Author Topic: Absurd Password Policies - Rant  (Read 8628 times)

Peter

  • Guest
Absurd Password Policies - Rant
« on: October 20, 2005, 10:29:19 PM »
This is not in any way a reflection on PasswordMaker, which I like very much.
In fact I was in the process of changing all my passwords using PWM when I ran into this problem.

I found many sites that do not allow passwords that use non-alphanumeric characters (^&*()/ etc...).  The absurd thing is that almost all the sites that require alphanumeric passwords only are financial sites!!

So Yahoo will allow me to create a complex password for my email, but my bank and credit card companies will not allow such a complex password!!!  What do they care if my password contains a % or not?  It is very frustrating that the sites that probably SHOULD have more complex passwords are the very ones that do NOT allow it.

I have changed about 20-25 of my passwords so far and the vast majority of the financial sites I use only allowed alphanumeric passwords.  I'm going to have to bring this up with them.

Just needed to point out the absurdity of some companies' policies.

Thanks for the great tool, Eric.

Peter

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Absurd Password Policies - Rant
« Reply #1 on: October 21, 2005, 03:31:51 AM »
Peter,
I hope you realize you can configure PasswordMaker to use non-alphanumeric for some sites, and alphanumeric for others. Your post is very timely. I just heard about this and U.K. financial institutions must do the same thing.

Peter

  • Guest
Absurd Password Policies - Rant
« Reply #2 on: October 21, 2005, 02:52:57 PM »
Eric,
Yes, I have been able to change the settings for those sites.  In fact that is part of the annoyance, that there are so many individual sites that cannot use the default character set.

In a related issue, I was just reading an article by Jesper Johansson claiming that password length is more important than the character set.  He says a longer random password made up of only alphanumeric characters is more resistant to cracking than a shorter random password that includes non-alphanumeric characters.  Maybe the character set isn't so important as long as you can make the length long enough.

Peter

Offline quixin

  • Hero Member
  • *****
  • Posts: 538
Absurd Password Policies - Rant
« Reply #3 on: October 21, 2005, 03:21:55 PM »
I experience the same problem with every single financial-related website and it's extremely annoying. I can't see the logic in restricting characters and length, especially somewhere security should be of major importance.



Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Absurd Password Policies - Rant
« Reply #4 on: October 21, 2005, 04:42:18 PM »
Try using a program that forces you to have the first character be a letter along with the alphanumeric character set.
"I'm not drunk, just sleep deprived."

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Absurd Password Policies - Rant
« Reply #5 on: October 21, 2005, 05:44:54 PM »
Quote
Try using a program that forces you to have the first character be a letter along with the alphanumeric character set.
Use the "password prefix" for this. Set the prefix to any letter(s) and you'll be good.
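
Added example, not part of the original posts and not PasswordMaker's code: the length-versus-character-set trade-off from Reply #2 and the cost of a fixed letter prefix from this reply, worked out in Python. It assumes every non-prefix character is chosen uniformly at random; the function names are hypothetical.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols
FULL = ALNUM + string.punctuation              # 94 printable ASCII symbols

def entropy_bits(length, charset_size, fixed_prefix_len=0):
    """Entropy of a uniformly random password; fixed prefix characters add 0 bits."""
    if fixed_prefix_len > length:
        raise ValueError("prefix longer than password")
    return (length - fixed_prefix_len) * math.log2(charset_size)

def min_length_to_match(ref_len, ref_size=len(FULL), restricted_size=len(ALNUM)):
    """Shortest restricted-charset length whose keyspace is >= the reference's."""
    ref_space = ref_size ** ref_len            # exact integers, no float rounding
    n = 1
    while restricted_size ** n < ref_space:
        n += 1
    return n

def generate(length, charset=ALNUM, prefix=""):
    """Random password of total `length`; `prefix` satisfies a letter-first rule."""
    if len(prefix) >= length:
        raise ValueError("prefix leaves no room for random characters")
    body = "".join(secrets.choice(charset) for _ in range(length - len(prefix)))
    return prefix + body

if __name__ == "__main__":
    for ref_len in (8, 12, 16):
        need = min_length_to_match(ref_len)
        print(f"{ref_len} chars from 94 symbols = {entropy_bits(ref_len, 94):.1f} bits; "
              f"alphanumeric needs {need} chars ({entropy_bits(need, 62):.1f} bits)")
    # A fixed one-letter prefix costs one position: 10 chars total == 9 random chars.
    print(generate(10, ALNUM, prefix="a"), f"{entropy_bits(10, 62, 1):.1f} bits")
```

One or two extra alphanumeric characters make up for the missing punctuation, which only helps if the site does not also cap the length; a fixed prefix should be compensated by lengthening the password by the prefix length.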

Offline Miquel 'Fire' Burns

  • Administrator
  • *****
  • Posts: 1157
  • Programmer
Absurd Password Policies - Rant
« Reply #6 on: October 21, 2005, 06:08:47 PM »
Lucky for me, I don't actually have an account that would enforce that stupid thing (and it uses Oracle as a backend, which supports more than the frontend allows for a password)
"I'm not drunk, just sleep deprived."

LkonKbd

  • Guest
Absurd Password Policies - Rant
« Reply #7 on: October 22, 2005, 02:07:22 AM »
Quote
Snip snip

I found many sites that do not allow passwords that use non-alphanumeric characters (^&*()/ etc...).  The absurd thing is that almost all the sites that require alphanumeric passwords only are financial sites!!

So Yahoo will allow me to create a complex password for my email, but my bank and credit card companies will not allow such a complex password!!!  What do they care if my password contains a % or not?  It is very frustrating that the sites that probably SHOULD have more complex passwords are the very ones that do NOT allow it.

I have changed about 20-25 of my passwords so far and the vast majority of the financial sites I use only allowed alphanumeric passwords.  I'm going to have to bring this up with them.

Just needed to point out the absurdity of some companies' policies.

Thanks for the great tool, Eric.

Peter
"Peter,"

You should register or at least come back often.  I for one agree with you on the strength of the passwords required by banks.

Anyone else out there subscribe to the SANS organization?  They have a topic in the latest of their "SANS NewsBites Vol. 7 Num. 46" on "--Regulators Release New Guidelines for Financial Institutions' Online Authentication."  They are more interested in their bottom line instead of customers' security and requiring strong authentication.

I sent the editor of SANS Newsletters a note about your rant letting him know of that lack in security as well.  I completely agree with you on that.  Thank you for bringing it up.

Thank you for reading this,
