Since secure email passwords are critical and we should include symbols and
special characters to increase security, I can’t understand why ISPs such as
AT&T U-verse, Comcast, etc., do NOT allow any of the above in setting up
passwords. Their tech people just can’t explain it. This boggles my mind.
In this excerpt from Answercast #59, I discuss possible reasons for password
limitations and suggestions to keep your passwords secure.
Boggled by limited passwords?
It boggles mine too, to a certain degree. I kind of understand it; I’m not going
to excuse it.
I honestly believe that you’re quite right. There should be no reason not to
allow special characters and in fact, there should also not be a length
We’ve been recently hearing about length limits imposed on Microsoft Hotmail
accounts of only 16 characters. And while that might be sufficient, if you
choose an appropriate 16-character password, I don’t believe that it’s enough.
There is really no technical reason that a 16-character password should be
So, with that little bit of griping out of the way… my understanding (the
reason I at least sort of understand where some of this comes from) is that many of these systems (particularly the larger, older ISPs) have been around for so long that a lot of what they’re dealing with is what we politely call “legacy” systems. Put another way, these are “older than dirt” systems that were actually crafted back in the time when password length was not nearly as much of an issue – and in fact, password complexity wasn’t as much of an issue.
And, on top of that, there were often barriers to using certain characters.
There were escape characters that could not be transmitted between whatever it
was you were typing on and the system that was receiving it.
I don’t mean the Escape key. I mean characters that were used to signify
something special. An exclamation point, or a dollar sign, or any number of
things would actually be intercepted before they reached the destination
system. As a result, you could type them all you want, but they might not
actually show up in your password.
There’s no reason for that today. I’m not saying that’s the way things work
today. But it definitely is the way that many systems were architected in the
past. Unfortunately, many of these systems that have come forward, even into
this 21st century, are now built on some of the same code (or built with some
of the same assumptions) that were requirements back in the day.
It’s unfortunate. I really don’t know a way around it other than
complaining. Perhaps, I suppose, a certain amount of public shaming of these
ISPs… but the point is that you have to work with what they give you.
Creating secure passwords
If what they give you isn’t sufficient for your needs, then you need to take
extra steps. Those extra steps might include not using them for some of the
more secure things that you might consider using them for, or perhaps not using
them at all and switching to a different system.
What we often say is that length is more important than special characters.
So, I’m actually not as concerned about the number of special characters that
are disallowed as long as the password can be made significantly longer.
By significantly longer, I’d say (I don’t know…) a minimum of 20 to 30
characters at least. Some way that you can actually type in a “pass phrase,”
because those are going to be significantly harder for hackers to crack in many
Unfortunately, like I said earlier, we have systems like Hotmail where
they’ve artificially limited the length of the password. I don’t know what
their current stand is on special characters; I believe they allow special
characters. But if a password is going to be artificially restricted to some
annoyingly short length…
Sixteen isn’t quite annoying other than the fact it shouldn’t need to be
there. I know of systems that do allow only eight-character passwords! With
those, you should definitely be allowed to, and you should be using
random characters (special characters and so forth) to keep your password as
secure as possible.
But the short answer is… aside from historical reasons (aside from the
complexity of changing existing systems, large existing systems), there really
is no good excuse for not allowing both lots and lots of special characters
and having exceptionally long passwords as an option for most users.