Speaking of long passwords…

On one of the financial websites I use, the password rule is 8-12 characters and no punctuation allowed. I presume that’s to facilitate touch-tone access. But their account creation page and login page do not enforce that rule.

So of course I made a rather long password with a mess of odd characters and happily logged in. But one of their confirmation screens does enforce it, so I hit the three-tries-and-you’re-locked-out limit.

Two comments: 1) that password rule is stupid and dangerous, 2) inconsistent application of rules is a sign they have poor oversight of their code, and probably have much more serious security bugs lurking.

6 replies on “Speaking of long passwords…”

  1. The problem is not having no punctuation, it’s that if you’re using dictionary words, 12 characters is not nearly enough to stop a trivial crack program.

    Of course, being locked out after three tries makes using crack programs hard, so I don’t know that it’s very dangerous to have only 8-12 characters.
