Web Sites Lacking In Password Quality

Hi Fred, I just got around to reading the June 20, 2005, Langa List article ( http://langalist.com/plus/newsletters/2005/2005-06-20plus.asp#1 ) (and its counterpart in Information Week http://www.informationweek.com/story/showArticle.jhtml?articleID=164303537 ) on password security. I've long been a proponent of really good passwords (much to my wife's annoyance, since I refuse to let her use our kids' names, etc.) and I have also used Roboform for a number of years both to generate and save my passwords (I have something like six or seven hundred accounts, services, etc., that require passwords, so a good tool is essential, and Roboform is well worth the price many times over IMHO). I'm writing to vent about a password-related pet peeve, to wit, almost none of those companies, services and so on who require you to set up password-protected accounts tell you what their allowed password characteristics are at the point where you have to choose a password. The forms say, "enter a password" but they don't say which characters they allow: upper or lower case only (and do they respect case sensitivity)? Do they allow numbers? Symbols? Punctuation? They also don't tell you how many characters they allow: 6 characters, or 8 or 12 or 36 or what? You can't tell. So then when you enter a good, random password of, say, 24 characters using upper case, lower case, numbers, symbols and punctuation, the form comes back with a really useless error, usually something like "invalid password - enter a valid password to continue". So, you are left to guess what rules they used to define "valid" passwords. And nobody has the time or patience to work their way slowly down to the strongest combination of number and type(s) of characters allowed in each particular instance by trial and error, so you're essentially forced to use the lowest common denominator, i.e., a relatively short password including only one or both cases of letters, or maybe letters and numbers. And this, of course, makes the whole point of your article moot and whatever it is you are password-protecting many times more vulnerable than it should be.

The truly irritating part is that it would be so easy for developers to inform users of the rules that define valid passwords on their site, and yet very few of them ever do. All of which makes it very frustrating for those of us who try to implement your advice and use truly good passwords.

Thanks for listening and for a great newsletter! ---Brad Terry

As you point out, too many companies maintain Web sites that actually prevent you from using strong passwords and/or don't communicate the password restrictions, parameters and requirements they've built in. When the password-protected resources are trivial--- say, your subscription to The New York Times online--- it's no big deal. But many sites hold extremely important customer private information and really should be more responsible with password policies.
