Kevin Beaver's Security Blog

Another ridiculous way of handling Web passwords

I use iContact’s marketing service. It’s an overall great app and reputable company but they’ve now made my list of ridiculous password requirements. I was logging in to their site today using what I consider to be a strong password and got this message:

As part of our latest application security upgrade, iContact has strengthened the criteria for account passwords. To access your account, you must first reset your password.

So I have to reset my otherwise secure password…and the darndest thing is that it wouldn’t let me re-use my old one…so what do I do? Well, I’ve never been a big fan of forced password changes. In the interest of keeping my passwords uniform so I can keep up with everything I set my password to something LESS secure than it was before.

Instead of forcing everyone to change their passwords perhaps the folks at iContact could’ve determined users who currently have weak passwords and been more targeted in their approach. Or they could’ve permitted me to re-use my previous password and run a complexity check against it and, if it passes, let me keep it. But no, just make everyone change their passwords…that’ll do the trick.

Sure, this is a private company making their own policies. I’m all for that. The reality is people not thinking things through regarding security often end up getting in the way of it.

iContact, I love you…but golly.