Oct 13 2012

password lunacy

One of my fixed term savings accounts matured at the end of last week. This means that the paltry “bonus” interest rate which made the account ever so slightly more attractive than the pathetic rates generally available 12 months ago now disappears and I am left facing a rate so far below inflation that I have contemplated just stuffing the money under my mattress. Current rates generally on offer at the moment are pretty terrible all round, but I was certainly not going to leave the money where it was so I decided to move it to a (possibly temporary) new home.

After checking around, I found a rate just about more attractive than my mattress and so set about opening the new account on-line. Bearing in mind that this account will be operated solely on-line and may hold a significant sum of money (well, not in my case, but it could) one would expect strong authentication mechanisms. I was therefore not reassured to be greeted by a sign up mechanism that asked for the following:

a password which must:

  • be between 8 and 10 characters in length;
  • contain at least one letter and one number;
  • not use common words or names such as “password”;
  • contain no special characters i.e. £ %

(oh, and it is not case sensitive. That’s good then.)

Further, I am asked to provide:

  • a memorable date;
  • a memorable name; and
  • a memorable place.

I should note here that I initially failed the last hurdle because the place name I chose had fewer than the required 8 characters, and when I tried a replacement I found that I wasn’t allowed to use a place name with spaces in it (so, something like “Reading” or “Ross on Wye” are unacceptable to this idiot system).

I haven’t tried yet (the account is in the process of being set up and I will receive details in the post) but from experience with other similar accounts, I guess that the log-on process will ask for my password, then challenge me to enter three characters drawn from one of my memorable date/name/place. Oh, and the whole process is secured by a 128bit SSL certificate.

My friend David wrote a blog piece a while ago about stupid password rules. The ones here are just unbelievable. Why must the password be limited to 8-10 characters? Why can’t I choose a long passphrase which fits my chosen algorithm (like David, I compute passwords according to a mechanism I have chosen which suits me). Why must it only be alphanumeric? And why for pity’s sake should it be case insensitive? Are they deliberately trying to make it easy to crack?

As for the last three requirements, what proportion of the population do you think are likely to choose their birthdate, mother’s maiden name and place of birth (unless of course, they were born in Reading, or London, or York, or Glasgow, or Burton on Trent or…)

Answers on a postcard please.

Permanent link to this article: http://baldric.net/2012/10/13/password-lunacy/