Overly Secure?

I had to log in to an internal corporate web site a while back. Upon accessing the site, I found that I had to create a login account before I could get to the features that I needed. No problem, I foolishly thought. Thirty minutes later, I was still trying to craft a password that would be acceptable to the system.

Alas, the web site had apparently been set up with extremely stringent password requirements. Even better, the system didn't tell you about any of the requirements until you offended it by not meeting one of them (a most satisfactory user experience, by the way).

After a certain amount of experimentation (and cursing), I was able to figure out what the rules were, so here they are for your edification, amusement and horror:

The password had to have:

  • A number.
  • An uppercase character.
  • A lowercase character.
  • A special character (some sort of punctuation, like an exclamation mark).
  • Must contain at least 8 - 12 characters.

Furthermore, the password had to have:

  • No repeating characters.
  • No incremented numbers.
  • No decremented numbers.
  • No alphabetic strings, i.e. - no recognizable words.

As an exercise, try to come up with a password that meets all of these requirements ... and that you can remember without writing down. Now, imagine that you had to come up with a workable password without knowing all of the rules in advance.
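For trying the exercise, here is an added example (not code from the site described or from the original post) that checks a candidate against the rules listed above and reports every violation at once rather than one per attempt. The length range, the "adjacent characters" reading of the repeat and increment/decrement rules, and the three-letter threshold for "alphabetic strings" are assumptions, since the post gives only the rule names.

```python
import re
import string

# Assumed readings of the rules listed above; the site's real thresholds are unknown.
MIN_LEN, MAX_LEN = 8, 12   # "at least 8 - 12 characters" read as a range
MAX_LETTER_RUN = 2         # "no alphabetic strings" read as no 3+ letters in a row


def violations(password):
    """Return every rule the candidate breaks, as readable messages."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    classes = [
        ("a number", string.digits),
        ("an uppercase character", string.ascii_uppercase),
        ("a lowercase character", string.ascii_lowercase),
        ("a special character", string.punctuation),
    ]
    for label, alphabet in classes:
        if not any(ch in alphabet for ch in password):
            problems.append(f"must contain {label}")
    # The sequence rules are evaluated on adjacent character pairs (assumption).
    pairs = list(zip(password, password[1:]))
    if any(a == b for a, b in pairs):
        problems.append("no repeating characters")
    digit_steps = [int(b) - int(a) for a, b in pairs
                   if a in string.digits and b in string.digits]
    if 1 in digit_steps:
        problems.append("no incremented numbers")
    if -1 in digit_steps:
        problems.append("no decremented numbers")
    if re.search(r"[A-Za-z]{%d,}" % (MAX_LETTER_RUN + 1), password):
        problems.append("no alphabetic strings")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["Password123!", "aB3$kQ7!x", "Summer2012"]:
        print(candidate, "->", violations(candidate) or "accepted")
```
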


David Keener By dkeener on Friday, March 02, 2012 at 01:02 PM EST

Every time somebody talks about password issues, I pull this story out and whoever I'm talking to ends up as appalled as I was.
