For obvious reasons, Microsoft employees are asked to refrain from bashing other teams or products in their blog posts. But with the dismantling of the Money product line a couple years ago, I feel the statute of limitations has expired and I can share a useful lesson.
At one point, I changed the password for my bank, and then went in to update the corresponding password in Microsoft Money so I could continue to download statements. Unfortunately, upon entering the password, I was met with this error box.
Here is a product, which is charged with protecting my most important data, and it is telling me that it can’t accept a password which any typical computer-savvy user would consider a normal “strong” password. After seeing this message, my brain stopped working. If anything, a product which deals with access to someone’s money should favor the uber-paranoid side of the security fence. But here was a product that actually limited a password’s complexity and forced users toward a weak one.
I can understand reasonable limits on length as there may be storage or processing concerns (I’ve run into web sites where an eight-character password was too long, and no, that is not a reasonable limit). But if you are working on the password-processing feature of your software, gimping a password’s strength is something that should be avoided at all costs.
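To make the point concrete, here is an added example (my own, not code from Money or from the post) contrasting a character-restricting policy with one that only bounds length and hashes the result; the policy constants and function names are hypothetical.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Hypothetical policy of the kind the post complains about: a fixed alphabet and a
# short cap, which rejects ordinary strong passwords containing symbols or spaces.
RESTRICTED_ALLOWED = re.compile(r"^[A-Za-z0-9]{1,16}$")


def restrictive_policy_accepts(password: str) -> bool:
    return RESTRICTED_ALLOWED.match(password) is not None


# Sane policy: a minimum length, a generous ceiling (bounds KDF work, not storage),
# and no restriction on which characters may appear, Unicode included.
MIN_LEN = 12          # assumed value
MAX_LEN = 128         # assumed value


def _normalize(password: str) -> str:
    # NFKC so the same visible password typed on different platforms compares equal.
    return unicodedata.normalize("NFKC", password)


def sane_policy_accepts(password: str) -> bool:
    return MIN_LEN <= len(_normalize(password)) <= MAX_LEN


def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000) -> bytes:
    """Derive a fixed-size record (16-byte salt + 32-byte digest).

    Storage cost is identical whatever the password's length or alphabet, so
    storage is no reason to restrict either.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _normalize(password).encode("utf-8"), salt, iterations
    )
    return salt + digest


def verify_password(stored: bytes, candidate: str, iterations: int = 600_000) -> bool:
    salt, digest = stored[:16], stored[16:]
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", _normalize(candidate).encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(recomputed, digest)
```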
As an aside, you can use this utility to help gauge whether or not your password is strong.