Stupid Password Rules
I covered passwords in enough detail in this post. You’d think most companies would have got the message by now and the only companies with stupid password rules would be those with legacy sites. You’d think.
Today T-Mobile introduced their new stupid password rules:
- Must be at least 8 characters long
- Must contain both letters and numbers
- Must contain both uppercase and lowercase letters
- Cannot contain spaces or special characters (!, @, $, %, \’)
The only rule that should be there is rule #1. I don’t have a problem with rule #2 either because it at least sets the mood for the user to use a more random password. Rule #3 is getting pushy. Rule #4 is asinine. To regurgitate what is wrong with this, a user may have a pattern that they already use for strong passwords that violates one of these rules but that is reasonably strong anyway. By creating rules that prevent the user from using their pattern, they end up using weaker passwords that are easier to remember, or they write their password down somewhere.
As an example, perhaps someone uses egu45er6 as their password and have some way of remembering this. Or maybe they use %0gU%%%%%%%%%. T-Mobile says these are illegal. The user might then substitute Ab000000 because it is easier to remember. The strongest password here is illegal, and the one the user ended up using is arguably the most vulnerable.
Chase is even worse then T-Mobile, but I don’t rank them as badly because they presumably created their rules long enough ago that they couldn’t have known better (sarcasm). Chase allows you to choose your own userid, but it is dumbfounding that they require you to include at least one number and one letter in your userid. I can’t tell you how many times I’ve had to do a password reset at Chase because I’d forgotten that my userid included a number at the end of it, unlike the userid that I use at virtually every other site.
Chase User ID Rules:
- Must be 8-32 characters long
- Must include at least one letter and one number
- Cannot be the same as your Password
- Cannot include special characters (&, %, *, etc.)
Chase Password Rules:
- Must contain 7-32 characters
- Must include at least one number and one letter
- Cannot include special characters (&, %, *, etc.)
- Cannot be the same as your User ID
- Cannot be the same as any of the last five Passwords you’ve used
As for Chase’s password rules, again rule #3 is stupid, but rule #5 is equally stupid. Rule #5 is easy to hit if you’ve had trouble remembering your password and you’ve had to reset it a few times (for example if the userid has a stupid rule that requires you include at least one letter and one number). It virtually guarantees that the password you use will be one that cannot be easily remembered. Unless. Unless you’ve developed an easy to remember password pattern at sites that use both rule #3 and #5. Maybe Ab000000, Ab111111, Ab222222?
I must pay Chase a compliment for the intelligent mechanism they have implemented for restoring your online access once you’ve lost it. This includes both email and phone options for sending you an activation code as well as the ability to find your online account by credit card account number.
I’m going to applaud Aetna here. Once upon a time they followed Chase’s password rules, but now all they require is that the password be at least 8 characters and include one number and one letter. This is a reasonable requirement. Thank you Aetna for making my access more secure!
For added fun, here are the rules when you register for the RSA Security Conference.
Passwords must be at least 9 characters in length and contain at least one lowercase letter, one uppercase letter, one number, one of the following special characters: ! # % * : ; , . ? / and not be a common dictionary word.
This does make for a strong password, but is overkill for a site of this importance. It is possible for you to have a strong password pattern that doesn’t follow RSA’s rules. I do because, oddly, common special characters such as = - + & ^ are not accepted. This again means the pattern for your easy to remember, strong password may be illegal. It is also telling that the rules contradict the stupid rules from T-Mobile and Chase.
Stupid password rules are bad enough in themselves, but what is worse is that they differ across sites and even contradict each other. This is again a problem because it makes it difficult for users to establish password patterns that are strong and easy to remember.
As I described in this post one such pattern is to pad passwords with special characters, for example to create the 12-character password uJk32+++++++. This password is very strong but would be illegal on T-Mobile, Chase or the RSA Conference site.
The only real solution for users facing so many passwords with different rule sets is for them to write their passwords down, or use browsers and browser extensions to remember passwords. If you access sites from multiple devices this means you need a solution that stores your passwords in a secured wallet in the cloud. I’m using LastPass which is free on the desktop, but costs extra if you want to use it on Android or iPhone. Touch screen devices don’t make passwords any easier because it is more difficult to enter capital letters and special characters.