Passwords UX

I’ve just been through the process of claiming a tax refund. To do this I first had to create something called a Government Gateway Account. As well as giving me the slightly queasy feeling that I would now exist forever on yet another database I also, inevitably, had to create yet another password that I will henceforth have to remember. Also forever. Here’s the password creation screen:

Government Gateway Account password creation screen

This does not fill me with confidence. Not at all. Not even close.

Firstly the 12 character maximum length just screams “we store your password in plain text in a CHAR(12) column, so there” at me. Like it’s 1993 and we’re using CGI or something. No hashing. No salting. Just a nice text column that our legacy platform can read, and that the techs can run a SELECT on when you forget your password or they fancy a giggle.

And the no special characters rule instantly activates my “we don’t do SQL injection mitigation at the backend, and we don’t care” detector. Because the platform probably dates from before the time that anyone considered that it might be connected to the internet.
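For contrast with both of the smells above (the 12-character cap and the “no special characters” rule), here is an added example, not code from the post or from the Government Gateway service, of how a credential store looks when neither restriction is needed: passwords are salted and hashed with PBKDF2-HMAC-SHA256 into a fixed-size digest, so storage never sees the plaintext or cares about its length, and every query is parameterised, so quotes and semicolons in a password are just data. The iteration count, table layout and sample password are assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Assumption: work factor for PBKDF2-HMAC-SHA256; tune to your hardware budget.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest).

    The digest is always 32 bytes whatever the password length, so the
    column holding it is a fixed-width BLOB, not a CHAR(12) of plaintext.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def open_store() -> sqlite3.Connection:
    """In-memory SQLite credential table (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        "username TEXT PRIMARY KEY, salt BLOB NOT NULL, digest BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Parameterised statement: values travel separately from the SQL text, so
    # no character in the password can alter the query.
    conn.execute(
        "INSERT INTO users (username, salt, digest) VALUES (?, ?, ?)",
        (username, salt, digest),
    )


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn the same hashing cost for unknown users so a wrong username
        # is not rejected measurably faster than a wrong password.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    return verify_password(password, row[0], row[1])


def demo() -> dict:
    """Exercise the store with a long password full of SQL metacharacters."""
    conn = open_store()
    # Constructed sample password: well over 12 characters, with quotes,
    # a semicolon, a comment marker and non-ASCII currency symbols.
    long_pw = "correct horse' OR 1=1; -- battery staple £€"
    register(conn, "alice", long_pw)
    stored = conn.execute(
        "SELECT digest FROM users WHERE username = ?", ("alice",)
    ).fetchone()[0]
    return {
        "stored_plaintext": stored == long_pw.encode("utf-8"),
        "login_ok": login(conn, "alice", long_pw),
        "login_wrong": login(conn, "alice", "wrong password"),
        "login_truncated": login(conn, "alice", long_pw[:12]),
        "login_unknown_user": login(conn, "bob", long_pw),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `login_truncated` check is the point of the exercise: with a real hash, the first 12 characters of the password are not the password, which is exactly what a CHAR(12) column would silently make true.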

Oh, and the big fat BETA at the top: I get that it’s probably meant to look exciting, but it doesn’t fill me with hope. This is my government ID. Where’s the smartcard authentication? Can I use my Yubikey? Nah, none of that stuff.

Bah. Whatever. As long as I get my refund.