
It’s 2016 already, how are websites still screwing up these user experiences? - manigandham
http://www.troyhunt.com/2016/01/its-2016-already-how-are-websites-still.html
======
mschuster91
> When you block a character, I’m going to assume one thing: your input
> sanitisation and your query parameterisation sucks.

Not really. This is to reduce issues with users unable to log in because...

1) they might have used symbols like [, { or similar while registering on a
Windows machine - and they cannot find these symbols written on a Mac keyboard

2) Umlauts - these are not available in foreign countries and no one knows the
escape sequences out of memory

3) They're on the phone and cannot see the password in cleartext (and thus
cannot spot input errors). Seriously, I accept that asterisk stuff on PCs
where you might be connected to a projector or someone glances over your
screen. But on a phone? Anyone looking over your shoulder can already see what
you typed!

> Delayed pop-over ads – evil personified

I might accept these when I can close them with Esc like any other modal
window in my OS. Kill that behaviour and you deserve to rot in hell.

> EU cookie warnings – this is just plain stupid

Thank the EU for this bullshit, they mandated it.

~~~
manigandham
The password field should allow anything because it all gets hashed to the
same size string with safe characters in the end.

If users choose something funky that's their problem but if they're typing
like that then they'll probably do so on all of their devices. It also
discourages the use of randomly generated strong passwords with password
managers by having these weird rules.
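
An added example, not part of the thread or the linked article: what hashing "to the same size string with safe characters" looks like for brackets, umlauts and very long passwords, with Unicode NFC normalisation so an umlaut verifies however the input method encoded it. PBKDF2-HMAC-SHA256, the iteration count, the `salt$hash` hex layout and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def _prepare(password: str) -> bytes:
    # NFC-normalise so "ü" as one code point (U+00FC) and as
    # "u" + combining diaeresis (U+0075 U+0308) yield the same bytes.
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # A fresh random salt per user; the digest is always 32 bytes.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", _prepare(password), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(digest, expected)


def stored_form(password: str) -> str:
    # What would go in the database column: hex salt, "$", hex digest.
    salt, digest = hash_password(password)
    return f"{salt.hex()}${digest.hex()}"


# Constructed sample passwords: plain, SQL-looking symbols, umlauts,
# 500 characters long, non-Latin script with an emoji.
SAMPLES = ["hunter2", "p[ss{w}rd';--", "Grüße-Zürich", "x" * 500, "пароль 🔑"]

if __name__ == "__main__":
    for pw in SAMPLES:
        form = stored_form(pw)
        print(len(form), form[:24] + "...")
```

Because the raw password never reaches a query or a fixed-width column, only the hex string does, character and length restrictions on the input field buy nothing on the storage side.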

~~~
mschuster91
It'd be great if the password field could encode the required rules so that a
password manager could automatically generate the strongest password.

