Tuesday, July 1, 2008

Stupid Password Policies

I have a friend who has a whole bunch of passwords written down, on a whole bunch of Post-It notes, right next to her computer. Why on earth would she do that? Well, it's not her fault. It's the fault of overzealous web sites that not only force her to have complex passwords, but have conflicting rules. She can't make up one password that she uses everywhere.I frequently recommend that people make up a rule for their passwords -- for example, name of their dog and a number, followed by something they can associate with the web site. This way they only have to remember a single, simple password but have a more complex password. This way, they might have passwords like spot3nile for Amazon, spot3junk for Ebay, spot3green for American Express, etc. But even this fails miserably because there are so many different conflicting standards. It's all part of the fake security that so many web sites have.Here are some of the password policies that I've seen recently:

  • no restrictions at all
  • 6 or more characters, no restrictions
  • 6-8 characters, at least one non-letter, symbols are recommended
  • 6-8 characters, at least 1 letter and at least 1 number, and at least 1 symbol
  • 6-8 characters, at least 1 letter and at least 1 number, and at least 1 symbol
  • 6-8 characters, at least 1 letter and at least 1 number, no symbols allowed
  • 8-12 characters, at least 1 uppercase, 1 lowercase, 1 number, no symbols allowed
  • 6-8 digits
I'm sure the list could be much larger if I did some research. In addition to this, there are case-sensitive and case-insensitive passwords. The thing I hate the most is the insistence on an upper case letter (the USPS web site is one of the sites that does this). I invariably forget the requirement and can't log in. Maybe if their web site said "don't forget: our stupid password policy means that your password has an uppercase letter in it" it would help me. I even use one web site where they use a Flash object that times inter-character intervals to see if it's really you typing your password. If you don't type your password in the same way, they ask you one of three random follow-up questions to make sure it's you. Without fail, every single time I have logged in, I have been asked one of the follow-up questions. Why not just ask it in the first place?!To make the whole situation even stranger, many sites provide a password reset mechanism which is incredibly easy to break. All you need is my zip code and my mother's maiden name, or some nonsense like that. I don't think I've ever seen a question that my brother and my wife wouldn't know the answer to. Hell, my kids know most of the answers!Who exactly are these password policies helping? 

Update: Serendipity! Just saw a New York Times Bits posting on pretty much this same topic: Falling Over Fallback Password Questions. An extra point from a comment that I wish I'd remembered -- how many sites are there that, after requiring you to use a ridiculously long and complex password, that you may well be using on other sites, simply email it to you in plain text when you go through the reset mechanism? What are they thinking?


Anonymous said...

I just posted a lengthy reply to Roy's password rant over on my blog.

Also, would totally have used this picture in my blog post if the author didn't reserve all rights.

Roy Leban said...

@Scott: Thanks for the response.

I do recommend Scott's post about OpenID (and I'm going to post a reply over on his blog as well). Sadly, OpenID is pretty far from being a standard at this point. And, even more sad, I'll bet money that even as it gains in acceptance, web sites will just add a layer on top of OpenID that makes it clunky. That was one of the problems with Passport's adoption (one of many problems, and I know them well -- I worked very closely with the Passport team while at Microsoft and am a co-inventor of a Passport-related patent as well as another one that's pending).

Vidoop seems like a reasonable solution, but I haven't compared it with the competition.

Experimental Knitter said...

I won't disclose my password policy but I answer the stupid questions (I find most of them either irrelevant or insulting) with an expletive phrase I can remember. Helps me vent at the same time.

Jeff Sung said...

I think these websites simply use modified web module. It's just a pain in the axx. I don't know why they make the username and the password so complex since you can't do anything other than pay the bill. I guess they are trying to prevent someone pays the bill for you? The most stupid website I have ever seen is American Water company, they're not just ask for complex password, they even ask for complex username, such as 9-12 characters, at least 1 uppercase, 1 number, no symbols allowed. What's the point? I understand some website might have your personal information, but a water company? I can't even see my full account number when log in.. It just doesn't make sense. I kept forgot my username, and they ask for account number to reset. Since I check the paper less option, which leave me no way to find my stupid account number.. very stupid..

Jeff Sung said...

I have a complex password for all my accounts. It has 16 characters, combined with numbers and symbols. It works quite well until I sign up a online account with American Water and Athena Service(trash collecting). Beacause their stupid password rule not allow symbols. Conbining the symbols is the best way to create a strong password, if the key point is protecting your account, why not allow symbols?

Sorry for whining here. The artical make me feel better now :)