Increasingly I’m stumbling onto sites where their approach to security is to simply create longer and longer and longer lists of password rules. While I’m well versed in information security and see the need for robust passwords, these increasingly complex rule sets raise concerns for me and, to be blatantly honest, mystify me. Are there so many brute force password attacks out there that there needs to be a huge rush to force people to create increasingly complex passwords? Aren’t all these password leaks actually the result of terrible server side password security? Is this all just silly security theater?
Yesterday I could not log into one of my accounts. I later figured out the reason was twofold: one, they had a rule list that forced me to change my preferred username. Second, they have a crazy over the top set of password rules that forced me to make some weird password.
Must be 8-32 characters long
Must include at least one letter and
May have special characters or punctuation
(for example: ! # $ % + / = ? @ ~)
Must be different than your previous
Must not match your User ID
Must not include more than 2 identical characters (for example: 111 or aaa)
Must not include more than 2 consecutive characters (for example: 123 or abc)
Must not use the name of the financial institution
So no big deal, I’ll just reset the password. I tried about 20 different versions of the robust passwords I use; every single one of them bounced me back to the form with a message stating I need to follow the password rules. I have no clue which of those rules I was violating. Finally, in frustration, I used a simple non-robust password and it was accepted.
These crazy rules, as far as I can tell, are not increasing security, are treating a problem that is not really present, and are forcing people to fall back on very very bad password habits.
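A checker for the rule list quoted above, added here as an example (it is not the site's code), that names every rule a candidate password fails instead of bouncing the form with a generic message. The institution name is a placeholder, descending runs like "321" are assumed to count as consecutive, and the two rules whose text is cut off in the quote are not implemented.

```python
import re
from typing import List

# Placeholder for the institution's name (assumption, not from the post).
INSTITUTION_NAME = "examplebank"

def has_run_of_identical(pw: str, limit: int = 2) -> bool:
    """True if any character repeats more than `limit` times in a row (e.g. 'aaa')."""
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > limit:
            return True
    return False

def has_sequence(pw: str, limit: int = 2) -> bool:
    """True if more than `limit` characters step by exactly +1 or -1 in code
    point (e.g. 'abc', '123'); descending runs like '321' are assumed to count."""
    for step in (1, -1):
        run = 1
        for prev, cur in zip(pw, pw[1:]):
            run = run + 1 if ord(cur) - ord(prev) == step else 1
            if run > limit:
                return True
    return False

def check_password(pw: str, user_id: str) -> List[str]:
    """Return every rule the password violates (an empty list means accepted)."""
    violations = []
    if not 8 <= len(pw) <= 32:
        violations.append("length must be 8-32 characters")
    if not re.search(r"[A-Za-z]", pw):
        violations.append("must include at least one letter")
    if pw.lower() == user_id.lower():
        violations.append("must not match your User ID")
    if has_run_of_identical(pw):
        violations.append("more than 2 identical characters in a row")
    if has_sequence(pw):
        violations.append("more than 2 consecutive characters")
    if INSTITUTION_NAME in pw.lower():
        violations.append("must not use the name of the financial institution")
    return violations

if __name__ == "__main__":
    # Constructed samples: a long mixed password rejected for 'xyz', a weak one accepted.
    for candidate in ("Tr0ub4dor&3xyz", "password1"):
        print(candidate, "->", check_password(candidate, "jsmith") or "accepted")
```

Run against the two constructed samples it shows the effect the post describes: the longer mixed password is rejected for the sequence "xyz" while "password1" satisfies every listed rule.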
Before I launch into my actual problem with KiK I’m going to give you a brief history of issues with my email address and why I hate sites that use your email account as a login or any type of account tracker.
Ahh, the fantastic joy of getting an early beta invite to Gmail. I’m one of the cool kids who got the name he wanted and not modified in any way, no numbers filling in for letters, didn’t need to tag some numbers on the end of it… Man, this is awesome.
That is, until Gmail became ubiquitous. I’m not going to give out my actual address, but let’s just say it’s very common and popular. So we will just say my address is John.Smith@gmail.com. Cool, right? No, it’s a nightmare, and this is why. Every person with John.Smith variations at some point registers on a site and forgets to add the variation to it. So John.Smith74 forgets to add the 74 and I end up getting all his registration info. Most sites are smart; they require you to verify that you are not making a mistake and force you to reply from that email address. Many sites however do not do this, so I will end up getting John.Smith74’s crap forever until I go to the site, change the password and remove John.Smith74’s access to the site. I will also often go to register for a site or service only to find that my e-mail address has already been used. This brings you up to date.
A week ago I tried to register for KiK. Hmmm, I already have an account, maybe I signed up a long time ago or something. None of my passwords work, ok no big deal, I’ll just reset them. Go through the reset process. Get into the account and hey, look at this, some Asian guy has been using this account. Again, not going to give out the real info, but let’s just say the username he used looks like someone just hit the keyboard, so my username is basically adfskhl. No big deal, how do I change the username? Hmmm, nothing in the menus, I bet I can do it on the website. Hmm
Well surely that’s just there to discourage dopey people who want to constantly change the account name. I’m sure once I explain my situation to them they will take pity on me. I emailed support twice now and have gotten nothing.
So because of KiK’s total lack of e-mail authentication and security I now have two options. One, either use a different email address, which I really don’t want to do or feel I should be forced to. Or the second option: every single time I want to add someone on KiK I have to give them fadskhl as my username.