
Please Note: I am not going to name the websites which have these horrible standards for their clients and users.


I have had to change my passwords for my routine update just recently, in the last few months, and several of the major services that I use force weaker password standards. These weaker standards, which all of my passwords have to meet, are about special symbols (!@#$%^&*) and other special requirements.

A few of the major issues that came up with my password under their password standards are as follows:

  • Must not start with a number
  • Must not have a special character
  • Must be a max of 8 to 12 characters long (depending on the service)

Why would they promote weaker passwords with these requirements?

I thought that passwords were supposed to (currently) be as long as we want, have special characters, and who cares if it starts with a number, etc., etc., etc.


Update 1

I may have forgotten details of what is going on, but I can provide some more information on the issues that I am seeing here.

One of these services is my banking company and the other is my cellphone service provider. I am stuck with these two services given where I live. These services are widely used, so they should be able to afford high-quality security.

D.W.
Traven

3 Answers


If you use the same password for several distinct sites, then you are doing something wrong. Each password shall be site-specific. Therefore, there shall be no reason why the "weaker standards" would have any impact on "all your passwords".

(Similarly, there is no rational reason for changing all your passwords on a regular basis. There is a widespread custom of frequent password renewal, but it is a "common practice", certainly not a "best practice".)


If you have site-specific passwords, then poorly designed requirements will impact that site only. Ultimately, each site maintains its own security, and their "password requirements" are part of it. If a site enforces a maximum password size of 8 characters, then this means that:

  • The site owner does not have a good grasp of security.
  • The site is most probably weak in many ways; the weird password requirements are, usually, only the tip of the iceberg.

Thus, concentrating on the password misses the point. That site's security stinks and you can do nothing about it, except isolating the troublesome site, which is done by not reusing passwords.

Tom Leek

Explanations for weak password rules

Well, those are obviously bad rules. But here are some possible explanations (or "explanations") for it:

Must not start with a number

The site owner might actually think that this is a good rule, to prevent, for example, 1234546 or just prepending a common phrase with '1' (e.g. 1password).

Must not have a special character

The owner might be afraid that their system (form, encryption algorithm, ...) cannot handle special characters or that these are a security risk.

Must be a max of 8 to 12 characters long (depending on the service)

Some encryption algorithms truncate the password after 8 characters. This does not mean that a password cannot be longer, but the owner might think this. They might also be afraid that a user enters a ridiculously long password, which they might fear could break their system.

Again, these are not good reasons, but reasons someone might have.

Regarding your Update: Why not change these rules?

Also, these two services that I am stuck with rule my area and where I live.

and:

With all of that money, resources, and some of the IT employees in the industry, they should be up on standards

It does not sound as if they have much of an incentive to change. Losing customers seems unlikely if it is an important service that only two companies supply. Depending on the country, it's probably safe to wait for a lawsuit (which might not even come) and (in case it is even won) pay some small-ish amount of money.

And changing a big system is not as easy as it sounds. If it is an old system (which it very well might be), it could be possible that it actually cannot handle special characters (especially not all UTF-8 characters). Why change it when it works right now? (That is what they are probably thinking, if this is even a problem they are aware of.)

tim
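An added example, not part of any answer above, contrasting the 8-character truncation tim mentions with a modern password KDF. `legacy_hash` is a constructed model of a scheme that only consumes the first 8 bytes (not a real crypt(3) implementation), and the salt and sample passwords are constructed for the demo.

```python
import hashlib
import hmac

SALT = b"constructed-demo-salt"  # constructed; real systems use a random per-user salt


def legacy_hash(password: str, salt: bytes = SALT) -> bytes:
    """Constructed model of a legacy scheme that hashes only the first
    8 bytes of the password. Not crypt(3); it just shows the effect."""
    truncated = password.encode("utf-8")[:8]
    return hashlib.sha256(salt + truncated).digest()


def modern_hash(password: str, salt: bytes = SALT, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 from the standard library: the whole UTF-8
    password is consumed, so a length cap or a ban on special
    characters buys the site nothing technically."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def collides(hash_fn, a: str, b: str) -> bool:
    """True when two different passwords produce the same stored hash."""
    return a != b and hmac.compare_digest(hash_fn(a), hash_fn(b))


def verify(hash_fn, stored: bytes, attempt: str) -> bool:
    """Constant-time comparison of a login attempt against a stored hash."""
    return hmac.compare_digest(stored, hash_fn(attempt))


if __name__ == "__main__":
    # Under the truncating scheme everything after byte 8 is ignored, so
    # "password1" and "password2" are interchangeable at login.
    print("legacy collision:", collides(legacy_hash, "password1", "password2"))
    print("modern collision:", collides(modern_hash, "password1", "password2"))
    # Special, non-ASCII and long input are just bytes to PBKDF2.
    long_pw = "correct horse battery staple !@#$ pässwörd"
    stored = modern_hash(long_pw)
    print("long passphrase verifies:", verify(modern_hash, stored, long_pw))
    print("8-char prefix rejected:", not verify(modern_hash, stored, long_pw[:8]))
```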

One reason for enforcing weaker passwords is that a weaker password is easier to remember for the user. When the user forgets their password, an automatic password retrieval procedure must be used. Such a procedure usually entails that a plaintext password is sent to an email account. This offers a lot of attack surface which is outside of the control of the website. The less often users forget their passwords, the less often do they need to initiate this procedure.

On the other hand, the attack scenarios where password strength matters, like brute-forcing their login form or stealing their database, are in their control. They can take measures to prevent these.

When people need to choose between the risk they can control and the risk they can't, they tend to pick the first.

Philipp
  • Of course, another way of looking at it is like this: I have an (IMO) 'Strong' password strategy, which I use to create a unique password for each site, and which I can easily remember. For those sites which force me to not use special characters, etc. I cannot remember my password and simply have to reset it every time I log in, which means emails and that attack surface again. – SiHa Apr 20 '16 at 11:34