Auto-generated passwords

When you create a new account on a computer, in some software or on a website, you will normally be asked to choose a password at the same time. Occasionally, however, the system generates a password for you without asking whether you would prefer to choose your own. There are a number of reasons for this. One, for websites at least, is spam reduction: because the generated password is delivered to the new user rather than chosen on the sign-up form, an automated registration script has no easy way of learning it, and so cannot log in and paste adverts across your forums and comment fields or message other users.

While this is not a bad thing in itself, it does require system designers to give more thought to how they present a password than they need to when the user supplies one directly. Because you cannot know which font a user will read the password in, and not all fonts render every character equally legibly, I suggest that certain letters and digits should be excluded when auto-generating such a password.

In many fonts, “O” and “0” are very hard to tell apart (in case your own font renders them too similarly: the first is the letter “oh”, the second the digit zero). Similar problems arise with “l”, “I”, “L” and “1” (lower-case ell, upper-case eye, upper-case ell and the digit one, respectively). In some fonts “v” and “u”, and “V” and “U”, are also easy to confuse. The difference between “s” and “S” is usually easy enough to work out, because the height relative to neighbouring characters gives it away; some fonts are less careful about that height difference than others, though, so while it is less of an issue, it is still worth considering.

In many of the above cases a font will make it clear which is which, as long as both options appear in the same text, but of course they may not. Equally, there is no issue if the user simply copies the password and pastes it into the password box shortly afterwards, but that will often not be the case and certainly cannot be relied upon.

On a slightly different, but no less relevant, note is the “#” character. Apple keyboards don't print this common key, so avoiding it entirely is a good idea if you don't want to annoy all your Apple-based users. (Note for Apple users who don't already know: I've been informed that, while the character is not printed on the keyboard, it can be typed with Alt+3. This is only confirmed for UK layout keyboards, so if that doesn't work for you, it's time for a web search or to ask someone locally.)

In summary, I would urge system designers and developers who genuinely need to auto-generate passwords to avoid the characters mentioned in this article, and to consider any further characters that may cause confusion. I suspect the list above is not complete; it is simply the set I have personally found most problematic.
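The following is an added example, not code from the original article, showing one way to put the advice above into practice: a generator that draws from an alphabet with the confusable characters and “#” removed, using a cryptographically secure source rather than a plain PRNG. The important caveat that the article does not spell out is that every character you exclude shrinks the alphabet, so the generator compensates by lengthening the password to meet a fixed entropy target rather than a fixed length. Which characters count as ambiguous (the “v”/“u” and “s”/“S” pairs are included here conservatively), the 64-bit target and the sample passwords audited at the bottom are all assumptions of this example.

```python
import math
import secrets
import string

# Characters the article lists as easy to confuse in common fonts. The
# "v"/"u" and "s"/"S" pairs are the milder cases; they are excluded here
# conservatively (an assumption of this example, not a rule from the article).
AMBIGUOUS = frozenset("O0" + "lIL1" + "uvUV" + "sS")

# "#" is avoided because it is not printed on UK Apple keyboards.
HARD_TO_TYPE = frozenset("#")

# Unambiguous alphabet: letters and digits minus the sets above.
ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits
    if c not in AMBIGUOUS and c not in HARD_TO_TYPE
)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of the given length and alphabet."""
    return length * math.log2(alphabet_size)


def length_for_entropy(min_bits: float, alphabet_size: int) -> int:
    """Smallest length whose uniform password reaches at least min_bits of entropy.

    Dropping confusable characters shrinks the alphabet, so the same security
    target needs a longer password; this is where that cost is paid.
    """
    return math.ceil(min_bits / math.log2(alphabet_size))


def generate_password(min_bits: float = 64, alphabet: str = ALPHABET) -> str:
    """Generate a password from the unambiguous alphabet using secrets (CSPRNG)."""
    n = length_for_entropy(min_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


def ambiguous_chars(password: str) -> set:
    """Audit helper: which characters in an existing password are confusable?"""
    return {c for c in password if c in AMBIGUOUS or c in HARD_TO_TYPE}


def is_unambiguous(password: str, alphabet: str = ALPHABET) -> bool:
    """True if every character of the password comes from the safe alphabet."""
    return all(c in alphabet for c in password)


if __name__ == "__main__":
    print(f"alphabet size: {len(ALPHABET)} (full alphanumeric would be 62)")
    print(f"length for 64 bits: {length_for_entropy(64, len(ALPHABET))} "
          f"vs {length_for_entropy(64, 62)} with the full alphabet")
    print("generated:", generate_password(64))
    # Constructed sample passwords, as an existing generator might have emitted them.
    for sample in ("Ol1ga", "pa55w0rd", "x7Kq#Rm2"):
        print(f"{sample!r}: confusable or hard to type -> {sorted(ambiguous_chars(sample))}")
```

With the twelve characters removed the alphabet drops from 62 to 50 symbols, and a 64-bit target needs 12 characters instead of 11; the extra character is the entire price of legibility, which is a good trade when the user is going to read the password off a screen or a printout. `ambiguous_chars` is there so an existing generator can be audited before its alphabet is changed.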

EDIT: To follow up this article, find the article titled "Safe character list for use in auto-generated passwords" in the Resources section.
