Silly Password Rules Make A Mockery Of Online Security

Password rules from Apple iTunes

Have you noticed a major change on the Net lately? Everything we used to read for free has disappeared behind gates. Nothing is accessible any more unless we create an account!

And that account comes with a username, an email address and a password. Often we end up creating yet another new password just to satisfy the ridiculous password requirements of each new site.

As we accumulate more and more online accounts, here is a problem that companies are failing to understand and solve for customers. The difficulty of maintaining passwords for dozens of different accounts cannot be overstated.

In a world where everyone is required to get an account to even read an article, it is becoming a real headache for me to remember what password was used.

It is high time companies understood the problem and allowed users to pick a password they are comfortable with and can remember, without having to resort to writing it down.

How about you? Do you think you can remember the password you create to adhere to requirements on the various web sites you visit?

Here is how strict I believe password rules need to be:
  • A minimum of 6 characters.
  • Not a word in the dictionary or any part of your name.
  • At least one number and one capital letter.

Anything stricter than this, and your users will end up having to create a separate password for their account on your domain alone. That means they will be unable to remember it, so they will end up writing it down or asking for help to reset the account every time.

Even worse, they will stop using the account altogether, because having to reset the password every time they want to use it is a headache.

1) Here is an example from Chase + JP Morgan Job Search

The password you entered is not valid
Please note that the password must respect the following rules:
It must contain between 8 and 12 characters. Use only characters from the following set: ! # $ % & ( ) * + , - . / 0123456789 : ; < = > ? @ ABCDEFGHIJKLMNOPQRSTUVWXYZ [ ] _ ` abcdefghijklmnopqrstuvwxyz { | } ~
It must contain at least 4 lowercase letter(s) (abcdefghijklmnopqrstuvwxyz).
It must contain at least 1 capital letter(s) (ABCDEFGHIJKLMNOPQRSTUVWXYZ).
It must contain at least 2 numeric character(s) (0123456789).
It must not contain more than 2 identical consecutive characters (AAA, iiii, $$$$$ …).
It must not contain your user name.
It must not contain your email address.
It must not contain your first name.
It must not contain your last name.
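To see how the two rule sets behave side by side, the checker below implements both the three rules I listed above and the nine quoted from the Chase job site, then runs a few made-up passwords through each. It is an added example, not code from the original post or from Chase, Apple or Citibank. The user name, email and names are constructed; "any part of your name" is read as containing the first or the last name; the dash in the Chase character set is taken to be an ordinary hyphen; and "more than 2 identical consecutive characters" is read as three or more in a row.

```python
"""Checkers for the two password policies quoted in the post: the author's
three rules and the Chase/JP Morgan job-site rules. Added example; the
identity and the sample passwords are constructed, not real accounts."""
import re

# Allowed characters quoted in the Chase rules. The dash in the quoted
# list is taken to be an ordinary hyphen-minus (assumption).
CHASE_ALLOWED = set(
    "!#$%&()*+,-./0123456789:;<=>?@"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ[]_`"
    "abcdefghijklmnopqrstuvwxyz{|}~"
)

# Tiny constructed word list standing in for "a word in the dictionary".
DICTIONARY = {"password", "summer", "sunny", "horse", "battery", "correct"}


def check_blog_rules(pw, first_name="", last_name=""):
    """Return the rules from the post's own list that pw violates.
    'Any part of your name' is read here as: contains the first or the
    last name, case-insensitively (an interpretation, not the post's)."""
    problems = []
    low = pw.lower()
    if len(pw) < 6:
        problems.append("fewer than 6 characters")
    if low in DICTIONARY:
        problems.append("is a dictionary word")
    if any(n and n.lower() in low for n in (first_name, last_name)):
        problems.append("contains part of your name")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if not re.search(r"[A-Z]", pw):
        problems.append("no capital letter")
    return problems


def check_chase_rules(pw, username="", email="", first_name="", last_name=""):
    """Return the quoted Chase/JP Morgan rules that pw violates."""
    problems = []
    if not 8 <= len(pw) <= 12:
        problems.append("not between 8 and 12 characters")
    disallowed = set(pw) - CHASE_ALLOWED
    if disallowed:
        problems.append("disallowed characters: " + "".join(sorted(disallowed)))
    if len(re.findall(r"[a-z]", pw)) < 4:
        problems.append("fewer than 4 lowercase letters")
    if len(re.findall(r"[A-Z]", pw)) < 1:
        problems.append("no capital letter")
    if len(re.findall(r"[0-9]", pw)) < 2:
        problems.append("fewer than 2 numeric characters")
    # Three identical characters in a row is "more than 2 identical consecutive".
    if re.search(r"(.)\1\1", pw):
        problems.append("more than 2 identical consecutive characters")
    low = pw.lower()
    for label, value in (("user name", username), ("email address", email),
                         ("first name", first_name), ("last name", last_name)):
        if value and value.lower() in low:
            problems.append(f"contains your {label}")
    return problems


# Constructed identity for the "must not contain ..." rules.
IDENTITY = dict(username="jdoe", email="jdoe@example.com",
                first_name="Jane", last_name="Doe")

SAMPLE_PASSWORDS = [
    "correcthorsebattery2X",  # long passphrase with a digit and a capital
    "Sunny2024!!!",           # 12 characters, ends in a run of three
    "JaneDoe2024",            # built from the user's own name
    "Pa$$w0rd1",              # leetspeak variant of a common password
]


def compare(pw, identity=IDENTITY):
    """Check one password against both policies; an empty list means accepted."""
    return {
        "blog": check_blog_rules(pw, identity["first_name"], identity["last_name"]),
        "chase": check_chase_rules(pw, **identity),
    }


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        for policy, problems in compare(pw).items():
            verdict = "accepted" if not problems else "rejected: " + "; ".join(problems)
            print(f"{pw!r:25} {policy:6} {verdict}")
```

Running it shows the point of this post in miniature: the 21-character passphrase is accepted by the three simple rules but rejected by the Chase list (too long, only one digit), and a memorable 12-character password is thrown out for a run of three exclamation marks, while the predictable "Pa$$w0rd1" sails through both policies.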

2) Here is another one from Apple iTunes.

Password rules from Apple iTunes

3) Citibank.
Citibank Password rules

If you come across any such horrid, senseless requirements mandated by the fantasies of a security nerd, please send those rules to me. I'll add them to this blog, for the sake of drumming some sense into these people who think they are creative geniuses but are, in reality, punishing their customers.
