Simple password rules…

This is a bit of a rant after a wasted evening.

Recently I attempted to create an account at an educational institution that shall remain unnamed.  (I am associated with four similar institutions and they all take different approaches to creating user accounts.)  This one I found particularly interesting when it came to creating passwords. The following are the rules for creating a password that were presented after my first unsuccessful attempt. I particularly like numbers 4 and 5.

1. Must be between 6 and 8 characters long.
2. Must not match anything in your account information (i.e. 3 consecutive characters from login name, full name…).
3. Must not have more than 3 repeated characters (for example, aaaa).
4. Must not match certain patterns (i.e. license plate number).
5. Must not fall into any of the above categories when reversed, pluralized, or truncated.
6. Must not contain the characters ‘&@#{}’.
7. Must contain at least 4 unique characters.
8. The first 6 characters must contain at least 2 alphabetic and at least 1 digit (0 – 9) or 1 special punctuation character.
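Most of these rules can be checked mechanically, and doing so makes the security-relevant point visible: whatever the composition rules demand, rule 1 caps the keyspace at 8 characters, which is what bounds the cost of an offline guessing attack. The following is an added example, not code from the post or from the institution: it implements the rules that are precisely stated (1, 2, 3, 6, 7, 8) and reports which ones a candidate password fails, and it computes the upper bound on keyspace entropy the length cap allows. Rules 4 and 5 (license-plate patterns, reversed or pluralized forms) are not specified precisely enough to implement and are deliberately left out. The alphabet size of 90 (95 printable ASCII characters minus the 5 forbidden ones) is an assumption for the entropy estimate.

```python
import math
import string

# Rule 6: characters the policy forbids.
FORBIDDEN = set("&@#{}")


def has_run_longer_than(s: str, n: int) -> bool:
    """True if any character repeats more than n times consecutively (rule 3)."""
    run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if prev == cur else 1
        if run > n:
            return True
    return False


def shares_trigram(password: str, fields) -> bool:
    """True if any 3 consecutive characters of an account field occur in the
    password, compared case-insensitively (rule 2)."""
    p = password.lower()
    for field in fields:
        f = field.lower()
        for i in range(len(f) - 2):
            if f[i:i + 3] in p:
                return True
    return False


def check_password(password: str, account_fields=()) -> list:
    """Return the list of rule numbers the password violates (empty = accepted).
    Rules 4 and 5 are not mechanically specified on the page and are not checked."""
    failed = []
    if not 6 <= len(password) <= 8:            # rule 1
        failed.append(1)
    if shares_trigram(password, account_fields):  # rule 2
        failed.append(2)
    if has_run_longer_than(password, 3):         # rule 3
        failed.append(3)
    if FORBIDDEN & set(password):                # rule 6
        failed.append(6)
    if len(set(password)) < 4:                   # rule 7
        failed.append(7)
    head = password[:6]                          # rule 8 looks only at the first 6
    alpha = sum(c.isalpha() for c in head)
    digit_or_punct = sum(c.isdigit() or c in string.punctuation for c in head)
    if alpha < 2 or digit_or_punct < 1:
        failed.append(8)
    return failed


def max_keyspace_bits(alphabet_size: int = 90, min_len: int = 6, max_len: int = 8) -> float:
    """Upper bound (in bits) on the entropy of any password the length cap allows,
    ignoring the composition rules, which can only shrink the space further.
    The default alphabet of 90 symbols is an assumption: 95 printable ASCII minus
    the 5 characters rule 6 forbids."""
    total = sum(alphabet_size ** n for n in range(min_len, max_len + 1))
    return math.log2(total)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    samples = [
        ("Tr0ub4d", ()),
        ("aaaabb1", ()),
        ("john1234", ("jsmith", "John Smith")),
        ("a&b#12345", ()),
    ]
    for pw, fields in samples:
        print(f"{pw!r}: failed rules {check_password(pw, fields)}")
    print(f"keyspace cap: about {max_keyspace_bits():.1f} bits")
```

The entropy figure is the point worth reading off: the 8-character ceiling limits every user to roughly 52 bits at best, and the composition rules subtract from that rather than add to it. Permitting longer passwords or passphrases raises the bound without adding any rule a user has to remember.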

Now is it just me, or do these sound like someone is getting carried away?  My banking password instructions are not that complex! Don’t get me wrong, I understand the need for strong passwords but this kind of thing makes me crazy.  Surely developers can find a reasonable compromise between security and usability?

Oh yes, I never did access my account; I now await a response from tech support. I wonder what the cumulative cost of these rules is to the institution in terms of support calls?
