I suppose there's some security issue with posting the password requirements directly on the log-in form
I don't think there are, really. If they have password restrictions that make passwords worse (e.g. no unicode, no spaces, maximum length) then it might make it worse to publicise that, but the real problem is doing it in the first place.
And if they have positive-but-annoying restrictions, then it might help a hacker very slightly to know that people need at least N non-alphanumeric characters, because many people will have _exactly_ N. But if they're brute-forcing, they'll probably try all of that anyway.
I've spent ages asking around "is there a reason websites do X", and sometimes there is, but depressingly often, there isn't.
Date: 2013-07-25 01:44 pm (UTC)