Every time I have to come up with a password for a Web site, I end up spending 10 minutes trying to find one that I can remember and that will conform to the rules for that site. You’d think there’d be some kind of standard. But, no … every site has its own bunch of rules.

One site requires the password to be “at least eight characters long.” Others specify a minimum length and require at least one number, one capital letter, and one special character. Others specify an absurdly short maximum length. They’ll limit the characters you can use, make you use at least two numbers, prevent you from using any word that’s in an English dictionary, or for all I know require that you type it with your toes while standing on your head. It’s maddening.

I could understand this idiocy 10 years ago. Today it’s simply unacceptable. The key to a good password is that it be long, unusual, and easy to remember. But the most important point is length. Next most important is being easy to remember. And I guarantee that a password like “stupid.password.rules.suck” is easier to remember and harder to break with a brute-force attack than something like “Stup1d.pw0rd”.
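To put numbers on the length-beats-complexity claim, here is an added example (not from the original post) that estimates the brute-force search space of the two passwords above in bits. It assumes the four usual character classes (26 lowercase, 26 uppercase, 10 digits, the 32 printable ASCII punctuation characters) and, as a more pessimistic model for the passphrase, an attacker who knows it is four words drawn from a 100,000-word list joined by a fixed separator; both the class sizes and the dictionary size are assumptions chosen for illustration.

```python
import math
import string

# Assumed class sizes: the attacker is taken to try every character of every
# class that appears somewhere in the password (the classic brute-force model).
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),  # 32 printable ASCII punctuation marks
}


def classes_used(password: str) -> set:
    """Return the names of the character classes present in the password."""
    present = set()
    for ch in password:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("symbol")
    return present


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must cover for this password."""
    return sum(CLASS_SIZES[c] for c in classes_used(password))


def brute_force_bits(password: str) -> float:
    """log2 of the number of strings of this length over the observed alphabet."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(n_words: int, dictionary_size: int) -> float:
    """Pessimistic bound for a passphrase: the attacker knows the word count,
    the separator, and the word list, and only has to pick the words."""
    return n_words * math.log2(dictionary_size)


if __name__ == "__main__":
    # Both passwords are the ones quoted in the post above.
    for pw in ("stupid.password.rules.suck", "Stup1d.pw0rd"):
        print(f"{pw!r}: {len(pw)} chars, alphabet {charset_size(pw)}, "
              f"{brute_force_bits(pw):.1f} bits (brute force)")
    # Passphrase as 4 words from an assumed 100,000-word list.
    print(f"passphrase, word-list attacker: {wordlist_bits(4, 100_000):.1f} bits")
```

Under the brute-force model the 26-character passphrase sits at roughly 152 bits against about 79 bits for the 12-character mixed-class string. Even the word-list attacker, who is handed the structure of the passphrase for free, still faces about 66 bits, and the equivalent shortcut for the short password (a dictionary word with leet substitutions) would cut its figure well below the brute-force number too, so the brute-force bits for “Stup1d.pw0rd” are an overestimate in the same way.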

To make matters worse, sites often don’t tell you what the password rules are. It’ll say, “enter password.” So you enter something like “’” and it will say, “Passwords must contain at least one number and one capital letter.” So then you enter “3rd.rock&Roll.act” and it will say, “Passwords may only contain the characters [list of characters that doesn’t include ‘&’]”. So then you type, “” and it will say, “Passwords must be between 8 and 14 characters in length.”

Why can’t they tell me all of the rules up front? Do they think I’m here to play 20 passwords? This evening my hosting provider told me that my password had expired and that I need to create a new one. Fine. I’m now on my fifth attempt at creating a password that I can remember, that others won’t likely guess, and that fits the rules that they’re revealing to me one at a time.

People who create Web sites: please update your password rules. Force me to create a password that’s at least 15 characters long, and let me put whatever characters I want in it! If you really have to put a limit on the length, make it something reasonable like at least 32 characters. Limiting me to 12 (a banking site, no less) or 14 characters and making me choose from three or four different classes of characters to boot just pisses me off and makes me think that I should find some other place to take my business.
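One way to give users the rules up front and report every violation in a single pass, as an added example that is not part of the original post: the policy is plain data, so the same object that validates a password can also print its rules before the user types anything. The “legacy” policy below is reconstructed from the sequence of rejections described in the post (digit and capital letter required, a restricted character list that omits “&”, length 8 to 14); the “recommended” policy encodes the post’s suggestion of a 15-character minimum with no character restrictions. The exact allowed-character list in the legacy policy is an assumption.

```python
import string
from dataclasses import dataclass, field
from typing import List, Optional, Set


def char_class(ch: str) -> str:
    """Classify one character into one of four classes."""
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    if ch.isdigit():
        return "digit"
    return "symbol"


@dataclass
class PasswordPolicy:
    min_length: int
    max_length: Optional[int] = None          # None: no upper bound
    required_classes: Set[str] = field(default_factory=set)  # e.g. {"digit", "upper"}
    allowed_chars: Optional[str] = None       # None: any character is accepted

    def describe(self) -> List[str]:
        """Human-readable rule list, suitable for showing before the user types."""
        rules = []
        if self.max_length is None:
            rules.append(f"at least {self.min_length} characters")
        else:
            rules.append(f"between {self.min_length} and {self.max_length} characters")
        if self.required_classes:
            names = ", ".join(sorted(self.required_classes))
            rules.append(f"must contain at least one of each: {names}")
        if self.allowed_chars is not None:
            rules.append(f"may only contain: {self.allowed_chars}")
        return rules

    def violations(self, password: str) -> List[str]:
        """Evaluate every rule and return all failures at once, not just the first."""
        failures = []
        n = len(password)
        if n < self.min_length or (self.max_length is not None and n > self.max_length):
            failures.append(self.describe()[0])
        present = {char_class(ch) for ch in password}
        missing = self.required_classes - present
        if missing:
            failures.append(f"missing character class(es): {', '.join(sorted(missing))}")
        if self.allowed_chars is not None:
            bad = sorted({ch for ch in password if ch not in self.allowed_chars})
            if bad:
                failures.append(f"disallowed character(s): {''.join(bad)}")
        return failures


# Constructed from the rejections described in the post; the allowed list is assumed.
LEGACY = PasswordPolicy(
    min_length=8,
    max_length=14,
    required_classes={"digit", "upper"},
    allowed_chars=string.ascii_letters + string.digits + "._-",
)

# The post's recommendation: long minimum, no ceiling, any character.
RECOMMENDED = PasswordPolicy(min_length=15)


if __name__ == "__main__":
    for name, policy in (("legacy", LEGACY), ("recommended", RECOMMENDED)):
        print(f"[{name}] rules: " + "; ".join(policy.describe()))
        for pw in ("3rd.rock&Roll.act", "Stup1d.pw0rd", "stupid.password.rules.suck"):
            print(f"  {pw!r}: {policy.violations(pw) or 'OK'}")
```

The legacy policy rejects “3rd.rock&Roll.act” for two reasons in one response (too long and the “&”), instead of revealing them one round at a time; the recommended policy accepts the passphrase outright and can be described in a single line.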


  • Hear, hear!
    I have an Apple account that I use so seldom that I can’t remember the password. So, each time I log in, I have to change it. And I can’t use a password that I can remember, because they don’t let you change the password to anything you’ve used in the past year. That is so annoying that I use the account even less frequently than I might otherwise.

  • mikeb

    I totally agree. One of the worst things about all this is that most of the time these password complexity rules are for sites that I really don’t care much about. I don’t much care about the security of my account to post on or – other than I don’t want someone stealing my credentials to use on other sites (and any vulnerability with that has nothing to do with the complexity of *my* password).

    So here’s what I do: I have a seven character password that contains letters and numbers and isn’t a word or “leet-word”. It’s just letters and numbers.

    On any site that I really don’t care about the security of (for example, not a financial or work related site), I add the first letter of the site’s domain as a capital letter to the end of that 7 character password. Voila – I have an 8 character password with a capital letter, lowercase letters and digits. 8 characters seems to be the sweet spot of being long enough and short enough for 99% of sites, and very few sites require a ‘special character’ (many more sites fall over if you try to use one). For those sites I have to make an exception and add a dash at the beginning of the password.

    So with that scheme I have a pretty easy to remember password for most any site. Even if the password database gets leaked, I’m mostly OK because the password will be slightly different on different sites (for the most part). Even if it’s the same, I only use this password scheme on sites I really don’t care much about – it’s mostly about preventing people from using my account to spam, I guess.

    On the sites I do care about, I use completely different passwords. But that’s manageable, since there are only a few sites I really care about securing.

  • As for presenting the rules up front, no doubt about it, I’m with you on that one.

    As for the “selecting whatever characters” bit…

    If I put on my user hat, I totally agree with you.

    However, if I put on my tech support hat, I can understand some of the restrictions. After too many tickets of users failing to login due to incorrect password, we’ve eliminated some characters from the allowed list, like “1” and “l”, or “O” and “0”. Worked wonders, I can assure you.

  • I remember one of my mainframe accounts – it was annoying at the time, but it seems better and better today. When you had to change your password, it gave you a list of 20 options, and you had to choose from those. If you didn’t find one you liked, you could generate another 20. No guessing about rules, no figuring out the dupe history, etc. And the sysadmins knew that the passwords were generated to their satisfaction.