As news of company breaches, web site hacks, and compromised accounts becomes almost a weekly occurrence, you would expect companies to be giving you the tools to keep your accounts secure. Lately I have been very frustrated to find that a lot of web sites actually prevent you from choosing a secure password. Is it too much to ask to be able to choose a password that is over 12 characters, is case sensitive, or is allowed to contain special characters? Technology continues to evolve, and password cracking techniques are only getting faster. Laziness or indifference is not an excuse. Companies need to update their systems and applications to allow increased password complexity.
My typical passwords are now between 15 – 20 characters, and contain a nice mixture of uppercase and lowercase letters, numbers, and special characters. They’re easy to remember because while they may be long, I use phrases which mean something to me. It may seem like it is annoying having to type in a longer password on your mobile phone, but I much prefer that to having to spend hours on the phone trying to recover a compromised account.
After one of the many data breaches, I began the long, arduous task of changing all of my important login passwords. Going through this process you discover that there are a lot of sites which actually prevent you from choosing a complex, secure password. If it were just a forum account, or something without much meaning, I wouldn't be too worried, but two of the sites were a major financial institution and a widely used security alarm company.
Fidelity.com was the first site. Their password standard states:
- Use 6 to 12 letters and/or numbers. Letters are case sensitive.
- Do not use one entire piece of personally identifiable information such as your Social Security number, telephone number, or date of birth. Instead, alter or disguise it (e.g., Jane212Smith)
- Do not use more than 5 instances of a single number or letter, or easily recognized sequences (e.g. 12345 or 11111)
- Do not use symbols, punctuation marks, or spaces (e.g., #, @, /, *, -, .)
Giving an example where your name is used within your password is terrible, even with a few digits from your Social Security number or area code wedged between the two halves. The 12-character maximum length and the ban on symbols were the other big issues.
The second site was Alarm.com. Their password policy simply states:
(Password can be 7-15 characters and must include at least 1 letter and 1 number)
After working out a password that would fit in 15 characters, I set it and moved on. It was only when I typed the password with caps lock on by accident that I realized it wasn't case sensitive. Great, thanks for letting me know that small detail when I was setting the password in the first place. Don't you want to install door locks which you can unlock from our website? No thank you, not until I can create a secure password!
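To put numbers on what these two policies cost, here is a small script I have added to this post (it is my own example, not code from either company) that estimates the brute-force search space for each policy quoted above and shows what silently dropping case sensitivity does to a password. It assumes the Alarm.com alphabet is letters plus digits (their policy does not say whether symbols are allowed), a 95-character printable ASCII alphabet for the mixed passwords I use, and a guess rate of 10 billion per second, which is a made-up round figure for an offline attack, not anything measured.

```python
import math
import string

# Character-class sizes used to estimate the brute-force search space.
LOWER, UPPER, DIGIT = 26, 26, 10
SYMBOL = len(string.punctuation)  # 32 printable ASCII symbols

# Assumed offline guess rate (constructed round figure, not from the post).
GUESSES_PER_SECOND = 1e10


def search_space(alphabet_size, min_len, max_len):
    """Candidates an attacker must try to exhaust every length a policy
    allows, using an alphabet of the given size."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def bits(space):
    """Search space expressed as bits of brute-force strength."""
    return math.log2(space)


def years_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Years needed to try the whole space at the assumed guess rate."""
    return space / rate / (365 * 24 * 3600)


def alphabet_for(password, case_sensitive=True):
    """Alphabet size implied by the character classes present in a
    password. With case_sensitive=False, upper and lower case collapse
    into one class, which is exactly what a case-insensitive login does."""
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    size = 0
    if case_sensitive:
        size += LOWER if has_lower else 0
        size += UPPER if has_upper else 0
    elif has_lower or has_upper:
        size += LOWER
    if any(c.isdigit() for c in password):
        size += DIGIT
    if any(c in string.punctuation for c in password):
        size += SYMBOL
    return size


def password_bits(password, case_sensitive=True):
    """Brute-force bits for one specific password of known length."""
    return len(password) * math.log2(alphabet_for(password, case_sensitive))


# The three policies discussed in the post as (alphabet size, min, max).
# Alarm.com alphabet is an assumption: letters and digits only.
POLICIES = {
    "Fidelity: 6-12 letters/digits, case sensitive": (LOWER + UPPER + DIGIT, 6, 12),
    "Alarm.com: 7-15 letters/digits, NOT case sensitive": (LOWER + DIGIT, 7, 15),
    "Mine: 15-20 chars, all printable ASCII": (LOWER + UPPER + DIGIT + SYMBOL + 1, 15, 20),
}


def compare_policies():
    """Map each policy name to its brute-force strength in bits."""
    return {name: round(bits(search_space(*p)), 1) for name, p in POLICIES.items()}


def case_folding_penalty(password):
    """Bits lost when a site compares your password case-insensitively."""
    return password_bits(password, True) - password_bits(password, False)


if __name__ == "__main__":
    for name, p in POLICIES.items():
        space = search_space(*p)
        print(f"{name}: {bits(space):.1f} bits, "
              f"{years_to_exhaust(space):,.0f} years to exhaust at 1e10/s")
    # Constructed 15-character sample in the spirit of Alarm.com's policy.
    pw = "Spr1ngT1meWalks"
    print(f"{pw}: {password_bits(pw):.1f} bits as typed, "
          f"{password_bits(pw, False):.1f} bits once case is ignored "
          f"({case_folding_penalty(pw):.1f} bits lost)")
```

The interesting result is that the penalty is per character: ignoring case throws away about 0.8 bits for every letter, so the 15-character password above loses nearly 12 bits, which means the attacker has roughly 3,500 times fewer candidates to try than the person who chose it was expecting. Fidelity's 12-character, no-symbols ceiling lands in the same neighborhood as a 15-character case-insensitive password, and both are far below what a 15 to 20 character password drawn from the full printable alphabet gives you.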
I’m planning on sending a note to both of these companies letting them know they should get with the times, and while doubtful, I’ll post any responses or updates I get from them. If you have had similar experiences with other major sites, leave a note in the comments to compile a list.