I have a friend who has a whole bunch of passwords written down, on a whole bunch of Post-It notes, right next to her computer. Why on earth would she do that? Well, it's not her fault. It's the fault of overzealous web sites that not only force her to have complex passwords, but have conflicting rules. She can't make up one password that she uses everywhere.

I frequently recommend that people make up a rule for their passwords -- for example, the name of their dog and a number, followed by something they can associate with the web site. This way they only have to remember a single, simple rule but end up with a different, more complex password for each site. They might have passwords like spot3nile for Amazon, spot3junk for eBay, spot3green for American Express, etc. But even this fails miserably because there are so many different conflicting standards. It's all part of the fake security that so many web sites have.

Here are some of the password policies that I've seen recently:
- no restrictions at all
- 6 or more characters, no restrictions
- 6-8 characters, at least one non-letter, symbols are recommended
- 6-8 characters, at least 1 letter and at least 1 number, and at least 1 symbol
- 6-8 characters, at least 1 letter and at least 1 number, and at least 1 symbol
- 6-8 characters, at least 1 letter and at least 1 number, no symbols allowed
- 8-12 characters, at least 1 uppercase, 1 lowercase, 1 number, no symbols allowed
- 6-8 digits
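To make the "conflicting rules" point concrete, here is a small checker I added for this post (it is not code from the original post). It transcribes the seven distinct policies from the list above, reports which of them reject a given password (including the spot3nile-style passwords described earlier), and, by inspecting the rules alone, lists every pair of policies that no single password can satisfy. The `Policy` class and the function names are this example's own:

```python
"""Hypothetical password-policy checker (added example, not the post's code).

The seven distinct policies are transcribed from the post's list; the
class and function names are this example's own.
"""
from __future__ import annotations

import string
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

SYMBOLS = set(string.punctuation)


@dataclass(frozen=True)
class Policy:
    name: str
    min_len: int = 1
    max_len: Optional[int] = None
    need_letter: bool = False      # at least one letter
    need_nonletter: bool = False   # at least one character that is not a letter
    need_upper: bool = False
    need_lower: bool = False
    need_digit: bool = False
    need_symbol: bool = False
    allow_letters: bool = True
    allow_symbols: bool = True


# Transcribed from the post's list (the duplicated entry collapsed to one).
POLICIES = [
    Policy("no restrictions at all"),
    Policy("6 or more characters", min_len=6),
    Policy("6-8, at least one non-letter", 6, 8, need_nonletter=True),
    Policy("6-8, letter+number+symbol", 6, 8, need_letter=True, need_digit=True, need_symbol=True),
    Policy("6-8, letter+number, no symbols", 6, 8, need_letter=True, need_digit=True, allow_symbols=False),
    Policy("8-12, upper+lower+number, no symbols", 8, 12, need_upper=True, need_lower=True,
           need_digit=True, allow_symbols=False),
    Policy("6-8 digits", 6, 8, need_digit=True, allow_letters=False, allow_symbols=False),
]


def violations(policy: Policy, pw: str) -> list[str]:
    """Return the rules of `policy` that `pw` breaks (empty list = accepted)."""
    letters = [c for c in pw if c.isalpha()]
    has_symbol = any(c in SYMBOLS for c in pw)
    problems = []
    if len(pw) < policy.min_len:
        problems.append(f"shorter than {policy.min_len}")
    if policy.max_len is not None and len(pw) > policy.max_len:
        problems.append(f"longer than {policy.max_len}")
    if policy.need_letter and not letters:
        problems.append("needs a letter")
    if policy.need_nonletter and len(letters) == len(pw):
        problems.append("needs a non-letter")
    if policy.need_upper and not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if policy.need_lower and not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if policy.need_digit and not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if policy.need_symbol and not has_symbol:
        problems.append("needs a symbol")
    if not policy.allow_letters and letters:
        problems.append("letters not allowed")
    if not policy.allow_symbols and has_symbol:
        problems.append("symbols not allowed")
    return problems


def failing_policies(pw: str, policies: list[Policy] = POLICIES) -> list[str]:
    """Names of the policies that reject `pw`."""
    return [p.name for p in policies if violations(p, pw)]


def incompatible(p: Policy, q: Policy) -> bool:
    """True when no string can satisfy both policies, judged from the rules alone."""
    def disjoint_lengths(a: Policy, b: Policy) -> bool:
        return b.max_len is not None and a.min_len > b.max_len

    def wants_letters(x: Policy) -> bool:
        return x.need_letter or x.need_upper or x.need_lower

    return (
        disjoint_lengths(p, q) or disjoint_lengths(q, p)
        or (p.need_symbol and not q.allow_symbols)
        or (q.need_symbol and not p.allow_symbols)
        or (wants_letters(p) and not q.allow_letters)
        or (wants_letters(q) and not p.allow_letters)
    )


def conflicting_pairs(policies: list[Policy] = POLICIES) -> list[tuple[str, str]]:
    """Every pair of policies that the same password can never satisfy."""
    return [(p.name, q.name) for p, q in combinations(policies, 2) if incompatible(p, q)]


if __name__ == "__main__":
    for pw in ("spot3nile", "Spot3nil", "123456"):   # constructed sample passwords
        print(f"{pw!r} rejected by: {failing_policies(pw)}")
    print("mutually unsatisfiable policy pairs:")
    for a, b in conflicting_pairs():
        print(f"  {a}  <->  {b}")
```

Run it and you see the structural problem the post describes: five of the policy pairs are unsatisfiable before any password is even tried (symbol required versus symbols forbidden, letters required versus digits only), so a user following a single personal rule is guaranteed to be rejected somewhere and ends up with a drawer full of exceptions.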
Update: Serendipity! Just saw a New York Times Bits posting on pretty much this same topic: Falling Over Fallback Password Questions. An extra point from a comment that I wish I'd remembered -- how many sites are there that, after requiring you to use a ridiculously long and complex password (one you may well be using on other sites), simply email it to you in plain text when you go through the reset mechanism? What are they thinking?
5 comments:
I just posted a lengthy reply to Roy's password rant over on my blog.
Also, would totally have used this picture in my blog post if the author didn't reserve all rights.
@Scott: Thanks for the response.
I do recommend Scott's post about OpenID (and I'm going to post a reply over on his blog as well). Sadly, OpenID is pretty far from being a standard at this point. And, even more sad, I'll bet money that even as it gains in acceptance, web sites will just add a layer on top of OpenID that makes it clunky. That was one of the problems with Passport's adoption (one of many problems, and I know them well -- I worked very closely with the Passport team while at Microsoft and am a co-inventor of a Passport-related patent as well as another one that's pending).
Vidoop seems like a reasonable solution, but I haven't compared it with the competition.
I won't disclose my password policy but I answer the stupid questions (I find most of them either irrelevant or insulting) with an expletive phrase I can remember. Helps me vent at the same time.
I think these websites simply use a modified web module. It's just a pain in the axx. I don't know why they make the username and the password so complex since you can't do anything other than pay the bill. I guess they are trying to prevent someone from paying the bill for you? The most stupid website I have ever seen is American Water company; they don't just ask for a complex password, they even ask for a complex username, such as 9-12 characters, at least 1 uppercase, 1 number, no symbols allowed. What's the point? I understand some websites might have your personal information, but a water company? I can't even see my full account number when logged in. It just doesn't make sense. I kept forgetting my username, and they ask for the account number to reset. Since I checked the paperless option, that leaves me no way to find my stupid account number. Very stupid.
I have a complex password for all my accounts. It has 16 characters, combined with numbers and symbols. It worked quite well until I signed up for an online account with American Water and Athena Service (trash collecting). Because their stupid password rules don't allow symbols. Combining the symbols is the best way to create a strong password; if the key point is protecting your account, why not allow symbols?
Sorry for whining here. The article makes me feel better now :)