Sun 13 Nov 2011 11:34:11 AM PST
Forgot Password Only
Asa Dotzler's "websites, you're doing it wrong" is a good list of silly password rules from various web sites. (another good one: your password can be any length, but we only check the first eight characters. If you're into correct horse battery staple-style passwords, that's trouble.)
I have a confession to make. If I don't use your site much, I'm probably just using the "forgot your password" workflow every time. So, as long as we have crash-only software, let's make Forgot Password Only Software.
I'm going to assume that everyone is going to forget the stupid password, and optimize for that. (People who haven't forgotten the password have been using the same password on so many sites that they might as well not have been using a password at all.)
Next web application I do will have one or more of: mail me a login URL, ssh to the server to get a login URL, log in with (some set of big web sites for which users have a real password), BrowserID, maybe some others. (I kind of like the choice of "ssh to the server for a login URL" for the Rick Moen types, and "log in with example.com" for the Kool-Aid drinkers.)
But I will never again be arrogant enough to believe that users will make unique, high-quality passwords just for my web site. I don't do it for other people's sites, how could I act like people would do it for mine?
Bonus link: Crash-only software: More than meets the eye