I came across some very laughable Web-site password requirements on some sites I’ve used recently that I wanted to share. The need for us to use strong passwords/passphrases on the Web is pretty obvious. I also believe in balancing security with reality and not going overboard.
My first example is just that: overboard. It’s AT&T Wireless. Check out their ridiculous password requirements:
Your password is case-sensitive and must:
– Be six to twenty characters in length.
– Not use characters other than letters and numbers (e.g. *, &, #, “, etc.).
– Not match your first or last name, or the combination of some or all of your first and last name.
– Not use your date of birth in any combination (e.g. MMDDYYYY)
– Not include the first four to eight digits of your wireless number.
– Not match part or all of your account number.
– Not match your MediaNet User ID
– Not be an e-mail address.
– Not have repeating characters longer than two (e.g. aaa).
– Not have ascending characters longer than three (e.g. abcd).
The irony of it all is that you can’t use special characters like *, &, and #? These characters can make our accounts more secure – why can’t we use them!?
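To make the list above concrete, here is an added Python example (not from AT&T or from this post) that encodes those rules as a checker and then quantifies the point about special characters: dropping symbols shrinks the alphabet from the 95 printable ASCII characters to 62 letters and digits, which costs roughly 12 bits of keyspace on a 20-character password. The `AccountContext` fields, the set of date-of-birth orderings, and the reading of "part or all" as a substring match are my assumptions; the account data in the demo is constructed.

```python
import math
import re
from dataclasses import dataclass
from typing import List


@dataclass
class AccountContext:
    """Account data the rules compare against. Field names are assumed, not AT&T's."""
    first_name: str = ""
    last_name: str = ""
    date_of_birth: str = ""    # ISO form YYYY-MM-DD
    wireless_number: str = ""  # digits only
    account_number: str = ""
    user_id: str = ""


def _dob_variants(dob: str) -> List[str]:
    """Digit strings a date of birth is likely to be typed as (assumed set of orderings)."""
    if not dob:
        return []
    y, m, d = dob.split("-")
    return [m + d + y, m + d + y[2:], d + m + y, d + m + y[2:], y + m + d, m + d, d + m, y]


def _longest_run(pw: str, step: int) -> int:
    """Longest stretch in which each character is `step` code points after the previous one.
    step 0 finds repeats such as 'aaa'; step 1 finds ascending runs such as 'abcd'."""
    best = run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if ord(b) - ord(a) == step else 1
        best = max(best, run)
    return best


def check_att_rules(password: str, ctx: AccountContext) -> List[str]:
    """Return the list of rules the password breaks; an empty list means it is accepted."""
    low = password.lower()
    digits = "".join(ch for ch in password if ch.isdigit())
    violations = []
    if not 6 <= len(password) <= 20:
        violations.append("length must be 6 to 20 characters")
    if not re.fullmatch(r"[A-Za-z0-9]+", password):
        violations.append("letters and numbers only")
    names = [n.lower() for n in (ctx.first_name, ctx.last_name) if n]
    if any(n in low for n in names):
        violations.append("contains first or last name")
    if any(v in digits for v in _dob_variants(ctx.date_of_birth)):
        violations.append("contains date of birth")
    # "first four to eight digits": if the first four are present, the rule is broken
    if ctx.wireless_number and ctx.wireless_number[:4] in digits:
        violations.append("contains leading digits of wireless number")
    acct = ctx.account_number.lower()
    if acct and (acct in low or low in acct):
        violations.append("matches part or all of account number")
    if ctx.user_id and low == ctx.user_id.lower():
        violations.append("matches user ID")
    if "@" in password:
        violations.append("looks like an e-mail address")
    if _longest_run(password, 0) > 2:
        violations.append("more than two repeating characters")
    if _longest_run(password, 1) > 3:
        violations.append("more than three ascending characters")
    return violations


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of keyspace for `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample account; none of these values are real.
    sample = AccountContext(first_name="Kevin", last_name="Beaver", date_of_birth="1970-05-17",
                            wireless_number="4045551212", account_number="987654321",
                            user_id="kbeaver")
    for pw in ("Tr0ub4dor", "aaa123", "Beaver2024", "abcd5678", "0517x1970"):
        print(f"{pw:12} -> {check_att_rules(pw, sample) or 'accepted'}")
    # Banning symbols shrinks the alphabet from 95 printable ASCII characters to 62.
    print(f"20 chars, letters+digits: {keyspace_bits(20, 62):.1f} bits; "
          f"with symbols: {keyspace_bits(20, 95):.1f} bits")
```

The checker returns every rule a candidate breaks rather than stopping at the first one, which is what a sign-up form needs in order to tell the user what to fix; the keyspace figures show that the alphanumeric-only rule gives up more strength than the repeat and ascending-run rules add back.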
I wonder how much AT&T Wireless spends each year responding to password-reset inquiries? They’ve gotten quite a few from me just trying to come up with a “secure” passphrase that doesn’t include special characters. Maybe at least that cost balances out the ridiculous amount of money you know they’re getting via their verbal diarrhea prompts that use up your minutes when you’re leaving and checking cell phone voicemails.
The next one made me laugh out loud. Apparently 123signup.com has a policy against secure passwords as well:
So, folks, getting back to what I often say about Web application security (and security in general). Unless and until we fix these basic security problems why bother going down the road of encryption, fancy input filtering, IPS, and so on?