Speaking of long passwords…
On one of the financial websites I use, the password rule is 8-12 characters and no punctuation allowed. I presume that’s to facilitate touch-tone access. But their account creation page and login page do not enforce that rule.
So of course I made a rather long password with a mess of odd characters and happily logged in. But one of their confirmation screens does enforce it, so I hit the three-tries-and-you’re-locked-out limit.
Two comments: 1) that password rule is stupid and dangerous, 2) inconsistent application of rules is a sign they have poor oversight of their code, and probably have much more serious security bugs lurking.
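The mismatch described in that comment (a rule enforced on one screen but not the others) is easy to catch mechanically if every entry point is run against the same sample passwords. The following is an added example, not code from the site or from any commenter; the three "inconsistent" checkers are constructed to reproduce the described behaviour, and the 8-12 alphanumeric rule is the only policy detail taken from the comment.

```python
import re

# The policy as the site states it: 8-12 characters, letters and digits only.
POLICY_RE = re.compile(r"[A-Za-z0-9]{8,12}")


def password_policy(pw: str) -> bool:
    """The single, shared rule every entry point should call."""
    return POLICY_RE.fullmatch(pw) is not None


# Constructed "before" picture: each page implements its own check, and only
# the confirmation screen applies the full rule (as the comment describes).
def signup_check_inconsistent(pw: str) -> bool:
    return len(pw) >= 8                     # minimum length only


def login_check_inconsistent(pw: str) -> bool:
    return len(pw) > 0                      # accepts anything non-empty


def confirm_check_inconsistent(pw: str) -> bool:
    return password_policy(pw)              # the only place the rule is enforced


INCONSISTENT_ENTRY_POINTS = {
    "signup": signup_check_inconsistent,
    "login": login_check_inconsistent,
    "confirm": confirm_check_inconsistent,
}

# "After" picture: every entry point delegates to the one policy function.
CONSISTENT_ENTRY_POINTS = {
    "signup": password_policy,
    "login": password_policy,
    "confirm": password_policy,
}


def verdicts(entry_points: dict, pw: str) -> dict:
    """Run one password through every entry point and collect each verdict."""
    return {name: check(pw) for name, check in entry_points.items()}


def find_inconsistencies(entry_points: dict, samples: list) -> list:
    """Return the sample passwords on which the entry points disagree.

    A non-empty result means a user can get a password accepted on one
    screen and rejected on another, exactly the lockout trap in the comment.
    """
    disagreeing = []
    for pw in samples:
        if len(set(verdicts(entry_points, pw).values())) > 1:
            disagreeing.append(pw)
    return disagreeing


# Constructed sample inputs: one compliant password, one too short,
# one too long, one with punctuation.
SAMPLES = ["abc12345", "abc1234", "thisIsLongerThan12Chars", "short!1x"]

if __name__ == "__main__":
    for label, eps in (("inconsistent", INCONSISTENT_ENTRY_POINTS),
                       ("consistent", CONSISTENT_ENTRY_POINTS)):
        print(label, find_inconsistencies(eps, SAMPLES))
```

The useful part is the last function: keep it in the test suite and feed it every password form handler, so a new screen that forgets to call the shared policy shows up as a failing test rather than as a locked-out customer.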
So your WordPress password would not work then.
who’s the bank?
You can fit 33 bits of entropy in 3 RFC 1751 words :). Plenty for most uses, especially if you’re using one password per site.
The problem is not having no punctuation, it’s that if you’re using dictionary words, 12 characters is not nearly enough to stop a trivial crack program.
Of course, being locked out after three tries makes using crack programs hard, so I don’t know that it’s very dangerous to have only 8-12 characters.
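The two comments above argue about entropy (33 bits in three RFC 1751 words) and about whether the three-tries lockout makes a short keyspace safe. The following is an added worked example, not code from any commenter: it computes the entropy of the password schemes mentioned and turns it into time-to-guess under two attacker models. The lockout figures, the unlock rate, and the offline hashing rate are assumptions chosen for illustration; only the 2048-word RFC 1751 list size and the site's 8-12 letters-and-digits rule come from the thread.

```python
import math

# Assumed parameters (not figures from the thread).
RFC1751_LIST_SIZE = 2048   # RFC 1751 word list: 11 bits per word
ALNUM = 26 + 26 + 10       # letters and digits only, per the site's rule
LOCKOUT_TRIES = 3          # wrong tries before the account locks
UNLOCKS_PER_DAY = 1        # assume the attacker gets one unlock per day
OFFLINE_RATE = 1e9         # assumed guesses/second against a leaked fast hash


def bits_from_word_list(list_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly from a list of `list_size`."""
    return words * math.log2(list_size)


def bits_from_random_chars(alphabet: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet` symbols."""
    return length * math.log2(alphabet)


def bits_from_length_range(alphabet: int, min_len: int, max_len: int) -> float:
    """Entropy when the length itself is unknown: the keyspace is the sum
    over every permitted length (e.g. 8..12 for the site's rule)."""
    total = sum(alphabet ** n for n in range(min_len, max_len + 1))
    return math.log2(total)


def expected_online_days(bits: float, tries: int = LOCKOUT_TRIES,
                         unlocks_per_day: int = UNLOCKS_PER_DAY) -> float:
    """Expected days to guess online when only tries*unlocks_per_day guesses
    survive the lockout each day (on average half the keyspace is searched)."""
    guesses_per_day = tries * unlocks_per_day
    return (2 ** bits / 2) / guesses_per_day


def expected_offline_seconds(bits: float, rate: float = OFFLINE_RATE) -> float:
    """Expected seconds to guess offline against a stolen hash; the lockout
    plays no part here because the attacker never talks to the site."""
    return (2 ** bits / 2) / rate


def summary(label: str, bits: float) -> dict:
    return {
        "scheme": label,
        "bits": round(bits, 1),
        "online_days": expected_online_days(bits),
        "offline_seconds": expected_offline_seconds(bits),
    }


if __name__ == "__main__":
    schemes = [
        ("3 RFC 1751 words", bits_from_word_list(RFC1751_LIST_SIZE, 3)),
        ("8 random alnum chars", bits_from_random_chars(ALNUM, 8)),
        ("12 random alnum chars", bits_from_random_chars(ALNUM, 12)),
        ("8-12 random alnum chars", bits_from_length_range(ALNUM, 8, 12)),
    ]
    for label, bits in schemes:
        print(summary(label, bits))
```

Two things the numbers make concrete: three RFC 1751 words (33 bits) take billions of days to exhaust through a three-tries lockout but only a few seconds against a leaked fast hash, and a uniformly random 8-12 character alphanumeric password is well over 70 bits. The lockout is a control on online guessing only; whether "8-12 characters" is dangerous depends on whether the hash can be stolen and how it was stored.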
Sam Vilain, Chris Nandor – good points
Joe Barneson – not a bank. I’d rather not share publicly which financial services I use.
don’t trust their security? perhaps not a good place for your money 🙂