Password Grievances – Originally Published March 2014

September 7, 2014 Posted by Tiny

A Pain in the Whatchamacallit
By Tiny Ruisch

Dashlane, a password manager program, recently released a report assessing the password policies of the top 100 e-commerce sellers in the United States.  They examined 24 different criteria identified as important to online security.  Each company could receive a score between plus 100 and minus 100.

Interestingly, the most secure site was Apple.  In spot number five was Target.  Lately, they have had a few other “security” problems.  The bottom spot was graced by MLB (Major League Baseball).  Near the bottom, with a score of -40, was Amazon.  Do you know anyone who has purchased from them?

I’m not going to bore you with the details of which websites were good or bad.  If you’re interested, you can read Dashlane’s blog by clicking on the link.  If you would like to see the full report, click here.

One of the things the report highlighted for me was how widespread are some of the things I really hate about online passwords.  Why do these sites even let you create the passwords monkey, danger, 123456, 0000, etc.?  It just demonstrates that they don’t really care about security.

Another thing that makes no sense is having those little asterisks show when you are typing in your passwords.  It had some usefulness in the 1990s, but it doesn’t in 2014.  I have noticed that a few web sites do have a “show password” button.  Want to really test what a company thinks about password security?  Click on the “I forgot my password” button.  A lot of them will go through a lot of rigamarole.  Your password is so important to them that you have to know some silly fact like the breed of your first dog or what brand of diapers you used as a child.  They then proceed to e-mail your password in plain text.

As you may or may not know, I use a password manager.  I like to generate and use big complicated passwords like |%;,0w4>\rN@aJvrh>7;,?-:T”A8rBbyxWqmk}oh.  Unfortunately, many web sites won’t accept that password.  Many places limit the number of characters in the password, some as few as twelve.  Other sites won’t allow all of the special characters.

I think that there is such a thing as too much security.  One of the sites that I want to remain really secure is my military retirement pay.  It used to be that when you typed in your password, they required that you use an on-screen keyboard.  Copy and paste wasn’t allowed.  It was a real pain in the rear of my left foot to correctly enter the password.  To make it even worse, there was a timeout.  If you didn’t complete your entry in 15 seconds (I think it was), you had to start over.

They have since changed their password policies.  I think that all online banking sites should be as good.  The on-screen keyboard is still there but it is optional.  You are required to change your password every 60 days.  Here is a complete set of password rules:
The Password must:
be 15 to 30 characters in length
contain at least two UPPERCASE letters (A-Z)
contain at least two lowercase letters (a-z)
contain at least two numbers (0-9)
contain at least two of the following special characters: # @ $ ^ ! * + = _ %
change at least four characters from the previous password.
The PASSWORD CANNOT:
contain spaces
be one of your last 10 previous passwords
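
The rule set above can be checked mechanically.  The following is an added example, not code from the pay site or from the original column; the function names, the sample passwords, and the reading of "change at least four characters" as a position-by-position comparison (and of "at least two" as two occurrences) are assumptions.

```python
import hashlib, hmac, os, string

SPECIALS = set("#@$^!*+=_%")           # the ten characters the policy lists
MINIMUMS = {                           # rule name -> (allowed set, minimum count)
    "uppercase letters": (set(string.ascii_uppercase), 2),
    "lowercase letters": (set(string.ascii_lowercase), 2),
    "numbers": (set(string.digits), 2),
    "listed special characters": (SPECIALS, 2),
}

def history_entry(password, salt=None):
    """Store old passwords only as (salt, slow hash), never as plain text."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def changed_chars(new, current):
    """Assumption: 'changed' means positions that differ, plus extra length."""
    return sum(a != b for a, b in zip(new, current)) + abs(len(new) - len(current))

def check_password(new, current, history):
    """Return the rules the new password breaks; an empty list means accepted.
    current is the password typed on the change form; history is a list of
    history_entry() tuples, oldest first."""
    problems = []
    if not 15 <= len(new) <= 30:
        problems.append("must be 15 to 30 characters")
    for name, (allowed, minimum) in MINIMUMS.items():
        if sum(c in allowed for c in new) < minimum:
            problems.append(f"needs at least {minimum} {name}")
    if " " in new:
        problems.append("cannot contain spaces")
    if changed_chars(new, current) < 4:
        problems.append("must change at least four characters")
    for salt, digest in history[-10:]:          # only the last 10 count
        if hmac.compare_digest(history_entry(new, salt)[1], digest):
            problems.append("matches one of the last 10 passwords")
            break
    return problems

if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    current = "OldPassw0rd99#@xyz"
    history = [history_entry("Summer#Storm=2013Xy"), history_entry(current)]
    for candidate in ("monkey", "OldPassw0rd99#@xyZ", "Blue#Kettle=42Runs"):
        print(candidate, "->", check_password(candidate, current, history) or "accepted")
```

The four-character rule needs the current password only at the moment of the change, when the user types it in anyway, so the stored history can stay as salted hashes.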

That’s all of my thoughts for March.  My mind is empty again.

Thanks for reading.
