
Why such short passwords?

Status
Not open for further replies.

MasterRacker

New member
Oct 13, 1999
3,343
US
I just had to create a "Verified by VISA" password to use my card. Their password requirements specify at least one letter and number but the password must be 6-8 characters total. WTF! This isn't the first one of these I've run into either. I never use passwords that short. What possible reason can there be for such a short password requirement?
</rant>

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me
 
I don't know why the credit card companies and banks do it. They're asking for problems IMHO.

My Bank of Montreal (Canada) password for online access to my bank can only be 6 characters (upper and lower case and/or numbers). NO symbols allowed. Given that the passwords I use are typically 11 - 14 characters (upper/lower case, numerical, AND symbols) it took me a while to figure out what password I could use.

Hope this helps.

Please help us help you. Read Tek-Tips posting policies before posting.
Canadian members check out Tek-Tips in Canada for socializing, networking, and anything non-technical.
 
I once mentioned in another thread that one of our IT employees used to work for a bank, BBT in this case. He said that a large number of the employees used either "password", "jesus" or the name, or some variant thereof such as adding a 1 to it.

You would think that banks and other financial institutions would be on the forefront of informational security, however it often seems to be the opposite. I suspect that it is because security would be an impediment to their profits; as long as the losses are small enough or not out of THEIR pockets, then security isn't worth the expense.
 
Often times, security requirements become an annoyance, especially when it comes to passwords and remembering them. I know a number of people that will use very short simple passwords with numbers in sequence since they are easily remembered upon the required password changes that occur (30-90 days depending on the place). In other words, the next password is always "Simple word + number" and on password change it becomes "number + 1". Not very secure, but the policy tends to be such an annoyance that people do it. I started in a place once using good passwords but they became so hard to remember on change (every 30 days) that I did the same thing after people suggested it when I expressed annoyance at it.

Unfortunately, a good balance hasn't been struck, especially in this Internet age when people can have 40-50 separate accounts with passwords that are supposed to be different on each one.

It is not possible for anyone to acknowledge truth when their salary depends on them not doing it.
 
Glenn, I know what you mean. I've had users doing that for years. I have no problem with that because there's not much we can do to stop that type of thing. My problem is when you aren't even given the opportunity to use a stronger password if you want to.



Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me
 
What are some examples of a strong password? I have been using easy passwords because most systems I used will only let you use 6-8 characters or numbers.
 

That should answer most all your questions about what a "weak" password is versus a "strong" password and what the difference is between the two along with examples and the concerns behind it.

It becomes even more of a concern than usual if you are securing resources like wireless networks or banking information, when you got someone that might want to do some damage.

(To that end, I tried for a bit looking for good password generator code (even the guidelines) and couldn't find any. Though I found plenty of online generators, I really didn't find anything good otherwise. I'm thinking when I get the time I kind of want to throw something together to that effect which one can bring along for doing things like securing WPA networks and the like. (Might ask more when I'm ready to try.))

It is not possible for anyone to acknowledge truth when their salary depends on them not doing it.
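
Added example, not part of any post in this thread: a Python sketch of the kind of generator mentioned above, built on the standard library's `secrets` module, together with a count of how many passwords each length rule discussed in the thread admits. The character sets assigned to each rule and all function names are assumptions made for illustration.

```python
import math
import secrets
import string
from itertools import combinations

LETTERS, DIGITS, SYMBOLS = string.ascii_letters, string.digits, string.punctuation

def compliant_count(required, length):
    """Number of strings of `length` over the union of the disjoint classes in
    `required` that contain at least one character from every class
    (inclusion-exclusion over the classes that could be missing)."""
    size = sum(len(c) for c in required)
    total = 0
    for r in range(len(required) + 1):
        for missing in combinations(required, r):
            left = size - sum(len(c) for c in missing)
            total += (-1) ** r * left ** length
    return total

def policy_bits(required, min_len, max_len):
    """log2 of the number of passwords a policy admits: the best case, reached
    only when the password is picked uniformly at random."""
    return math.log2(sum(compliant_count(required, n)
                         for n in range(min_len, max_len + 1)))

def generate(required, length):
    """Uniform random compliant password. Rejection sampling avoids the bias of
    forcing one character of each class into a fixed position."""
    if length < len(required):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(required)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in required):
            return pw

# Rules as described in the thread; the exact character sets are assumptions.
POLICIES = {
    "6-8, letter+digit required": ([LETTERS, DIGITS], 6, 8),
    "6, letters/digits, no symbols": ([LETTERS + DIGITS], 6, 6),
    "11-14, letters+digits+symbols": ([LETTERS, DIGITS, SYMBOLS], 11, 14),
}

if __name__ == "__main__":
    for name, (req, lo, hi) in POLICIES.items():
        print(f"{name}: {policy_bits(req, lo, hi):.1f} bits, e.g. {generate(req, hi)}")
```

The bit counts are upper bounds: a human-chosen "word + number" password of the same length sits far below them.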
 
On the flip side, I found that requiring a more complex password made our security even worse. Because the users couldn't or wouldn't commit a password to memory, they always wrote theirs down somewhere and usually left it in plain sight. So, I'm back to using 8 characters, and at least one must be a number and one must be upper case. Not secure, but...

Iolair MacWalter
Network Engineer
 
Iolair,
I agree. You have to balance your policies with your user base. However, it really bothers me that people design systems that can't accept a strong password from those who wish to use them.

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me
 
Yes, if you want to use it, it should be available.

Iolair MacWalter
Network Engineer
 