You can't secure what you don't acknowledge.SM

Tuesday, May 5, 2009

Hilarious/ridiculous password requirements

I came across some very laughable Web-site password requirements with some sites I've used recently that I wanted to share. The need for us to use strong passwords/passphrases on the Web is pretty obvious. I also believe in balancing security with reality and not going overboard.

My first example is just that: overboard. It's AT&T Wireless. Check out their ridiculous password requirements:
Your password is case-sensitive and must:
- Be six to twenty characters in length.
- Not use characters other than letters and numbers (e.g. *, &, #, ", etc.).
- Not match your first or last name, or the combination of some or all of your first and last name.
- Not use your date of birth in any combination (e.g. MMDDYYYY).
- Not include the first four to eight digits of your wireless number.
- Not match part or all of your account number.
- Not match your MediaNet User ID.
- Not be an e-mail address.
- Not have repeating characters longer than two (e.g. aaa).
- Not have ascending characters longer than three (e.g. abcd).

The irony of it all is that you can't use special characters like *, &, and #. These characters can make our accounts more secure, so why can't we use them?
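To make the quoted rules concrete, here is a small validator I wrote for this post that encodes them as I read them (it is not AT&T's code, and the sample account data in it is made up). Running it shows which rules are sensible hygiene (rejecting names, dates and account numbers a guesser would try first) and which one actually shrinks the space of allowed passwords: the letters-and-digits-only rule drops an 8-character password from roughly 52 bits to about 48 bits when measured against the full printable-ASCII alphabet. Where the wording is ambiguous ("some or all" of a name, "part" of an account number) the interpretation is my assumption and is marked in the comments.

```python
import math
import re
from dataclasses import dataclass


@dataclass
class AccountContext:
    """Account data the rules refer to. Every field here is a hypothetical sample value."""
    first_name: str = ""
    last_name: str = ""
    birth_date: str = ""        # ISO form YYYY-MM-DD
    wireless_number: str = ""   # digits only
    account_number: str = ""    # digits only
    medianet_user_id: str = ""


def has_repeat_run(pw, limit=2):
    """True if some character repeats more than `limit` times in a row (e.g. 'aaa')."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > limit:
            return True
    return False


def has_ascending_run(pw, limit=3):
    """True if code points ascend by exactly one for more than `limit` characters (e.g. 'abcd', '1234')."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if ord(cur) == ord(prev) + 1 else 1
        if run > limit:
            return True
    return False


def birth_date_forms(iso_date):
    """Digit strings a birth date is commonly typed as: MMDDYYYY, DDMMYYYY, YYYYMMDD and two-digit-year variants."""
    if not iso_date:
        return set()
    year, month, day = iso_date.split("-")
    return {month + day + year, day + month + year, year + month + day,
            month + day + year[2:], day + month + year[2:], year[2:] + month + day}


def check_att_rules(pw, ctx):
    """Return the list of quoted rules that `pw` violates; an empty list means the password is accepted."""
    problems = []
    low = pw.lower()
    if not 6 <= len(pw) <= 20:
        problems.append("length must be 6 to 20 characters")
    if not re.fullmatch(r"[A-Za-z0-9]+", pw):
        problems.append("only letters and digits are allowed")
    first, last = ctx.first_name.lower(), ctx.last_name.lower()
    names = {n for n in (first, last, first + last, last + first) if n}
    # Assumption: "combination of some or all" means equal to a name combination,
    # or containing a first/last name of three or more letters.
    if low in names or any(len(n) >= 3 and n in low for n in (first, last)):
        problems.append("matches first/last name")
    if any(form in pw for form in birth_date_forms(ctx.birth_date)):
        problems.append("contains date of birth")
    # Any five- to eight-digit prefix of the number contains the four-digit prefix,
    # so checking the four-digit prefix covers the whole "four to eight digits" rule.
    prefix = ctx.wireless_number[:4]
    if prefix and prefix in pw:
        problems.append("contains start of wireless number")
    # Assumption: "part" of the account number means any four consecutive digits of it.
    acct = ctx.account_number
    if acct and (low == acct or any(acct[i:i + 4] in pw for i in range(len(acct) - 3))):
        problems.append("matches part or all of account number")
    if ctx.medianet_user_id and low == ctx.medianet_user_id.lower():
        problems.append("matches MediaNet User ID")
    if "@" in pw:  # already excluded by the letters-and-digits rule, kept for completeness
        problems.append("looks like an e-mail address")
    if has_repeat_run(pw):
        problems.append("repeating run longer than two")
    if has_ascending_run(pw):
        problems.append("ascending run longer than three")
    return problems


def keyspace_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password of `length` symbols drawn from `alphabet_size`."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample account; none of these values belong to a real person.
    ctx = AccountContext("Jane", "Doe", "1980-07-04", "5551234567", "987654321", "janedoe")
    for candidate in ["Tr0ubad0ur", "aaa123", "Pass%word", "JaneDoe", "07041980x", "5551234Qz", "abcd12"]:
        print(candidate, "->", check_att_rules(candidate, ctx) or "accepted")
    print("8 chars, letters and digits only: %.1f bits" % keyspace_bits(8, 62))
    print("8 chars, full printable ASCII:    %.1f bits" % keyspace_bits(8, 94))
```

The account-data rules cost the user nothing in keyspace and block the guesses an attacker with a phone bill in hand would try first; the character-set rule is the one that trades away roughly five bits per eight characters while also forcing people toward passwords they cannot remember, which is exactly the reset-call cost the post describes.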

I wonder how much AT&T Wireless spends each year responding to password-reset inquiries? They've gotten quite a few from me just trying to come up with a "secure" passphrase that doesn't include special characters. Maybe at least that cost balances out the ridiculous amount of money you know they're getting via their verbal diarrhea prompts that use up your minutes when you're leaving and checking cell phone voicemails.

The next one made me laugh out loud. Apparently has a policy against secure passwords as well:

The pop-up window says "You have entered a character that is not allowed for security reasons: %"

So, folks, getting back to what I often say about Web application security (and security in general): unless and until we fix these basic security problems, why bother going down the road of encryption, fancy input filtering, IPS, and so on?

1 comment:

  1. Great observation. I can almost never access any of the sites in my own organisation, as passwords expire, and are at a ridiculous level of security for what they contain. Some people don't even bother to use them. A case-sensitive 8-digit password has more than 218,300,000,000,000 combinations. Guess that without a keylogger!

    Yet I never have trouble accessing my bank account online.