- Password requirements (legal and illegal characters, length) are not explicitly stated
- Accounts can be created with passwords that contain illegal characters without showing an error
- Passwords can be reset to new passwords that contain illegal characters without showing an error
Someone uses a password manager to create a randomly generated password for the account. This password contains some illegal characters (unknown symbols because the site doesn't state what they are) but the account is successfully created (no error message given). When the user goes to log into the account using the password accepted during registration, they receive an error saying "Username / password do not match." The user doesn't understand why they're not able to log in.
The user goes to reset the password, creating another randomly generated password with the same criteria (character set). The password reset is "successful" (accepted with no errors given) but when they go to log in again, they get the same "Username / password do not match" error.
Now the user might guess that it's an issue with the site not accepting the password but they don't know why. Was the password too long? Did it contain illegal characters? They need to keep resetting their password, trying different things and testing it after each reset. I needed to reset my password 3 times before I figured out it was because of illegal characters (first time with same criteria as initial password, second time with same character set but shorter, third time more characters but alpha-numeric).
This sort of thing reflects pooly on the site because users could wonder if passwords are being handled securely behind the scenes as well (Are they being sent in plain text? Are they being hashed and salted? Are they being stored securely?).
Edited by nPrime