The Misunderstood ABC123s of Password Security

Time and time again, in round-ups of the most commonly used online passwords, the same offenders routinely top the list: password, 123456, abc123, and, strangely, words like “monkey” and “shadow.” (Hint: If you think your ingenious choice of substituting one number for one letter is an unbreakable code – such as in “passw0rd” – think again.)

Despite the oft-repeated common guidelines that accompany most account login pages (make the password a minimum of eight characters containing a combination of upper- and lower-case letters, numbers, and special characters; don’t use your real name or other identifying information like your birthday or names of family members; don’t use the same password for multiple accounts; and – my personal favorite – don’t write down your password in an accessible location and label it “password”), millions of people insist on using “monkey” to check their bank accounts.

What happens when developers limit users’ ability to create an effective password?

This tendency could help to explain why some companies have decided to insist that users create stronger passwords to access personal accounts. But, as Jason Kottke discovered, a few of them have crossed into the territory of the opposite extreme and have implemented obscure requirements that actually reduce users’ ability to create an effective password. As TechRepublic’s Chad Perrin explains, if web developers “know in a vague sense something about a particular threat to security without actually understanding it, [they] might make the mistake of artificially limiting users to only very weak passwords — thus reducing effective security overall.”

On his blog, Kottke describes one site that has “the worst set of password requirements” he has ever seen. The offender? The Attorney General of Texas Child Support’s website, which includes the following instructions:

Exactly eight characters? No “sets”? No names? “This is the internet equivalent of everyone throwing their supposedly dangerous 3+ oz. liquid containers into one giant barrel where hundreds of people are queuing up for ‘security,’” Kottke says. “Makes you wonder how non-user-friendly the state’s actual child support process is.”

Other password extremists include the National Education Loan Network (no separated numbers or special characters), U.S. Citizenship and Immigration Services (no identical consecutive characters, no spaces), and a travel agent booking system called Sabre Red (no proper names and, in a holdover from the days when touch tones didn’t include the entire alphabet, no Z’s or Q’s).
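To put numbers on how much each of these rules costs, here is an added Python example (not from the original post); the policies it models are constructed approximations of the rules described above, not the sites’ exact requirements, and it counts exactly how many passwords each policy still admits.

```python
"""Count how much a restrictive password policy shrinks the space an attacker must search."""
import math

def keyspace(alphabet_size: int, min_len: int, max_len: int,
             no_adjacent_repeat: bool = False) -> int:
    """Exact number of passwords a policy admits, summed over every allowed length."""
    total = 0
    for length in range(min_len, max_len + 1):
        if no_adjacent_repeat:
            # First position is free; each later one must differ from its predecessor.
            total += alphabet_size * (alphabet_size - 1) ** (length - 1)
        else:
            total += alphabet_size ** length
    return total

def bits(count: int) -> float:
    """Search-space size expressed in bits (log2 of the admitted-password count)."""
    return math.log2(count)

# Constructed character-class sizes (printable ASCII split into classes).
UPPER, LOWER, DIGITS, SPECIALS = 26, 26, 10, 32
FULL = UPPER + LOWER + DIGITS + SPECIALS  # 94 printable ASCII characters

# Constructed policies loosely modelled on the rules named in the post (assumptions).
POLICIES = {
    "8-20 chars, any printable ASCII": dict(alphabet_size=FULL, min_len=8, max_len=20),
    "exactly 8 chars, letters and digits only": dict(alphabet_size=UPPER + LOWER + DIGITS,
                                                     min_len=8, max_len=8),
    "8-20 chars, no Z or Q in either case": dict(alphabet_size=FULL - 4, min_len=8, max_len=20),
    "8-20 chars, no identical consecutive chars": dict(alphabet_size=FULL, min_len=8, max_len=20,
                                                       no_adjacent_repeat=True),
}

def compare(policies=POLICIES, baseline="8-20 chars, any printable ASCII") -> dict:
    """Bits of search space each policy gives up relative to the baseline policy."""
    base_bits = bits(keyspace(**policies[baseline]))
    return {name: round(base_bits - bits(keyspace(**p)), 2) for name, p in policies.items()}

if __name__ == "__main__":
    for name, lost in compare().items():
        print(f"{lost:6.2f} bits lost  <- {name}")
```

The takeaway for a defender: banning two letters or adjacent repeats costs a fraction of a bit, while capping the length at exactly eight characters throws away on the order of eighty bits of search space.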

“What happens when our most ‘secure’ institutions implement lazy password policies?” asks Troy Hunt. “Unfortunately, all of this is pretty rampant practice.”

Suddenly, “abc123” doesn’t seem like such a bad combination. But I’m still not sure about the unbreakable security of “monkey.”

Have you come across a particularly bad password requirement? Let us know in the comments below, or send us a tweet.
