by crasp 3704 days ago
Pretty neat for the older generation, until you run into one of these sites that insist that they know how to properly do password security and require you to have at least 1 number, at least a 'special character' (of which the definition is often very vaguely described); it should consist of at least 8 characters and also be no longer than 12.

You will soon come to the conclusion that it is still easier to teach people to use a password manager for this, because these schemes are nice but only get you this far before you have to revert to remembering that single password again.

I don't understand how that wouldn't work within the system described in the blog post. Couldn't you just write down `anger lunar @1` and follow your personal secret munging rule, so it becomes `ngeraunarl@1` (or whatever)?
The problem is that if you stumble upon three of these different requirement sites that break with your Two Step Authentication process as described in the article, you're going to forget about this rule.
I don't see why you couldn't modify the concept to always include numbers and special characters.

For example, your "password" could be a combination of words, numbers, and characters, while the "thing you know" is something like capitalizing the even or odd first character corresponding with the even or odd number corresponding to the first letter of the site or company, and combining that with the even or odd sequenced number and character in their sequential location in the password, or at the end or beginning of the entered password.

I'm sure I could describe that more clearly if I tried.

Then you run into the problem of idiotic sites not allowing special characters, or numbers, or even uppercase (I am looking at you, rvtrader.com...)

The second main reason passwords suck (after the fact that users tend to choose weak passwords) is that developers implement all sorts of contradictory password rules.

No, because standard UX only gives you the arbitrary rules at creation time vs login time, so when logging in you don't know which rules you had to comply with.

Can't wait till we check min entropy and otherwise don't care.
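As an added illustration of the "check min entropy and otherwise don't care" idea (example code, not from the thread), the crude estimator below credits a common word plus the usual munging only with that pattern's guess space, while a strict composition policy waves such a password through; COMMON_WORDS is a constructed stand-in for a breached-password list:

```python
import math
import re

# Added example (not from the thread): a "check minimum entropy and
# otherwise don't care" policy beside a typical composition-rule policy.
# The estimator is deliberately crude: a common word plus the usual
# munging (capital first letter, leet digits, short digit/symbol suffix)
# is credited only with the guess space of that pattern; anything else
# gets the charset-times-length estimate. COMMON_WORDS is a constructed
# stand-in for a real breached-password list.

COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey",
                "dragon", "football", "iloveyou", "sunshine", "princess"}
LEET = str.maketrans("0143$@!", "oiaesai")
SUFFIX = r"([0-9!@#$%^&*._-]{0,4})"

def estimate_bits(pw: str) -> float:
    """Rough guess-space estimate of a password in bits."""
    if not pw:
        return 0.0
    base, suffix = re.fullmatch(r"(.+?)" + SUFFIX, pw).groups()
    if base.lower().translate(LEET) in COMMON_WORDS:
        # word choice, ~2 bits of case/leet variation, then each suffix
        # character is one of 10 digits or ~16 popular symbols
        return (math.log2(len(COMMON_WORDS)) + 2
                + sum(math.log2(10 if c.isdigit() else 16) for c in suffix))
    pool = 0
    if any(c.islower() for c in pw): pool += 26
    if any(c.isupper() for c in pw): pool += 26
    if any(c.isdigit() for c in pw): pool += 10
    if any(not c.isalnum() for c in pw): pool += 33
    return len(pw) * math.log2(pool)

def passes_composition_rules(pw: str) -> bool:
    """The kind of rule set complained about above: 8-12 characters, one
    digit, one special character."""
    return (8 <= len(pw) <= 12 and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))

def passes_min_entropy(pw: str, min_bits: float = 40.0) -> bool:
    """Entropy-only policy: no charset demands and no maximum length."""
    return estimate_bits(pw) >= min_bits
```

"Passw0rd1!" satisfies the composition rules but not the entropy floor; a three-word passphrase fails the composition rules (too long, no digit) yet clears the floor easily.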

e.g. brother-usa.com and nytimes.com have password restrictions such as this. Further, nytimes.com doesn't allow a '+' in an email address.
And Schwab. The password restrictions on Schwab are a complete and utter disgrace to best practices in security.
FWIW, they lifted some of the restrictions in Aug 2015:

http://www.schwab.com/public/schwab/client_home/password_for...

Between now allowing very long passwords, the free 2 factor token (hardware symantec vip, not SMS based), and being able to lock your accounts with a voice password/passphrase that you must give the rep to discuss your account on the phone (so then just SSN/mother's maiden name/birthdate isn't enough), I think they've pulled quite far ahead lately. It's better than any of the other banks I've used.

[Note: voice password is not their voice fingerprint silliness their reps will think you are asking about at first]

Oh that's awesome, I didn't know they'd improved. Good on them!
Can't agree with this strongly enough.

At Schwab I'm using 31 characters randomly generated by LastPass for a login name but they limit things to 8 characters for a password.

Absolutely crazy. Even if they are not having problems, why should customers like us have to worry about it?

Fidelity as well
Why no longer than 12 ?
That is a valid question to ask authors of systems that do not allow passwords longer than 12 characters (or 8, which is another popular upper limit, which can have some vaguely meaningful technical reason for legacy systems).
Or 10, which is the maximum password length my bank requires in order to log in to my bank account.

Oh, but they have a 4-digit pin, too! That makes it oh so much more secure.

My old bank required an exactly 5 character password.

They had two factor authentication though, with a phone call or SMS. What happened if you forgot your password? Well you had to reset it, using only phone call/SMS, of course!

Banks are more willing to eat the fraud costs involved with real-world compromised PIN codes than to deal with the customer support for forgetful users.
Our HR management system at work, which manages all payslips and tax returns, only allows passwords between 8 and 9 characters; they have to start with a letter, they have to contain one of the following: "@", "_", "-", "$", but no other special characters are allowed. It has to contain one number.

It's the most bizarre password requirement I have ever seen and I am pretty sure it's not secure. Have I mentioned it only works in IE and uses ActiveX controls?

only allows passwords between 8 and 9 characters

Inclusive, I hope.

Often that is the size of the DB column and the password is stored in plaintext (or was and the size restriction remained).
This is usually the case but there are frequently short length restrictions even when it's hashed. Sometimes only on the client side too, so you can just remove the attribute from the input.
As I understand it, those restrictions are typically due to having an interface with some legacy system where those restrictions can't be removed.
Because a lot of companies have no technical expertise at all.

American Express used to enforce insane limits on passwords back in 2010[0]: 6-8 characters for passwords, no special characters, and it had to have 1 letter and 1 number, and it wasn't case sensitive. Unfortunately _I_ had an Amex card.

That page I linked to also has a reply from Amex support who shows little knowledge about the difference between passwords and website encryption.

They eventually started expanding that limit from 6-8 characters to 8-20 characters around 2012? 2013?

[0] http://securitywatch.pcmag.com/e-commerce/284119-amex-passwo...

What irritates me is sites that refuse to allow special characters. Looking at you CableVision.
You could use a hash-based password generator and write the input seed, plus the constraints for the password. Or keep the password verbatim, it's not like the site is really secure anyway.
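A worked version of the hash-based generator suggested above, added here rather than taken from the thread; the derivation scheme, the site label format and the fixed PBKDF2 salt label are all assumptions of this example:

```python
import hashlib
import hmac
import string

# Added example (not from the thread): derive a per-site password from a
# master secret plus the site's published rules (maximum length, allowed
# specials), so only the seed and the constraints need writing down.

def _keystream(key, site):
    """Unbounded byte stream: HMAC-SHA256(key, site || counter)."""
    counter = 0
    while True:
        yield from hmac.new(key, f"{site}\x00{counter}".encode(), "sha256").digest()
        counter += 1

def _uniform(stream, n):
    """Uniform integer in [0, n) by rejection sampling (n <= 256)."""
    limit = 256 - (256 % n)
    while True:
        b = next(stream)
        if b < limit:
            return b % n

def derive_site_password(master_secret, site, max_len, specials="@_-$"):
    """Deterministic password of exactly max_len characters holding at least
    one lowercase, one uppercase, one digit and, if specials is non-empty,
    one allowed special; the required characters land at random positions."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if specials:
        classes.append(specials)
    if not len(classes) <= max_len <= 256:
        raise ValueError("max_len outside what this scheme supports")
    # Stretch the master secret once; per-site separation comes from the
    # HMAC message, so the PBKDF2 salt is just a fixed scheme label.
    key = hashlib.pbkdf2_hmac("sha256", master_secret.encode(), b"site-pw-v1", 200_000)
    stream = _keystream(key, site)
    alphabet = "".join(classes)
    # One character from each required class, then fill from the full set.
    chars = [cls[_uniform(stream, len(cls))] for cls in classes]
    while len(chars) < max_len:
        chars.append(alphabet[_uniform(stream, len(alphabet))])
    # Deterministic Fisher-Yates shuffle so required classes do not always
    # sit at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = _uniform(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)
```

Passing `specials=""` covers the sites that refuse special characters outright; the same master secret then yields a different, rule-conforming password per site without anything else to memorise.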