[tech] Password, password, what have you heard?

As you might imagine, I’ve been doing an enormous amount of work lately on various Web sites. Banking, financial services, health insurance, disability insurance, Social Security, and so forth.

One thing which has surprised me considerably (though it’s hardly news) is the number of Web sites dealing with healthcare and financial information that have weirdly simple password rules. Some cap passwords at eight or twelve characters. Many will not allow any non-alphanumeric characters, so the user cannot include characters such as *, &, _, !, and so forth, which in turn shrinks the space an attacker has to search and makes the passwords much easier to crack. Some are not even case sensitive, which folds upper and lower case together and halves the usable alphabet of letters.

It’s a very weird mishmash of standards which will make any coder, or anyone with even a passing understanding of security, cringe.

I really don’t get this.

6 thoughts on “[tech] Password, password, what have you heard?”

  1. Jaws says:

    It’s not about the passwords.

    It’s about what people DO with the passwords, and it’s a problem that has been plaguing cryptology for at least a millennium and a half. How do you remember a password, especially one that is not used every day (or automatically entered by your software, which is an additional complication)? There are raging debates in the crypto community and among “security specialists” — for that same millennium and a half, and showing no sign of abating — over how to keep people from putting the critical passwords for the Doomsday Device on a sticky note attached to their computers. One major school of thought is that it’s better to have a slightly less-secure password that will be easy enough to remember that it won’t be compromised this way… especially given the (often illusory) backup of physical-access security.

    And then there’s the problem of reading bad handwriting…

    There isn’t a true solution. As a snide remark, multilingualism (especially mashing up disparate words from different languages) would help… to steal from Cliff Stoll, the password “robotcat” is difficult enough to guess, either directly or through automated means; “roboTgaTo” is much harder, relatively short, and still easy enough for the actual user to remember that it won’t be on a pad of paper in the top-left drawer of his/her desk.

  2. J.R. Murdock says:

    One thing I’ve learned about passwords over the years: many have a minimum, very few have a maximum. Also, the longer your password, the stronger it is regardless of special characters, numbers, caps, etc. The reason is that the number of possible combinations increases with each letter. So it’s actually better to have a longer password than a complicated password.

    This 1$ a tEst!
    isn’t stronger than…
    This is 1 very long password that no one will figure out!

    Which one is easier to remember? Yes, it’s longer to type out, but I can type the second one far faster than the first and the second is far harder for a hacker to decode due to the number of possible combinations.

    Unless, of course, they hack into the system and gain your password that way, in which case it doesn’t matter what your password is.
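The post's complaint about length caps, alphanumeric-only rules and case-insensitive matching, and the comment above about length beating complexity, are both questions of how many candidates an attacker has to try. The following is an added example, not code from the post or its commenters: it models three hypothetical policies (assumed for illustration, not taken from any named site), counts the brute-force search space each one leaves, checks the two candidate passwords from the comment against them, and shows that the server-side storage step (salted scrypt over the raw bytes) has no reason to care about length, symbols or case. The policy names, the two `WEAK_*`/`SANE` objects and the bit-count helpers are all my own.

```python
import hashlib
import hmac
import math
import os
import string
from dataclasses import dataclass
from typing import Optional, Tuple

# Alphabets a site might permit. string.punctuation is the 32 printable ASCII
# symbols (* & _ ! and so on); with letters, digits and space that makes the
# 95 printable ASCII characters.
ALNUM = string.ascii_letters + string.digits           # 62 characters
PRINTABLE = ALNUM + string.punctuation + " "           # 95 characters


@dataclass(frozen=True)
class Policy:
    name: str
    alphabet: str
    max_length: Optional[int]   # None means no cap
    case_sensitive: bool

    def effective_alphabet(self) -> str:
        """Characters that actually distinguish one password from another."""
        if self.case_sensitive:
            return self.alphabet
        # A case-insensitive site folds A-Z onto a-z before comparing, so
        # upper-case letters add nothing to the search space.
        return "".join(sorted(set(self.alphabet.lower())))


# Hypothetical policies modelled on the ones the post complains about
# (constructed for this example, not taken from any real site).
WEAK_8 = Policy("8 max, alphanumeric, case-insensitive", ALNUM, 8, False)
WEAK_12 = Policy("12 max, alphanumeric", ALNUM, 12, True)
SANE = Policy("no cap, any printable ASCII", PRINTABLE, None, True)
POLICIES = [WEAK_8, WEAK_12, SANE]

# The two candidates from the comment above.
SHORT_COMPLEX = "This 1$ a tEst!"
LONG_PLAIN = "This is 1 very long password that no one will figure out!"


def check(policy: Policy, password: str) -> Optional[str]:
    """Return None if the policy accepts the password, otherwise the reason."""
    if policy.max_length is not None and len(password) > policy.max_length:
        return f"longer than {policy.max_length} characters"
    bad = sorted({c for c in password if c not in policy.alphabet})
    if bad:
        return "disallowed characters: " + "".join(bad)
    return None


def brute_force_bits(policy: Policy, length: int) -> float:
    """Work an attacker faces against a uniformly random password of this
    length under the policy, in bits (log2 of the number of candidates).
    This is an upper bound: dictionary words and patterns cut it sharply."""
    if policy.max_length is not None:
        length = min(length, policy.max_length)
    return length * math.log2(len(policy.effective_alphabet()))


def password_bits(policy: Policy, password: str) -> Optional[float]:
    """Bits for a concrete password, or None if the policy rejects it."""
    if check(policy, password) is not None:
        return None
    return brute_force_bits(policy, len(password))


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a password the way the server should: salted scrypt over the raw
    UTF-8 bytes. Nothing here cares about length, symbols or case, so none of
    those restrictions is needed for safe storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison; 'roboTgaTo' and 'robotgato' do not match."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy.name}: random 20-char password <= "
              f"{brute_force_bits(policy, 20):.1f} bits")
        for candidate in (SHORT_COMPLEX, LONG_PLAIN):
            bits = password_bits(policy, candidate)
            verdict = (f"{bits:.1f} bits" if bits is not None
                       else "rejected: " + check(policy, candidate))
            print(f"  {candidate[:20]!r:24} {verdict}")
    salt, digest = hash_password("roboTgaTo")
    print("verify exact:", verify_password("roboTgaTo", salt, digest))
    print("verify case-folded:", verify_password("robotgato", salt, digest))
```

Under the 8-character, case-folded, alphanumeric policy the best a user can do is about 41 bits; the 12-character alphanumeric cap tops out near 71 bits; under the unrestricted policy the 15-character mixed password is worth about 99 bits and the 57-character sentence about 375 bits, which is the comment's point. Both numbers assume a random choice, so they are ceilings, not guarantees. Because the stored value is a fixed-size scrypt digest, the raw password never reaches a SQL statement and its length or character set never touches the database.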

  3. Kitten herder says:

    I too have encountered this plague of short-sighted stupidity. The underlying reason is pure technical laziness. It is not very difficult to add a server-side function that prevents a password value from being used for SQL injection, or other evil techno wizardry. Financial institutions who do not FORCE the use of special characters in passwords, and do not require a minimum of 14 characters, are ticking time bombs.

    Everyone who encounters this situation should complain to their institutions and threaten to take their business elsewhere.

    I have nearly 15 years of experience in the information security field, half of which was spent dealing with penny-pinching techno-idiots in the banking sector.

    The only ones who are close to getting it right are the sites who require two-factor authentication, especially the ones that use token devices that generate a new partial-key every minute (some do it every 30 seconds).
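The token devices the comment describes, the ones that show a fresh code every 30 or 60 seconds, are time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the post or the commenter: it implements the generator and a server-side verifier with a small clock-skew window, using only the standard library. The shared secret is the 20-byte ASCII test key from RFC 6238's own test vectors, so the expected codes are known; the `window` parameter and the `verify_totp` helper are my own names.

```python
import hashlib
import hmac
import struct
import time

# The shared secret from the RFC 6238 test vectors (20 bytes, SHA-1 variant).
# A real deployment generates a random secret per user and shares it once,
# usually as a base32 string in a QR code.
RFC6238_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: the HOTP counter is the number of `step`-second intervals
    since the Unix epoch. A 60-second token uses step=60."""
    return hotp(key, int(at_time) // step, digits, algo)


def verify_totp(key: bytes, code: str, at_time: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the current interval plus `window`
    intervals either side to tolerate clock drift and a slow user; each
    candidate is compared in constant time. A production verifier should
    also record the last accepted counter per user and refuse anything at
    or below it, so a captured code cannot be replayed inside the window."""
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    print("30-second code:", totp(RFC6238_SECRET, now))
    print("60-second code:", totp(RFC6238_SECRET, now, step=60))
    print("accepted now:", verify_totp(RFC6238_SECRET, totp(RFC6238_SECRET, now), now))
```

The "partial key" the commenter mentions is exactly this: the code proves possession of the secret for one time slot without ever transmitting the secret. The window is the trade-off to watch; every extra interval you accept is another code an attacker who phished one value can still use, which is why the replay check in the comment above matters.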
