I’m game, I hate bizarre password rules too
Post made about 12pm on 21st July 2008 (a Monday).
I’m currently signing up to try out RescueTime, and wasn’t entirely sure about the prospect – but a good bit of opinionatedness has swayed me:
OK, the “watch for mistrakes!” is a tiny bit too unartfully kooky, but that’s forgivable. What really impresses me is the help text given for the password field:
We hate bizarre password rules. Keep it over 3 characters, but otherwise feel free to make it as secure or insecure as you want.
This is great! So many misconceptions fly around about the nature of a “strong” password. Web application developers take it upon themselves to “educate” the unwashed masses about the benefits of picking a hard-to-guess password, and increasingly force you to pick “at least one number” or “at least one non-alphanumeric character”. So people think that pa$$w0rd is a significantly stronger password than password, just because Facebook tells them so.
What’s missed is that once passwords get to a certain level of complexity, they become impossible to remember. So the user is forced to reset their password every time they use the service, or note it down somewhere, or have it emailed to them. It opens up further points of insecurity.
So jam isn’t going to keep even a basic brute-force attack especially busy, but jammertime might! Plus, you can remember it. Plus, it’s up to you, and you as a user are not forced to abrogate your own responsibility to keep your account access secure by adhering to someone else’s nannying over-simplifying AJAX widget.
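To put numbers on the four passwords mentioned above, here is an added example (not part of the original post and not RescueTime's code) that scores each one against a composition rule and against what a guesser has to cover. The rule ("one digit and one symbol"), the substitution table and the tiny `COMMON` list are assumptions constructed for the illustration.

```python
import string

# Constructed sample of widely used passwords (assumption for this example;
# a real check would load a large breached-password list instead).
COMMON = {"password", "letmein", "qwerty", "monkey"}

# Common character substitutions, mapped back to the letter they stand for.
LEET = str.maketrans({"$": "s", "0": "o", "1": "l", "3": "e",
                      "4": "a", "@": "a", "5": "s", "7": "t"})


def passes_composition_rules(pw):
    """The kind of rule the post objects to: one digit and one symbol."""
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in string.punctuation for c in pw)
    return has_digit and has_symbol


def deleet(pw):
    """Undo the substitutions so 'pa$$w0rd' is compared as 'password'."""
    return pw.lower().translate(LEET)


def brute_force_keyspace(pw):
    """Candidates an exhaustive search of this length and alphabet covers.

    Assumes ASCII input; the alphabet is inferred from the classes used.
    """
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    return alphabet ** len(pw)


def assess(pw):
    return {"password": pw,
            "passes_rules": passes_composition_rules(pw),
            "dictionary_hit": deleet(pw) in COMMON,
            "keyspace": brute_force_keyspace(pw)}


if __name__ == "__main__":
    for pw in ("password", "pa$$w0rd", "jam", "jammertime"):
        print(assess(pw))
```

The composition rule accepts pa$$w0rd even though it normalises to a dictionary word, and rejects jammertime, whose ten lowercase letters give a search space about eight billion times larger than jam's.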
So I was pleased RescueTime wears its opinions on its sleeves, and doesn’t take me for an idiot. Because, well, we share enemies, and I suppose that could be the start of a beautiful relationship!
