Usually when I have to collect information from a lot of online sources, I end up resetting my password on half the sites I need. This is usually because every site has different requirements, some of which contradict the requirements on other sites. This prevents me from using the same password on all sites, which may be a good thing, but I feel I'm picking pretty strong passwords. What gets me is some of the ludicrous requirements, such as case-insensitivity and prohibiting vulgar words! Here are the requirements from some of the websites I use:
Website | Length (characters) | Required / allowed characters | Prohibited |
---|---|---|---|
Schwab | 6-8 | 1 number, placed between the first and last characters | Symbols |
Citibank | 6-32 | at least 2 numbers | ' " = ; : < > ( ) or vulgarity! |
Capital One Credit | 8-15 | 1 number; A-Z, 0-9, minus and underscore only; NOT case sensitive | No spaces |
Capital One Auto | 8-12 | letters and numbers; case sensitive | No spaces |
Wells Fargo | 6-14 | 1 number and 1 letter | none specified |
ADP ProBusiness | 8-14 | 1 uppercase letter, 1 lowercase letter, 1 number, 1 symbol | none specified |
The best part of this is the difference between two arms of Capital One. Someone needs to update their COBOL!
The no-vulgarity rule is really weird: why should they care? No one is supposed to see, hear, or communicate the password anyway.

I've found similar kinds of strange requirements, too. One site for some reason didn't use the same validation upon account creation as it did for account login, so, for example, I created a 20-character password which was not accepted when I later attempted to log in. On a hunch, I trimmed my password one character at a time and eventually discovered that it thought my password was the first 16 characters of my 20-character password: upon creation it was trimmed by 4 characters and then stored (with no warning of the trim), and when I attempted to log in with the 20-character password there was no warning that I had exceeded a maximum length. In a few other cases, I've discovered websites which have no ability to change passwords, which theoretically means that brute-force attacks could be more successful against them.

Some sites, if "asked" by entering a wrong password, tell people exactly what the password requirements are, but I think a better strategy is for website owners to accept the largest set of characters feasible and a length larger than most people will use, without revealing the exact password requirements. For example, say you are a system owner and your system stores up to 32 characters of a password, but when someone creates an account or attempts to log in you accept up to 100 or 1000 characters. If someone creates a password that's 60 characters long, it should be accepted at creation and at login even if the system only stores and checks the first 32 characters. After all, if someone attempts to log in and gets the first 32 characters of a 60-character password correct, do you really need to check the remaining characters to know that's the same person? Probably not, and so you also probably don't need to reveal that you store only the first 32 characters.
This is kind of like the problematic situation I described above, except that they should have let me in after checking the first 16 characters of my 20-character password. To see how crazy password management is where I work, see http://pharmacy.ucsf.edu/go/passwords , and for the password management solutions I recommend, see http://pharmacy.ucsf.edu/go/managepw .
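To make the two situations above concrete, here is an added example (my own illustration, not code from the post or from any of the sites named in it). The first pair of functions reproduces the bug I ran into: creation silently keeps 16 characters while login compares the full string. The second pair applies one length rule and one normalization step on both paths, so a 60-character password works at creation and at login whether the whole password is hashed (the normal case: a salted PBKDF2 hash is fixed-size, so there is no storage reason to cut the password at all) or a legacy backend can only use the first 32 characters. The 8/1000 limits, the `stored_prefix` knob and the user names are this example's own assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed policy values for this example: the post suggests accepting 100 or
# 1000 characters; the minimum of 8 and the PBKDF2 round count are my choices.
MIN_ACCEPTED = 8
MAX_ACCEPTED = 1000
PBKDF2_ROUNDS = 100_000

Record = Tuple[bytes, bytes]        # (salt, derived key)
Store = Dict[str, Record]


# --- The behaviour described in the post: creation trims silently, login does not ---

def broken_register(store: Dict[str, str], user: str, password: str) -> None:
    # Keeps only the first 16 characters and tells the user nothing.
    store[user] = password[:16]


def broken_login(store: Dict[str, str], user: str, password: str) -> bool:
    # Compares the full submitted password against the trimmed one, so the
    # 20-character password that was "accepted" at creation never matches.
    return store.get(user) == password


# --- One rule, applied identically at creation and at login ---

def check_length(password: str) -> None:
    """Same length rule on both paths; reject loudly, never trim silently."""
    if not MIN_ACCEPTED <= len(password) <= MAX_ACCEPTED:
        raise ValueError(
            f"password must be {MIN_ACCEPTED}-{MAX_ACCEPTED} characters")


def normalize(password: str, stored_prefix: Optional[int]) -> bytes:
    """The single place where a legacy 'first N characters' limit is applied.
    Both register() and login() call this, so a 60-character password that was
    cut to 32 at creation is cut to the same 32 at login. With stored_prefix=None
    the whole password is used, which is what a salted hash allows for free."""
    if stored_prefix is not None:
        password = password[:stored_prefix]
    return password.encode("utf-8")


def derive(secret: bytes, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; output is always 32 bytes,
    # independent of how long the password was.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS)


def register(store: Store, user: str, password: str,
             stored_prefix: Optional[int] = None) -> None:
    check_length(password)
    salt = os.urandom(16)
    store[user] = (salt, derive(normalize(password, stored_prefix), salt))


_DUMMY_SALT = os.urandom(16)   # used for unknown users so timing stays uniform


def login(store: Store, user: str, password: str,
          stored_prefix: Optional[int] = None) -> bool:
    check_length(password)     # identical rule to register(), not a looser one
    salt, expected = store.get(user, (_DUMMY_SALT, b""))
    # Derive even for unknown users and compare in constant time, so response
    # time does not reveal which user names exist or where a mismatch occurs.
    candidate = derive(normalize(password, stored_prefix), salt)
    return hmac.compare_digest(expected, candidate)


if __name__ == "__main__":
    legacy: Dict[str, str] = {}
    broken_register(legacy, "alice", "x" * 20)
    print("broken, 20 chars:", broken_login(legacy, "alice", "x" * 20))
    print("broken, 16 chars:", broken_login(legacy, "alice", "x" * 16))

    consistent: Store = {}
    register(consistent, "alice", "x" * 60, stored_prefix=32)
    print("consistent, 60 chars:", login(consistent, "alice", "x" * 60, stored_prefix=32))
    print("consistent, 32 chars:", login(consistent, "alice", "x" * 32, stored_prefix=32))
```

Run as a script it prints False, True, True, True: the broken pair only lets the user in with the trimmed 16-character string, while the consistent pair accepts the full 60-character password and, because the same prefix rule runs on both paths, also its first 32 characters, exactly the outcome argued for above.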