This isn’t something I normally write about, but after the hundredth time creating an account with random password or username restrictions I am starting to lose my patience with companies.
If you are going to require that my username or password have special characters, numbers, capital and lowercase letters, or anything else, show those requirements on the login page.
No, hiding this information on the login page isn’t making your site more secure. Anyone trying to crack/guess someone’s username or password can easily pretend to create a new account, discover the requirements, and then use them as they see fit. Do you want to know who doesn’t do this? Real users.
The only people you are hurting by not displaying these requirements are real users like myself. Real people who visit your site and think, “Oh crap... I don’t remember what special username/password requirements this site had…” and then spend the next 10 minutes trying to remember and/or guessing.
After twenty guesses or so, they will finally cave and fill out the “Forgot username/password?” form, only to get the username in their email and think “Well shit, if I knew that was my username I would have been logged in hours ago.”
Or even worse, they go through the flow to reset their password, only to realize what their password is after their first attempt is rejected for not including a Greek character. They then head back to the login form and sign in, having wasted 15 minutes of their life.
If you want to require special characters, numbers, or even yogurt flavors in a user’s username or password, I can deal with that. What drives me insane is keeping these requirements hidden when what a user has typed in clearly doesn’t meet them.