ScottCate.com

Short Passwords

Just a quick rant, and maybe this will affect someone's decision today when designing around a password. This site limits my password to between 6 and 10 characters, with no spaces and no special characters. It is a Yahoo! / Overture site used for Search Marketing, where I've given them my credit card information. You'd think Yahoo would know better. Then I thought, maybe they don't, and maybe others don't either.

After reading advice from G Andrew Duthie last year, I'm now in the habit of using pass phrases. These tend to be 20-30 characters in length, very hard to guess or brute-force, and very easy to remember. Pass phrases are GREAT! Everyone should use them.

Sites designed with limited password lengths are simply bad security design. Please allow for long passwords in your database design. If you store a salted hash of the password rather than the password itself, the stored value is the same size whether the password is 6 characters or 60, so a short cap in the schema buys you nothing and costs your users the option of a pass phrase.

Comments

AndrewSeven said:

I once had a client ask for their site to require strong passwords.

Cool, I thought. I built a module that checked. Passwords had to be strong, including not being the same as your name or email, not your name plus a number, not too short, no sequences of letters like abcde or qwerty or 12345.

The client (our contact there, the marketing guy) tested, but he was unable to successfully create a password. Yes, he had instructions, he might have even been the one who dictated what "strong" meant :P

In the end I had to flip the "AllowWeakPasswords" switch to on and only stop people from using their name/email as passwords.


# May 5, 2005 2:26 PM
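As an added example (not code from this post, and not AndrewSeven's module), here is the kind of check the comment above describes, in Python: a minimum length with no maximum, rejection of passwords equal to the user's name or e-mail (or either of those plus a number), rejection of alphabet and keyboard runs like abcde, qwerty and 12345, and an allow_weak switch standing in for the "AllowWeakPasswords" flag. The store_password function makes the post's point about length caps: a salted PBKDF2 record is the same size for a 6-character password and a 30-character pass phrase, so there is no storage reason to limit length. The 12-character minimum, the 5-character run length and the PBKDF2 parameters are my assumptions, not anything the page states.

```python
"""Password policy check with a minimum length, no maximum, and a fixed-size stored hash.

Added example, not code from the post or from AndrewSeven's module. The
12-character minimum, the 5-character run length and the PBKDF2 parameters
are assumptions chosen for illustration.
"""
import hashlib
import os
import re
import string
from typing import List, Optional

MIN_LENGTH = 12    # assumed floor: long enough to push people toward pass phrases
SEQUENCE_RUN = 5   # runs this long taken from a known sequence (abcde, qwert, 12345) are rejected

# Sequences to scan for, forwards and backwards: alphabet, digits, keyboard rows.
_SEQUENCE_SOURCES = (
    string.ascii_lowercase,
    string.digits,
    "qwertyuiop",
    "asdfghjkl",
    "zxcvbnm",
)


def has_sequence(password: str, run: int = SEQUENCE_RUN) -> bool:
    """True if some window of `run` consecutive characters is a slice of a known sequence."""
    p = password.lower()
    for src in _SEQUENCE_SOURCES:
        for seq in (src, src[::-1]):
            for i in range(len(p) - run + 1):
                if p[i:i + run] in seq:
                    return True
    return False


def check_password(password: str, name: str, email: str, allow_weak: bool = False) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted.

    allow_weak=True keeps only the name/e-mail rules, the way the comment
    describes the "AllowWeakPasswords" fallback. There is deliberately no
    upper bound on length anywhere in this function.
    """
    problems: List[str] = []
    p = password.lower()
    name_l = name.strip().lower()
    email_l = email.strip().lower()
    local_part = email_l.split("@")[0]

    # Identity-derived passwords are rejected even in weak mode.
    seen = set()
    for label, ident in (("name", name_l), ("email", email_l), ("email local part", local_part)):
        if not ident or ident in seen:
            continue
        seen.add(ident)
        if p == ident:
            problems.append(f"password is the same as your {label}")
        elif re.fullmatch(re.escape(ident) + r"\d+", p):
            problems.append(f"password is your {label} plus a number")

    if allow_weak:
        return problems

    if len(password) < MIN_LENGTH:
        problems.append(f"password is too short (minimum {MIN_LENGTH} characters)")
    if has_sequence(password):
        problems.append("password contains a keyboard or alphabet sequence such as abcde, qwerty or 12345")
    return problems


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 record: same size for a 6-character password or a 30-character pass phrase."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


if __name__ == "__main__":
    # Constructed sample inputs for a user named Bob with address bob@example.com.
    for pw in ("kitty1", "bob123", "qwertyuiop12", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, 'Bob', 'bob@example.com') or 'OK'}")
    print(len(store_password("kitty1")), len(store_password("correct horse battery staple")))
```

The sequence scan is the part that bites real users: a 12-character window over "qwertyuiop12" is rejected while "correct horse battery staple" sails through, which is the behaviour you want if the goal is to steer people toward pass phrases rather than toward "Kitty2005!". Keep the identity checks on even when the weak-password switch is flipped, as the comment describes; those two rules cost the marketing guy nothing and stop the most common guess.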

Scott Cate said:

If people want to store weak passwords, then I'm cool with that. I understand that (for usability) people like to use their kitty's name as a password.

But I don't see a reason to limit my password length to 10.

That makes no sense to me.
# May 5, 2005 2:39 PM

Alex Papadimoulis said:

I love the sites that let you only have a five digit numeric pin. If you're going to do that, at least make it four so I can make it like my bank code!

And holy sweet screen capture! What program did you use for that?
# May 5, 2005 2:52 PM

Scott Cate said:

For a dictionary attack, that seems about the easiest one. Might as well display the plain text password for everyone. Oh wait! That wouldn't be secure.
# May 5, 2005 2:56 PM

Adam said:

The last time I used a passphrase on my router at home I had forgotten it within about 35 seconds. Short attention spans aren't good for passphrases.
# May 5, 2005 3:02 PM

Chris Slatt said:

My BANK of all places only allows a 12 character password. If they weren't so great about everything else, I'd leave. I definitely let them know how I felt about it though.
# May 5, 2005 6:02 PM