Mar 31 2008

Due to work I was compelled to install Skype the other day. Let me make it clear that I don't want this closed-source, commercial, GUI shit program installed on my laptop, but hey it's what the masses use cos they like eyecandy over functionality. I always have a really short temper when it comes to closed source applications, and even shorter when it comes to commercial software, so a mix of the two is like nano and comic sans.

I signed up for an account through the program itself. As far as sign ups go it was pretty harmless. For a password, I picked a phrase, like I do with many of my passwords. I'm a quick typist, and a short phrase appeals to me as a password because it's easy to remember, yet more secure than a simple word.

My account was created fine, and I started using Skype. I closed the contacts window. Whoops, big mistake - that leaves Skype running, but in a window manager like Ion, there's no way to get the contacts window back. So I killed Skype and restarted it. But when I went to enter my password, the moment I typed a space the 'sign in' button was disabled. W . T . F!

There goes any credit Skype had with me. And I haven't even started using it yet!

I filed a support request with information on this bug, and got back a generic password reset e-mail. No explanation why I should have to change my password just to work around their own stupidity.

So, for the benefit of Skype, A.K.A Retarded software R Us, here are three basic rules when it comes to password validation:

  1. Don't enforce a maximum length

    A minimum, sure. There are stupid people out there who will pick 'abc' as a password. But why would you ever need to set a maximum? You are hashing the passwords in your data store, so they're all the same length to you anyway. Right?

  2. Don't ban characters

    There is no reason to ban any character in a password! If the user wants to input spaces, nulls, snowmen or useless math symbols, there's no reason to stop them. If you've banned spaces, how am I going to use a passphrase? You've actually decreased the security of your application, in a sense.

  3. Always perform the same validation

    I found this problem because the validation for my password when signing up was not the same as when logging in. This is basic stuff, people. Always use the same validation, and there will never be a problem, will there?
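
The three rules above in one place, as an added example (not code from Skype or from this post): sign-up and sign-in call the same `validate()`, which has only a minimum length, and the stored value is a salted hash of fixed size. The names, the minimum of 8, the PBKDF2 work factor and the NFC normalisation step are assumptions made for the example.

```python
import hashlib
import hmac
import os
import unicodedata

MIN_LENGTH = 8        # assumed minimum; the rules only ask that one exists
ITERATIONS = 600_000  # assumed PBKDF2 work factor
_store = {}           # username -> (salt, digest); stands in for a database


def validate(password: str) -> bool:
    """The single rule set, called by BOTH sign_up and sign_in.

    Minimum length only: no maximum, no banned characters.
    """
    return len(password) >= MIN_LENGTH


def _digest(password: str, salt: bytes) -> bytes:
    # Normalise so the same phrase typed on different keyboards yields the
    # same bytes (an added choice, not from the post), then hash it.
    data = unicodedata.normalize("NFC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, ITERATIONS)


def sign_up(username: str, password: str) -> bool:
    if not validate(password):
        return False
    salt = os.urandom(16)
    _store[username] = (salt, _digest(password, salt))
    return True


def sign_in(username: str, password: str) -> bool:
    # Same validate() as sign_up, so a password that was accepted at
    # registration can never be refused by the login form.
    if not validate(password) or username not in _store:
        return False
    salt, expected = _store[username]
    return hmac.compare_digest(_digest(password, salt), expected)


def stored_length(username: str) -> int:
    """Size in bytes of what is kept for this user's password."""
    return len(_store[username][1])
```
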

So Skype, you can take your password validation and stick it where the sun don't shine. Meanwhile, I'll stick to open source software - software I can at least fix.
