Sorry, your password is too strong, says financial sites. Why?!

“Sorry, your password is too secure. Please try again with a password no longer than 6 characters, containing lowercase alphabets only.”

I am tired of being told by a website that my password is too long, or contains non-alphanumeric characters which aren’t allowed. I am bewildered that most websites balking at long and complex passwords are financial sites, like bank and credit card sites.

I’m especially peeved because stupid password restrictions throw a wrench into the wonderful password management scheme of on-the-fly site-specific password hashing, which I described in detail before. These restrictions force me to either reconfigure my password hasher PasswordMaker to create short and simple passwords across the board, or forgo the use of password hashing for the financial sites. I chose the latter approach but I’m not happy about it.

This post is a plea to the financial site developers: please adopt sensible password restrictions, that is, no maximum on password length, no limit on special characters.

To put the problem into perspective, review these generally accepted guidelines for creating strong and secure passwords:
Microsoft’s password tips
Google’s password tips
Wikipedia article on password strength

Highlights:

  • “Make it lengthy… Your passwords should be 8 or more characters in length; 14 characters or longer is ideal.”
  • “Many systems also support use of the space bar in passwords, so you can create a phrase made of many words (a “pass phrase”). A pass phrase is often easier to remember than a simple password, as well as longer and harder to guess.”
  • “Combine letters, numbers, and symbols. The greater variety of characters that you have in your password, the harder it is to guess.”
  • “Your password will be much stronger if you choose from all the symbols on the keyboard, including punctuation marks not on the upper row of the keyboard, and any symbols unique to your language.”

Passphrases (mentioned by Microsoft’s guide) are often recommended as a solution to the annoying problem of creating strong, complex, yet memorable passwords. Sentences, due to their length and complexity, are virtually impossible to crack or guess, and yet they are easily remembered. Here are more discussions about passphrases:
Passwords vs Pass Phrase
Passphrase Evangelism
Passphrase FAQ

Compare these guidelines to rules imposed by these financial sites.

Wall of Shame (financial sites that have nonsensical password restrictions)

American Express
Your Password should contain 6 to 8 characters, at least one letter and one number (not case sensitive), contain no spaces or special characters (e.g. &, >, *, $, @)

Citizens Bank
Valid passwords are case sensitive, 6-12 characters in length…

Discover
5-10 characters, letters and numbers only

HSBC
A 6-8 alphanumeric personal identification code…

USB
Your Password must be 6 to 15 characters which must consist of at least one letter and one number (e.g.: pjones2). It may not… contain special characters or have three repeating characters.

Vanguard
User names can contain up to 12 characters and passwords up to 10.

WaMu
Your Password must be 6 to 8 alpha and numeric characters… Non-alphanumeric characters (such as % } ” >) are not allowed.

These are just some of the many financial sites with similarly nonsensical password restrictions. Financial sites are not the only offenders. Other critical websites holding our financial information, like TV, cable, phone and utility company sites, have the same restrictions. Read about Verizon’s restrictions here.
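To make the comparison concrete, here is an added example (not code from the post) that models the rules quoted above as checkable policies and computes the strongest password each policy can possibly accept. The numbers are the page’s; the field names, the “Sensible” policy, and the reading of “three repeating characters” as a run of three identical consecutive characters are this example’s own assumptions. Citizens Bank and Vanguard are left out because the post does not say which characters they allow.

```python
import math
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "  # 95 symbols
ALNUM = string.ascii_letters + string.digits                                   # 62 symbols

# Rules transcribed from the post's "Wall of Shame". The numbers are the page's;
# the field names, the "Sensible" entry and the consecutive-run reading of
# "three repeating characters" are assumptions made for this example.
POLICIES = {
    "American Express": {"min": 6, "max": 8, "alphabet": string.ascii_lowercase + string.digits,
                         "case_insensitive": True, "needs_letter_and_digit": True},
    "Discover": {"min": 5, "max": 10, "alphabet": ALNUM},
    "HSBC": {"min": 6, "max": 8, "alphabet": ALNUM},
    "USB": {"min": 6, "max": 15, "alphabet": ALNUM, "needs_letter_and_digit": True, "max_run": 2},
    "WaMu": {"min": 6, "max": 8, "alphabet": ALNUM},
    # What the post asks for: no maximum length, any printable character.
    "Sensible": {"min": 14, "max": None, "alphabet": PRINTABLE},
}


def longest_run(s):
    """Length of the longest run of identical consecutive characters in s."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best


def violations(policy_name, password):
    """Return the rules the password breaks under the named policy (empty list if accepted)."""
    p = POLICIES[policy_name]
    if p.get("case_insensitive"):
        password = password.lower()  # Amex treats case as irrelevant, so fold it away
    problems = []
    if len(password) < p["min"]:
        problems.append("too short")
    if p["max"] is not None and len(password) > p["max"]:
        problems.append("too long")
    if any(ch not in p["alphabet"] for ch in password):
        problems.append("disallowed character")
    if p.get("needs_letter_and_digit") and not (
        any(ch.isalpha() for ch in password) and any(ch.isdigit() for ch in password)
    ):
        problems.append("missing letter or digit")
    if "max_run" in p and longest_run(password) > p["max_run"]:
        problems.append("repeated character run")
    return problems


def bits(alphabet_size, length):
    """Entropy in bits of a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def strongest_allowed_bits(policy_name):
    """Upper bound on the entropy of any password the policy will accept."""
    p = POLICIES[policy_name]
    if p["max"] is None:
        return math.inf  # no ceiling: the user decides how strong to go
    return bits(len(p["alphabet"]), p["max"])


if __name__ == "__main__":
    # Constructed sample inputs: the page's own "pjones2" and a passphrase.
    samples = ["pjones2", "correct horse battery staple 2!"]
    for name in POLICIES:
        ceiling = strongest_allowed_bits(name)
        print(f"{name:17s} best possible: {ceiling:6.1f} bits")
        for pw in samples:
            verdict = violations(name, pw) or ["accepted"]
            print(f"    {pw!r:35s} -> {', '.join(verdict)}")
```

Run as a script it prints, for each policy, the entropy ceiling and the verdict on the two sample passwords: every Wall of Shame policy happily accepts the page’s own example “pjones2” and rejects the passphrase as too long or for its spaces and punctuation, while the best password American Express will accept at all is worth about 41 bits against roughly 92 bits for a 14-character passphrase drawn from the full printable set.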

Comment bait: Do your financial sites have similar restrictions?

Can anyone enlighten me as to why these sites, the ones that ought to be the most secure sites ordinary users have access to, implement restrictions that force the use of WEAK passwords? Luke Maciak seems like a smart guy, but he couldn’t figure out why either.

Need a good scare regarding the danger of short and weak passwords?
“The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password “Fgpyyih804423” in 160 seconds.”

That post is not entirely accurate, as seen in this response, but it does illustrate the importance of long passwords, and why passphrases are great.

Anyone have other scare stories regarding weak passwords or authoritative password strength guidelines that can be used as ammunition against these financial sites to force them to implement better password restrictions?

If you are interested in improving your password management system, do read about on-the-fly site-specific password hashing.


3 Responses to “Sorry, your password is too strong, says financial sites. Why?!”

  1. Starhawk Laughingsun

    I love Ophcrack; it busted all my Windows user account passwords in like 15 minutes, and I only have 3. And one of them is a joke actually: user admin, password admin. lol. Really only one of the passwords was very secure (I thought); this is my machine and no one else uses it. Though one of the passwords was like 11 chars long and mixed numbers and letters, and another was even longer and used special chars and all. I was surprised Ophcrack busted that last one as it was kinda random. Anyway, Ophcrack is an impressive program :)

    You’re right tho banks and such should know better.

  2. STALIN

    This is dumb. No normal site will allow more than 4-10 wrongly typed passwords per username (not even per IP). The account will be simply blocked. Wasted time.

  3. moh

    The reason is simple

    more protection against SQL injection
