I know that the average user doesn't understand much about information and security and so I can appreciate the need to provide some form of password validation on form submit. However, forcing the use of "special" characters and requiring numeric values have nothing to do with password security. Now, Verizon doesn't enforce the special characters, but it does require a numeric value, so that's a little step in the correct direction; however, spaces are not allowed. There's also the pretty-looking check marks and password strength meter to give the user the illusion that their password is "safe".
But all of that can be thrown away because there is a max password length of 20. Yes, 20. Seriously guys? Is it too hard to throw Varchar(255) in your database? And guess what? It doesn't take any extra space if the user decides to only use 8 characters in their password. See the xkcd: Password Strength as a guide for what a real strong password looks like (please read the explanation if that's over your head). Note the lack of special characters and numbers and please also note that the example password is 26 characters long.
Want to increase password security? Require the user to create passwords that are a minimum of 20 characters long and not a maximum of 20 characters. Password Dictionaries and Brute forcing are the only ways to "hack" a password. Requiring stupid restraints like special characters and numbers makes the password even less secure because it usually causes the user to store their password in plain text somewhere because they can't remember it!
And lastly, WHY IN THE WORLD IS MY 20 CHARACTER PASSWORD CONSIDERED "too easy to guess"??? I would like to see any program guess my 20 character password. Come on; you already lock the account after a few attempted tries which literally stops brute forcing.
P.S. I tried a password with the word "black" in multiple positions throughout the password and each time that caused the "too easy to guess" flag to be thrown. However, the word "white" was allowed. Is this a joke?
I would like to add my point: 4 randomly chosen, common words concatenated together is easier to remember and more secure than what most people pick: a single word with some special, capital, and/or numerical characters thrown in. Verizon, can we please do something about this?
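
Added example, not part of the posts above and not Verizon's code: a sketch of storing passwords as salted scrypt hashes, where the stored record is the same size for an 8-character password and a long passphrase with spaces, so storage gives no reason for a 20-character cap or a ban on spaces. The function names, `MIN_LENGTH`, the scrypt parameters and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 8    # assumed minimum, chosen for this example
SALT_BYTES = 16   # random per-password salt
KEY_BYTES = 32    # length of the derived key that gets stored


def _derive(password: str, salt: bytes) -> bytes:
    # scrypt is a memory-hard KDF from the standard library; the cost
    # parameters here are example values, not a tuned recommendation.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=2**14, r=8, p=1, dklen=KEY_BYTES)


def hash_password(password: str) -> bytes:
    """Return salt || derived key. Always SALT_BYTES + KEY_BYTES long."""
    if len(password) < MIN_LENGTH:
        raise ValueError("password too short")
    # No composition rules and no ban on spaces: any characters are hashed.
    salt = secrets.token_bytes(SALT_BYTES)
    return salt + _derive(password, salt)


def verify_password(password: str, record: bytes) -> bool:
    """Recompute the key with the stored salt and compare in constant time."""
    salt, expected = record[:SALT_BYTES], record[SALT_BYTES:]
    return hmac.compare_digest(_derive(password, salt), expected)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the posts.
    short = "hunter2x"
    phrase = "maple anchor violet sandwich"
    for pw in (short, phrase):
        record = hash_password(pw)
        print(f"{len(pw):2d} chars in -> {len(record)} bytes stored, "
              f"verifies: {verify_password(pw, record)}")
```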