Password should not contain any special characters, symbols or spaces
When signing up for an Mvelopes Personal trial, I selected my traditional unique super secure crazy password special for this site and was told "Please enter a valid Password (Password should not contain any special characters, symbols or spaces)."
Patrick was standing with me while I tried to sign up. After we picked our jaws up off the ground he said:
"Seriously, how about a dialog box that says 'Please ensure your password is all lowercase and only contains words from the dictionary.'"
Folks, please, use strong passwords. For me, I'm going to pass on financial institutions that encourage passwords like "password" to protect my money.
About Scott
Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.
I'll be emailing their support department.
You know someone thought they were protecting themselves from SQL injection attacks.
When I tried to log back into the same site I was prompted for my password. I typed in the password that I created on the very same site. When I submitted the form I got an error that said "passwords can not start with special characters". I was screwed. I was unable to log in. Emails to tech support went unanswered. Bills to me from them went unpaid until the problem was fixed. I think it took a month - they reset my password and I had to create a new one. No special character in the first byte this time.
It's absurd that a local S&L is more concerned than a big company like Chase.
WTF?
We're sorry you're having trouble picking a password. May we suggest one of the more popular ones, like 'secret', 'god', 'sex', or 'power'?
Years ago when I first signed up for online banking (7 years maybe? maybe more?) with Bank of America, they had the following guidelines in place:
Your sign in name had to be your social security number.
Your password could be 8 characters max.
Your password could not contain special characters (letters and numbers only).
Security wasn't such a big deal back then, obviously. Of course things are much, much different now.
(Try using a £ (UK pound) in a password and see what happens if you need to log in from a PC in the USA that you do not have control over.)
I selected my traditional unique super secure crazy password special
And how do you manage to remember all those hard-to-guess über-passwords?
And it told me that I had too many characters, and that I couldn't use special characters.
*sigh*
As far as a super-secret, super-unique password that's easy to remember, I'd venture that Password Safe (or something like it) can help in that regard.
If any financial institution gave me a message like that it might be a deal breaker for me since I don't want my account stolen.
Of greater concern in my mind are those sites (and we don't know who they are) that don't even bother hashing or encrypting your passwords at all. I've seen this multiple times. I asked one guilty party about this and he told me that, "the database has a strong password." (Naturally, this strong password is stored as plain text in a configuration file). It should make you think twice about ever using the same password with multiple providers.
Another one of my pet peeves is when you've typed in your super-secret password and then the site emails it back to you unencrypted.
Password security would be a great topic for a Hanselminutes show.
-Phillip
I typed in my typical long, mixed, and complex password to have it rejected.
"Passwords must be 8 characters".
You read that right. Not LESS than 8 characters, but exactly 8 characters.
This password controls my entire life at U of C. Email, grades, registration, library check outs, logging into the wireless network, updating my immunization, opting out of their health insurance.
Anyone hoping to crack a password is saved a ton of time by knowing exactly how long the password is.
Stupid.
:)
(they should really check for such stupidity before handing out that seal)