Someone should come up with a standard for password requirements. I was creating an account on my car loan website today and here were the requirements for the password.
- be at least 6 characters in length
- contain both alpha (A-Z) and numeric (0-9) characters
- use at least one upper case (A) and one lower case (a) character
- not have more than 2 repeated characters (ex: "O'Tooole")
- not have more than 2 characters in a sequence (ex: "123xyz")
- not match the User ID
Plus the username had to contain a number as well. Now I am all for strong passwords, but this seems like overkill. It seems every site I create an account for these days has different criteria for a strong password. I try to use only two or three passwords for every site, but when a site has restrictions like the above I have to create a new one. If it's not one of the two or three I normally use, I can't remember it. Nothing is more frustrating for an end user than not being able to log in. And even if it is their fault, that frustration gets displaced onto the site they are having trouble logging into.
I would prefer to be allowed to use any password that I see fit with a few simple limitations:
- Can't be the same as the user name.
- Can't contain spaces or any scripting characters.
- Must be at least 6 characters in length.
The other problem, besides pissing off your users, is that if users can't remember their password, they will write it down. I would venture to say (I don't have any statistics to back this up) that most accounts that are individually compromised are compromised because someone found the password written down somewhere. Which is more secure: me using the name of my first car, or having RT890%GH*!!99 taped to the front of my monitor? I prefer to encourage stronger passwords rather than enforcing them, by providing a strong password indicator to the user, like the one in the ASP.NET AJAX Control Toolkit: http://www.asp.net/AJAX/AjaxControlToolkit/Samples/PasswordStrength/PasswordStrength.aspx
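To make the two approaches concrete, here is an added example (my own code, not the car loan site's and not the ASP.NET toolkit's) that implements the six rules listed above as a hard pass/fail policy check, and beside it a simple strength indicator of the kind the toolkit provides. The rule names (`min_length`, `repeats`, etc.), the reading of "repeated" as a run of more than 2 identical consecutive characters (case-insensitive, so "O'Tooole" fails) and of "sequence" as more than 2 consecutive characters stepping up or down by one ("123xyz"), and the strength thresholds are all my assumptions; the site did not publish any of them.

```python
import math
import re

MIN_LENGTH = 6      # "be at least 6 characters in length"
MAX_RUN = 2         # "not have more than 2 repeated characters"
MAX_SEQUENCE = 2    # "not have more than 2 characters in a sequence"


def longest_repeat_run(password: str) -> int:
    """Length of the longest run of the same character (case-insensitive)."""
    longest = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur.lower() == prev.lower() else 1
        longest = max(longest, run)
    return longest


def longest_sequence_run(password: str) -> int:
    """Longest run where each character's code point is the previous one +1 or -1.

    Assumption: "sequence" means abc / 123 / cba style runs; "890" counts, "8z" does not.
    """
    longest = 1 if password else 0
    for step in (1, -1):
        run = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if ord(cur.lower()) - ord(prev.lower()) == step else 1
            longest = max(longest, run)
    return longest


def check_policy(password: str, user_id: str) -> list[str]:
    """Return the list of rule ids the password violates (empty list means it passes).

    Rule ids are my own labels, one per bullet in the site's policy.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("min_length")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        failures.append("alpha_numeric")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        failures.append("mixed_case")
    if longest_repeat_run(password) > MAX_RUN:
        failures.append("repeats")
    if longest_sequence_run(password) > MAX_SEQUENCE:
        failures.append("sequence")
    if password.lower() == user_id.lower():
        failures.append("matches_user_id")
    return failures


def strength_estimate(password: str) -> tuple[float, str]:
    """Advisory strength meter: (estimated bits, label).

    Estimates bits as length * log2(size of the character pool actually used), then
    applies a crude 25% penalty when the password contains repeat or sequence runs.
    Thresholds (28/40/60 bits) are arbitrary assumptions for the example. Note that a
    pool-based estimate cannot see dictionary words, so it rates "password1" as
    generously as a random 9-character string.
    """
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33   # printable ASCII punctuation
    bits = len(password) * math.log2(pool) if pool else 0.0
    if longest_repeat_run(password) > MAX_RUN or longest_sequence_run(password) > MAX_SEQUENCE:
        bits *= 0.75
    if bits < 28:
        label = "weak"
    elif bits < 40:
        label = "fair"
    elif bits < 60:
        label = "good"
    else:
        label = "strong"
    return round(bits, 1), label


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ("O'Tooole1", "abc123", "Tango42x", "RT890%GH*!!99"):
        print(f"{pw!r}: policy failures={check_policy(pw, 'alice7')} strength={strength_estimate(pw)}")
```

The policy function rejects outright, while the meter only reports; the same repeat and sequence detectors feed both, which is the point: a site can compute exactly the same signal and choose to show it to the user instead of refusing the password.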
Also I alluded to this earlier but I wish sites would quit requiring special characters or numbers in the username. It is a username it should be up to you. I use the same user name/user ID for all my sites (the ones that will let me) and I don’t see anything wrong with this.
My bank uses a rotating set of secret questions in addition to a username and password if I am visiting the site from a new computer. I found this a bit intrusive at first but it does provide some extra security and when I am on my normal laptop it detects the cookie and skips the secret question.
Maybe instead of a call for password standards we should be talking about CardSpace and OpenID. How long have usernames and passwords been around? Maybe it is time websites and applications evolved past passwords. On a funny side note, I usually write my blog posts in Word and then paste them into the DNM site. After writing this and going to log in to the site, I couldn't remember my password. Though we don't require strong passwords, so I have no one to blame but myself on that one.