Monday, June 18, 2012

Password Security - Why limit me?

I wasn't planning another post in the password security series, but I felt I just had to.  If you read my previous posts you know that I recently went through and changed all my passwords (close to 100) to long complex passwords.  For example, a new password might look like "\mFYZWLbCc:bmf^Pe/cJ".

One annoying problem, however: I was shocked by how many online sites would reject these new complex passwords.  It's normal for sites to reject passwords that do NOT contain mixed uppercase and lowercase as well as a number, because those passwords aren't complex enough.  But a shockingly large number of sites rejected my new passwords because they were too complex, which makes absolutely no sense!  For the most part the rejections fell into one of two categories.

1.  Passwords were rejected because they contained symbols (oh, got to watch out for those pesky symbols).  Seriously, you're rejecting my password because I used symbols like #, %, &, <, etc.?  As a user I should be allowed to use any letters, numbers, or symbols I want in my password.  The more possible characters to choose from the more secure my password, so they should be encouraging me to use these symbols, not preventing me.

2.  Passwords were rejected because they were too long.  A lot of sites limited my password to 12, 16, or 20 characters.  As I previously said, the longer the better, so they should not only allow long passwords but they should encourage them.  One site even limited me to 8 characters as a maximum length!

In both of these cases, these online sites need to take a lesson from Microsoft Windows.  Microsoft got password security right.  Windows passwords can contain ANY character, including things like high-ASCII characters.  Also, the Windows password can be up to 256 characters in length.  This is how online sites should be.  Obviously they shouldn't force you to have such long complex passwords, but they definitely shouldn't prevent it.

There is one last thing which I just couldn't believe.  One site allowed me to change my password to a long 20 character password.  After setting my new password, I would always log off and then log back in, just to make sure it worked.  When I tried to log back in I got an error message saying "You cannot enter a password longer than 16 characters."  Huh, you just let me set a 20 character password, but you won't let me log in with anything more than 16.  Where is QA at this place?  Clearly the right hand doesn't know what the left is doing.  And what's really sad is that this was a VERY large organization (multi-billion dollar); they should have one of the best systems available.  But this didn't exactly inspire confidence in me.
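As an added illustration (not code from the original post), here is a small password policy of the kind the post argues for: it only checks length and accepts any printable character, and registration and login share the same policy object so the "set 20, log in with 16" mismatch cannot happen. The minimum of 12 and maximum of 256 are assumed values, and the keyspace helper shows why capping length or banning symbols shrinks the search space.

```python
# Added example, not code from the original post. Models the two failures the
# post describes: policies that forbid symbols or cap length, and a site whose
# "set password" and "login" paths enforce different limits.
import math
import string
from typing import Optional

ALPHANUMERIC = string.ascii_letters + string.digits          # 62 characters
PRINTABLE_ASCII = ALPHANUMERIC + string.punctuation + " "    # 95 characters


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for a uniformly random password of this length/alphabet."""
    return length * math.log2(alphabet_size)


class PasswordPolicy:
    """Length-only policy: any printable character is allowed, as the post argues."""

    def __init__(self, min_len: int = 12, max_len: int = 256) -> None:
        self.min_len = min_len      # assumed minimum; reject passwords that are too short
        self.max_len = max_len      # assumed generous ceiling, Windows-like

    def check(self, password: str) -> Optional[str]:
        """Return None if the password is acceptable, otherwise the rejection reason."""
        if len(password) < self.min_len:
            return f"too short (minimum {self.min_len})"
        if len(password) > self.max_len:
            return f"too long (maximum {self.max_len})"
        if not password.isprintable():
            return "contains non-printable characters"
        return None   # symbols such as # % & < are fine


class Account:
    """Registration and login share ONE policy object, so they can never disagree."""

    def __init__(self, policy: PasswordPolicy) -> None:
        self.policy = policy
        self._stored: Optional[str] = None   # toy store; a real site stores a hash

    def set_password(self, password: str) -> Optional[str]:
        reason = self.policy.check(password)
        if reason is None:
            self._stored = password
        return reason

    def login(self, password: str) -> bool:
        # Same policy as set_password: a password that was accepted is always usable.
        if self.policy.check(password) is not None:
            return False
        return password == self._stored
```

Passing `PasswordPolicy(max_len=16)` to the account reproduces the 16-character rejection the post hit, but it then rejects at set time too, which is the consistent behaviour a QA check should expect.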
