Also, could you make it a bit clearer that & (ampersands) are not allowed characters in the password. Putting a red box around the password field when I've met all of the criteria listed above it is not very helpful. Not off to a great start I'm afraid.

I'm afraid it isn't. Browsers haven't let you copy _from_ a password field in years. The only way you could fat finger it is if you'd made a mistake while typing it somewhere you could see (eg Notepad) and copied it from there. Granted that could still happen, but that's not a reason to destroy best practices for the rest of us

@Anonymous: True, that was my assumption and I apologise. I was working on the principle that the effort required to open up a new window to type in a password to then paste it twice into a form would probably be equal to or greater than just typing in the password twice so didn't think that was what you were suggesting.

It just seems a strange place to draw the line though as far as security is concerned. Why don't we go one step further and make it so that people can't choose their password and it's just their birthday instead, then no one will forget them at all! It may sound like a ridiculous point but it's basically choosing somewhere on the line between security and convenience, and in my opinion (as well as a lot of security professionals out there) this is slightly too far down that line.

@jaread83: Yes, basically. This restriction doesn't exist on the login page thankfully, so I can use the password manager fine there. I don't actually expect anyone to listen to the first post, as security doesn't seem to get much love at Plusnet (Passwords, more passwords, Email security) but the main piece of frustration for me was that I had to type the (secure and lengthy) password in by hand numerous times with it just giving me a red box around it (with me naturally assuming that I'd fat fingered the password while typing it in twice every time) before realising that the ampersand was not an accepted character.

Having the ampersand as an illegal character for password should definately be given some attention, that much I am sure about. I will raise an internal ticket about that and it should get passed to the relevant team.

As for the password copy/paste js.. I have done a bit of searching around and it seems to be a universally hated 'security standard' and there doesn't seem to be any kind of guidance on where it started and who first implemented it. Out of everything I read, this is one of the more reasonable arguments for using it that I found:

Ignoring the Security concerns, keeping in mind that the password text is not visible (just asterisks/dots), a couple major UX reasons I can think of are:

• Depending from where you are copying the password and where you are pasting it, you might end up with messed up clipboard entries (changing text from utf-8, html, richtext, docx, etc or something else).

• Another common mistake will be copying empty spaces.

The outcome:

• Frustrated user who cannot understand why his seemingly correct password is not working.
• People thinking they were 'hacked' and their passwords changed.
• In situations where only limited attempts are allowed, this can result in the account being locked.

So I am not entirely sure what to do with that, I am sure that the devs had their reasons for including this, maybe part of a security audit or it was requested by someone higher up in the development team... I can't say for sure.

I will ask a few of our security devs about this, maybe we can get this removed but I can't promise anything at this moment as I may get vitoed on it.

I very rarely type passwords either when creating them or logging in as I use a password manager. When creating a password I adopt the following procedure:

1. Generate the new password using KeePass and make it temporarily viewable in there
2. Copy paste/paste the password to the website's first box.
3. Save the new password in KeePass and save the KeePass file.
4. Use the double click on the password in KeePass to copy the password to the clipboard (KeePass automatically removes it from the clipboard after 15 seconds)
5. Paste it in to the second password box on the website.

As typical passwords I use look like these:

QNqvFkg8A@RFevy@mwxY
/6,^P7LT?#0_l!XGVe|0
WCu^gyuvUb0Wx;b;'CV:

 there is no way I am going to try keying something like that twice when setting the password. Plus to be able to key them I have to resize the browser and KeePass windows so I can see both at the same time.

Websites that block copy/paste make me use simpler passwords that I am more likely to be able to key correctly twice. And if the website stops KeePass being used to enter the password when logging in that guarantees I will use a shorter easier to key (and hence less secure) password.

Plusnet: is it your intention to push those of us that take setting secure passwords seriously in to using less secure passwords on your site?

jelv (a.k.a Spoon Whittler)    Why I have left Plusnet (warning: long post!)    Broadband: Andrews & Arnold Home::1 (FTTC 80/20) Line rental: Pulse 8 Home Line Rental (£14.40/month) Mobile: iD mobile (£4/month)

@jaread83

How about a tick box "I am using a password manager" that enables the copy paste?

People who don't understand the question are likely to leave it unticked, those that do will understand will tick it.

And it might encourage some that don't understand to find out what it is about and start using one which can only be a good thing!

jelv (a.k.a Spoon Whittler)    Why I have left Plusnet (warning: long post!)    Broadband: Andrews & Arnold Home::1 (FTTC 80/20) Line rental: Pulse 8 Home Line Rental (£14.40/month) Mobile: iD mobile (£4/month)

I create my own secure passwords always with a mixture of upper/lower case, numbers and special characters. I take security seriously but would rather rely on my own memory than use a password manager but that is just a personal choice.

Are your passwords like words with characters replaced with numbers and special characters so you can remember them, or are they totally random like the samples I posted?

jelv (a.k.a Spoon Whittler)    Why I have left Plusnet (warning: long post!)    Broadband: Andrews & Arnold Home::1 (FTTC 80/20) Line rental: Pulse 8 Home Line Rental (£14.40/month) Mobile: iD mobile (£4/month)

They are usually based on words in SWMBO's native language. Except for some basic forum access going back years where none of my real details are held anyway.

Had to look up SWMBO. Like it