Websites shouldn’t reject passwords generated by browsers

When I decided to get the domain šime.eu for my blog, I had to find a domain name registrar that supports .eu domains. My first choice was Netim (I forgot why). I added my order for šime.eu to the cart, and the next step was to create an account. My browser, Firefox, offered to generate a secure password, which I of course accepted, but when I tried to submit the form, the website showed the error message “The password provided is invalid”.

[Screenshot of Netim’s “Create your account” form: “Your password should have at least one symbol. The password provided is invalid.”]

I was confused. According to the tooltip, the password meets all the requirements. It even says that it’s a strong password. So what’s the problem? I didn’t have the patience to figure out the reason, but it turns out that when Netim says “at least one symbol”, they don’t mean any symbol; they mean one of the 13 supported symbols that are listed in the tooltip. I’ll leave it to you to figure out which symbol in the password generated by Firefox is not supported. What a fun game, huh?

I reported this issue to Netim, and they said that they asked their dev team to add more characters to the list. They should probably test their account creation form in every major browser, since different browsers use different algorithms for generating secure passwords. If I were an expert in this field, I could give you better advice on exactly which symbols to support (all of them?), but one thing seems clear to me: Websites should not reject passwords generated by browsers.
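The behaviour described above, next to a more permissive check, as an added example that is not Netim's code. The 13-symbol list, the sample passwords and all function names are constructed for illustration, and the "before" validator assumes the site rejects any character outside letters, digits and its symbol list.

```javascript
// Stand-in for a short site allowlist of 13 symbols (not Netim's actual list).
const NARROW_SYMBOLS = new Set([..."!@#$%^&*()-_+"]);

const isAsciiAlnum = (ch) => /^[A-Za-z0-9]$/.test(ch);
const isControl = (ch) => /^\p{Cc}$/u.test(ch);
const isLetterOrDigit = (ch) => /^[\p{L}\p{N}]$/u.test(ch);
const unique = (items) => [...new Set(items)];

// Before: a character is valid only if it is an ASCII letter, a digit,
// or one of the allowlisted symbols. Anything else fails the whole password.
function validateNarrow(password) {
  const chars = [...password];
  const rejected = unique(chars.filter((ch) => !isAsciiAlnum(ch) && !NARROW_SYMBOLS.has(ch)));
  const hasSymbol = chars.some((ch) => NARROW_SYMBOLS.has(ch));
  return { ok: hasSymbol && rejected.length === 0, hasSymbol, rejected };
}

// After: any printable character that is not a letter or digit counts as a
// symbol. Only control characters are refused.
function validateBroad(password) {
  const chars = [...password];
  const rejected = unique(chars.filter(isControl));
  const hasSymbol = chars.some((ch) => !isLetterOrDigit(ch) && !isControl(ch));
  return { ok: hasSymbol && rejected.length === 0, hasSymbol, rejected };
}

// Error text that names the offending characters instead of just "invalid".
function explain(result) {
  if (result.ok) return "Password accepted.";
  if (result.rejected.length > 0) {
    const list = result.rejected.map((ch) => JSON.stringify(ch)).join(", ");
    return `Unsupported character(s): ${list}`;
  }
  return "Add at least one symbol.";
}

// Constructed passwords in the style of a password generator.
const SAMPLES = ["qT7}vK2mXp9~Lr4", "aB3!dE5@gH7kM9", "abcDEF123456xyz"];

// Regression check: which samples does each validator turn away, and why?
function compare(samples = SAMPLES) {
  return samples.map((pw) => ({
    password: pw,
    narrow: explain(validateNarrow(pw)),
    broad: explain(validateBroad(pw)),
  }));
}

console.table(compare());
```

Running the same comparison over passwords actually produced by each major browser's generator would catch this kind of rejection before users do.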
