05 May 2012

a little credential standardization, please

just a small rant about sites, especially financial ones, enforcing silly rules for usernames and passwords that vary wildly from one site to the next.

some require special characters in passwords, some can't handle them! is my letters and numbers-only password really secure enough to protect my money?

i had a standard 6-character username, which in the past couple years became insufficient for banks. several financial sites required 8-character usernames.

great, now i have to remember which sites are the username exceptions, along with whatever peculiarities the password rules may have.

this week, i made logins for two more sites where i have some investments. one required a 10-character username, but couldn't handle special characters in the password. what security purpose is served with unwieldy usernames? and what kinds of backends do these sites have that the policy is to exclude special chars? injection-prone php servers? doesn't inspire a lot of confidence.


JustJoeP said...

special characters and capitalization annoy me in security logins.

pyker said...

Maybe the username dev team and the password dev team don't talk to each other. That is nutty.

I think that frequent password changes and other shenanigans are making things less secure, by making it more likely that people have to write things down to remember them.

I use SplashID to hold my passwords, but it is a bit pants.

pyker said...

I just tried to register for some forums -- not a shopping site, no credit cards or personal information.

First attempt: "error: password must be at least 8 characters in length"

Second attempt: "error: password must contain upper case characters, lower case characters, and digits"

Third attempt: worked!

And then? This security-conscious forum software emailed me my username and password in plaintext. Thanks.

zim said...

i do have appreciation for a site that informs me beforehand what it expects in a password field. this "guessing at requirements" thing is just silly.

as is plaintext, obviously.