How Strong Passwords are LESS Secure
We all know how important it is to use strong passwords and not to re-use passwords on different sites. We’re told not to use real words, not to use the names of pets or family members, not to use our birthdates, anniversaries, or Social Security numbers, and not to use common passwords like “password”, “1234”, and “qwerty”. And yet some of the most popular passwords at many sites continue to be easily remembered names, dates, or words.
Some sites have instituted draconian policies to make sure you use a secure password. Ironically, while some of these are banks, others are discussion forums for hobbyists or the comment section of a news site. I can understand why my bank wants me to use a secure password, but the comment area of The Mooselick Times?
Recently I was setting up a temporary testing account with Apple and had this exchange with their password validator:
“Passwords must be at least 6 and no more than 32 characters.”
“Passwords must be at least 8 characters.”
“Passwords must contain at least one digit.”
“Passwords cannot contain more than two consecutive identical characters.”
“Passwords must contain at least one upper case letter.”
The problem with this is a) this is a temporary account for testing In-App Purchasing, and the Apple site knows that. Why all the security? And b) Since I’m never going to remember “Testing1”, I have to write it down (and write about it in my blog). Anyone who finds my password list now knows my “secure” password.
While this is no big deal for the testing account at Apple, it’s a big deal when it’s my bank account. I have a series of mixed alpha-numeric, non-dictionary-word, very secure passwords committed to memory that I use for my truly secure accounts. But if one of those doesn’t work at a site because it doesn’t meet their rules, I have to make up another, then write it down. Once it’s written down, it’s not secure.
At Laridian, I don’t think we put any restrictions on your password. Even though almost one thousand of you use “password” as your password, we’d rather have you be able to remember it than force you to make it unguessable then have to write it down.