My debit card uses Verified by Visa, a service where online purchases through member banks ask you for a password to complete the purchase. One problem with this service is they have some lame password restrictions (a-z, A-Z, 0-9, no special characters) so I can’t use my “common” set of passwords with the system, and I don’t use the system often enough, so I’m always “forgetting” my password.
So I just did a transaction with a domain registrar in France, failed the password check, reset my password, and then completed the transaction. Two minutes later I got a phone call from Visa wanting to verify that it was in fact me who performed the transaction. It all could have been avoided if they had just posted their password requirements when you go to log in. I wish all websites would post password requirements on their login screens.
I don’t think posting password requirements would be that big of a security risk, since if you’re trying to break into the system you probably figured the requirements out through other means (like another account you created on your own, or bozos like me that post the password requirements elsewhere–see above). Almost every single time I have to click the “forgot your password?” link on a login screen I didn’t actually forget it–I just couldn’t figure out which password I had used because I didn’t know their password requirements. It usually goes like this:
“Oh yeah, this is the site that only allows letters and numbers, and you have to have at least two of each. I want these last two minutes of my life back thank you.”
Sometimes they add insult to injury by forcing me to change my password when I click on the “forgot your password” link. When I pick a “new” password I end up discovering my old password when they say, “your new password can not be your old password.”