I'm having a bit of trouble over at Gamestop trying to change my password. The brilliant thing is that they don't have a help page dedicated to it and the one dedicated to Impulse subscribers doesn't actually load. Needless to say I won't be spending any more money there any time soon.

But, this brings me to a point that's often ignored. How stupid, lazy or cheap can you be to not bother to verify that the password that's been input is one that the site is going to allow? It's rather shocking to me how often I'll put in a password that's too long and where the site doesn't verify that it's valid. What's more it shocks me that there's this surprised expression when I tell them that it isn't something that competent programmers would miss.

Password validation is something which is incredibly important if you want to be using it as a part of the security for the site. What's more people tend to assume that if they know what the password is that they can just enter it and gain access.

Incredibly lazy.

I have seen a case (not regarding passwords) where two checks were made, both client-side with Javascript and serverside with whatever they were using, and neither accepted an input that the other would validate as one passed if(a>b) and the other passed if(b>a) (had to Firebug that Javascript to get through).

It's sort of a wonder that it's not more common given how cheap people are with things like that. The opposite problem I've seen is where one can't validate because they missed a deadline and the site doesn't have a provision for that.

I'm surprised that the whole mentality that a website is a cheap way of hocking goods is still around, I doubt it'll change for American sites until there are consequences to screwing it up.

Even Steam has issues with username/password validation. Depending where I try to log in from via the website, it'll always fail the first time I enter correct information. I have a feeling it's because one routes (either Store > log in or Community > log in) is case sensitive for usernames, while the other isn't.

But I really don't get why people take validation in that area as something to do in a quick n easy manner without fully testing all possibilities. At least when I code such systems, I take a lot of time ensuring every outcome is anticipated - and then some.

I may not think much of my general coding ability, but I am fairly proud of the validation system I created.

It's also something for which there are probably libraries one can use. Validation isn't always easy, but when it comes to password lengths, I mean, come on. Any programmer that can't figure that out really shouldn't be writing code that involves the need for authentication.

It always gets me when I'm talking with support and they're non-commital about whose fault it really is. I get that it's common practice to deny liability, but honestly, it's not like there's any question about whose fault it is.

On the brightside, this effectively prevented me from spending $12.79 that I probably shouldn't have spent.

If they have a maximum length on passwords they are doings something very, *VERY* wrong. It suggests that they are actually storing your password, as opposed to salting and hashing it. No capable programmer would impose a maximum limit on password length - quite honestly, we don't care. We *want* it to be longer so you don't complain to us about being hacked. It suggests that there is something very wrong with how Gamestop (and Impulse) is/was storing passwords.