Increasingly I’m stumbling onto sites where their approach to security is to simply create longer and longer and longer lists of password rules. While I’m well versed in information security and see the need for robust passwords these increasingly complex rule sets raise concerns for me and to be blatantly honest mystify me. Are there so many brute force password attacks out there that there needs to be a huge rush to force people to create increasingly complex passwords? Aren’t all these password leaks actually the result of terrible server side password security? Is this all just silly security theater?
Yesterday I could not log into one of my accounts. I later figured out the reason was twofold, one they had a rule list that forced me to change my preferred username. Second they have a crazy over the top set of password rules that forced me to make some weird password.
Must be 8-32 characters long
Must include at least one letter and
May have special characters or punctuation
(for example: ! # $ % + / = ? @ ~)
Must be different than your previous
Must not match your User ID
Must not include more than 2 identical characters (for example: 111 or aaa)
Must not include more than 2 consecutive characters (for example: 123 or abc)
Must not use the name of the financial institution
So no big deal I’ll just reset the password. I tired about 20 different versions of the robust passwords I use, every single one of the bounced me back to the form with message stating I need to follow the password rules. I have no clue which of those rules I was violating. Finally in frustration I used a simply non-robust password and it was accepted.
These crazy rules as far I can tell are not increasing security, are treating a problem that is not really present, and are forcing people to fall back on very very bad password habits.