Monday, February 12, 2007

Complex Password More Weak?

Firstly, I'd like to point out that I am a developer, not a writer. That said, I apologize ahead of time if this reads like a high school student wrote it. I did my best.

At any rate, in this day and age, with as much as we rely on the Internet for the important day-to-day aspects of our lives, we can never be too careful with our passwords. But is there a point at which password complexity requirements can actually have an adverse effect on how secure a person's password really is? I say the answer to that question is an irrefutable "yes".

I want to point out that I am huge on personal security. Actually, I've been told that I'm obsessive, at times. Having said that, I have come up with passwords that I'm thoroughly convinced that it would take more than a trillion monkeys pounding away at a typewriter, over 100 lifetimes to crack. They're secure, but they mean something to me, so they're easy for me to remember. For the times that I need more protection, I resort to encrypting my data with a passphrase, which is even more complex. However, even though I consider the passwords that I use to be reasonably secure, I can't help but wonder what the person/people were thinking when they came up with the list of requirements for a site I was recently signing up for. Following is a list of requirements.

  1. must be at least 7 characters long
  2. cannot contain the login id (exact or partial)
  3. must contain at least one letter, one number, and one of the following special characters:
    $&#_!@%^*()-=+~\:;<,>.?/
  4. cannot contain any repeat characters
  5. cannot contain any of:
    |'`"
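To make the cost of these rules concrete, here is an added example (my own code, not from the site in question) that implements the five rules as a validator and estimates how much of the possible keyspace rules 2 and 4 throw away. Rule 2 is implemented the strict way the post describes: every character of the login ID is banned from the password.

```python
import math
import string

# Character classes copied from the policy quoted above.
SPECIALS = set(r"$&#_!@%^*()-=+~\:;<,>.?/")   # 24 characters
FORBIDDEN = set("|'`\"")                       # rule 5
LETTERS = set(string.ascii_letters)
DIGITS = set(string.digits)
ALLOWED = LETTERS | DIGITS | SPECIALS          # 86 usable characters


def check_password(password, login_id):
    """Return the list of rules the password violates (empty list = accepted)."""
    failures = []
    chars = set(password)
    if len(password) < 7:
        failures.append("rule 1: shorter than 7 characters")
    if chars & set(login_id):   # strict reading: any shared character fails
        failures.append("rule 2: shares a character with the login ID")
    if not (chars & LETTERS and chars & DIGITS and chars & SPECIALS):
        failures.append("rule 3: needs a letter, a digit and a special character")
    if len(chars) != len(password):
        failures.append("rule 4: repeats a character")
    if chars & FORBIDDEN or not chars <= ALLOWED:
        failures.append("rule 5: contains a forbidden character")
    return failures


def keyspace_bits(length, login_id, no_repeats=True):
    """Upper bound, in bits, on the number of passwords of this length the policy allows.

    Characters that appear in the login ID are removed from the alphabet (rule 2).
    With repeats banned (rule 4) the count is a permutation, A!/(A-n)!, instead of A**n.
    Rule 3's class requirement is ignored, so this slightly overestimates.
    """
    alphabet = len(ALLOWED - set(login_id))
    if no_repeats:
        if length > alphabet:
            return 0.0            # no password of that length can satisfy rule 4
        size = math.perm(alphabet, length)
    else:
        size = alphabet ** length
    return math.log2(size)


if __name__ == "__main__":
    print(check_password("Tr0ub4dor&3", "jsmith"))   # rejected: the 'r' repeats
    print(check_password("Qw3rt&yU", "bob"))         # accepted
    print(round(keyspace_bits(7, "", no_repeats=False), 1), "bits without rule 4")
    print(round(keyspace_bits(7, "jsmith"), 1), "bits under the full policy")
```

The entropy figures show that rules 2 and 4 shave off only a fraction of a bit per character; the real damage is to memorability, not to the keyspace an attacker faces.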

Two things from this list stand out. The first is that the password cannot contain any part of my login name. At first, I wasn't exactly sure how strictly this rule would be enforced, but I later came to find out that "any part of my login ID" means exactly that. Any part. For example, if my login ID contains the letter 's', my password cannot have the letter 's' anywhere in it. To make matters worse, the password also cannot repeat any characters. Yep, that means that you cannot have the same character in your password more than once.

Amazed by the complexity of the requirements, I was finally able to come up with a password that would comply; however, there was no way that I was ever going to remember it, considering the password's complexity and that it was for a site that I'll rarely visit. So, if I ever want to be able to get back into my account again, I really didn't have much choice except to either write down the password or save it in an encrypted file.

In my opinion, this is an example of people getting quite ridiculous with their password requirements. As I mentioned before, I am pretty big on personal security, which is why I opted to save my password in an encrypted file. However, for the majority of the people that I know, this password format is so complex that their passwords will end up on a Post-it note stuck under their keyboard. So much for security.

It is my hope that developers will read this post and realize that there is a point at which going overboard on password complexity has an adverse effect on what their original intentions were. This, in my opinion, was obviously an example of going extremely overboard.
