A project to make businesses more aware of their customer experience, and how to fix it. By Mark Hurst.
November 26, 2005 12:03 AM
Broken: Password reset on Sprint PCS site
SprintPCS.com requires your password to be between 6 and 8 characters.
This maximum length limit is difficult to abide by, and hard to remember with so many other restrictions.
If you violate a rule, the error incorrectly complains that the passwords don't match. Call me stupid/hurried, but it took about 6 tries to figure out that the problem was password length.
Minimum length is a good idea, but why a maximum?
Password must be 6-8 characters minus 3 to the 3rd power and only on the second sunset of each calendar month with a full moon in between.
Please try again.
Maximum length isn't such a bad idea, but here it's only 2 characters longer than the minimum. If they made it, say, 20 it would be fine.
Well, technically, if you enter any number in your phone number, or social security number, that's a violation. And if either of them has all 9 base numbers, you're screwed.
One error at a time please. The more important error is obviously the top one. We can't help that your system doesn't match the passwords if they're not in your narrow limits of acceptance. Sheesh!
"Cannot be all or part of your social security number or Sprint PCS Phone Number"
SSNs are 9 digits, phone numbers are 10. Of course the password can't be ALL of either.
Can we also discuss the irony that overly-restrictive password rules cause people to WRITE THE PASSWORD DOWN because they can't possibly remember it, thus making the password more or less useless as a security measure?
Also, there's no reason to cap the password length at all that I can see. Even if the system doesn't use any characters after the Xth character, it can be useful as a mnemonic.
jaed, writing your password down doesn't make it insecure unless you leave that piece of paper lying around at the mall or something.
I've run into this one before. Worse yet, I was able to actually *set* a 10-character password some three or four years ago, and the website then would not recognise the password when I went to log in. Someone at customer service was able to help me through it; it seems that the password I had entered got truncated at 8 chars and entering the first 8 chars at the login prompt gets me in to this day.
Wow, Glenn, that would've made a great submission. Instead it is laid to waste in a pointless discussion. What a shame.
At my last employer's, their INTERNAL (i.e. my own system logon) password restrictions were 8 character minimum, mix of upper/lower characters and mix of alpha/numerical.
Pain in the ass, sure, but add that to the fact that it EXPIRED every couple of months, and you can't use repeats.
There are only two possible solutions to this:
1] increment each change in password making them unique by adding a 1,2,3... on the end (easily breakable)
2] write it down (easily findable)
- both of which defeat password security.
And that's by DESIGN of the IT department!
nickd- It would have made a great submission, yes. However, this was at least 5 years ago. I only found out about thisisbroken.com about ten days ago.
DaveC: You must have worked for my company. There were some security scares within our company, hackers and whatnot, so they decided to beef up our defenses by adding extra security to internally-accessible resources, and upgrading the passwords requirements to almost exactly those of your previous company.
Basically you've described exactly what I do: I have a password I can remember, and I just end it with a "1", "2", "3", etc, and just increment it every time I have to change it (every 2-3 months).
The alternative is that I would need to write my password down, which I have never done but I know for a fact people do because they can't remember a new password every couple months.
If it's any consolation, Verizon Wireless also has ridiculous password requirements. For instance, they say the 6-digit (I think) password cannot contain any repeating digits, but then the temporary password they gave me was something like 110744. WTF?
I agree with the poster who said the worst password rules are the ones like these that force people to WRITE DOWN the password, which is the least secure thing to do. I have a perfectly good "four to six digit" all-numeric password that I use for such things as ATM and university PINs, but I could not use it with Verizon because it has 2 repeating digits. Sigh. How stupid.
Maximum of eight could be to restrict file size. I took a basic Java course a long while ago, and remember that there were different sizes of numbers. One of them is 8 digits long.
That saves space after a while, but not enough to justify the stupidity of the design.
That's my tentative theory.
I have found that a good way to get around the nonrepeatable password restriction is to use CAPS LOCK.
OK, I call you stupid/hurried, because this is not broken. It is a simple enough instruction that anyone able to dial a phone should be able to follow. Not at all unreasonable.
steve- that comment is totally bullshit- just because some people have issues with rote memorization does not make them stupid- hurried maybe but so what- isn't the point of the whole internet thing to speed things up? yeah? yeah! it's one thing to be secure- like having a deadbolt- if your door is covered with locks, when you need to get your ass out you're shit outta luck- keep things simple- simple doesn't equal stupid-
Here is a screenshot of the Charter cable website that asks for a 19-char or less password, but then prompted me when I didn't have at least 8 chars. Why didn't it tell me that up front?
(it's my own site: charter)
The reason there is an 8-character maximum is possibly due to the way they are storing the password on their servers.
Most password-based systems use a standardized hashing algorithm to "irreversibly" scramble a password. The scrambled password (a "hash" or a "digest") is the only thing that gets stored. This makes it difficult for someone to figure out the password, because the hash algorithm is designed to be difficult (impractical) to reverse.
Older Unix systems used a hash algorithm commonly referred to as "crypt". This algorithm is limited to 8 characters. Coincidence?
Today, the crypt algorithm is obsolete and easily cracked. No self-respecting Unix system uses it anymore. Far more secure cryptographic digest algorithms are used instead to produce an impractical-to-reverse hash. These new algorithms operate on significantly longer pieces of text.
Of course, I can't be positive that this is where their 8-character maximum restriction comes from, but it certainly seems to be an artificial restriction, and the number 8 is enough of a coincidence to make me suspicious of the security/cryptography qualifications of the person that produced this software/web site.
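The truncation the two comments above describe (Glenn's 10-character password that still opens with its first 8 characters, and the crypt(3) explanation) can be shown side by side. The following is an added example and not code from thisisbroken.com or from Sprint: the "legacy" scheme is a deliberately simplified model of how traditional crypt(3) behaves (only the first 8 characters influence the stored hash), not the DES-based algorithm itself, while the "modern" scheme is PBKDF2-HMAC-SHA256 from the Python standard library, which consumes the whole password. The sample password is constructed.

```python
import hashlib
import hmac
import os

# Added illustration of the 8-character limit discussed in the thread.
# legacy_hash() MODELS traditional crypt(3)'s truncation; it is not crypt.
# modern_hash() is real PBKDF2-HMAC-SHA256 from hashlib.

LEGACY_LIMIT = 8            # characters that traditional crypt(3) actually uses
PBKDF2_ITERATIONS = 100_000


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Model of a crypt-style hash: silently truncates to 8 characters."""
    truncated = password[:LEGACY_LIMIT].encode("utf-8")
    return hashlib.sha256(salt + truncated).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: every character of the password affects the digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def make_record(password: str, scheme) -> tuple[bytes, bytes]:
    """Store (salt, digest); the password itself is never stored."""
    salt = os.urandom(16)
    return salt, scheme(password, salt)


def verify(candidate: str, record: tuple[bytes, bytes], scheme) -> bool:
    """Constant-time comparison of the recomputed digest with the stored one."""
    salt, stored = record
    return hmac.compare_digest(scheme(candidate, salt), stored)


def truncation_demo(password: str = "correcthorse") -> dict[str, bool]:
    """Does a password cut to its first 8 characters still verify?"""
    prefix = password[:LEGACY_LIMIT]           # what crypt-style storage keeps
    legacy_rec = make_record(password, legacy_hash)
    modern_rec = make_record(password, modern_hash)
    return {
        "legacy_accepts_full":   verify(password, legacy_rec, legacy_hash),
        "legacy_accepts_prefix": verify(prefix, legacy_rec, legacy_hash),
        "modern_accepts_full":   verify(password, modern_rec, modern_hash),
        "modern_accepts_prefix": verify(prefix, modern_rec, modern_hash),
    }


if __name__ == "__main__":
    # "correcthorse" is a constructed 12-character sample password
    for name, result in truncation_demo().items():
        print(f"{name}: {result}")
```

Under the legacy row the 8-character prefix logs in, which is exactly Glenn's experience; under PBKDF2 it does not. The practical check on a real system is the same: set a password longer than the suspected limit and try logging in with only its prefix. Note that truncation is not purely historical: bcrypt, for instance, only uses the first 72 bytes of the password, so a site should either enforce that limit openly or pre-hash before bcrypt rather than silently dropping characters.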
Well, not to be sarcastic, but the screen capture does say "Password not valid."
Therefore, it is not broken. It’s a bit unusual and perhaps inconvenient to some, but not broken.
I think this site needs a “this is inconvenient” or “this is stupid” section.
I find password rules to be one of the most frequently broken items on sites.
Mostly b/c most designers don't tell you what their rules are until you've broken them (which, a good 30% of the time means re-filling out a half-page or longer form to try again).
There's no standard for the rules that's being used and every single site is different.
Often there are multiple rules in play and you don't find out about each one until you violate it.
So here's the set-up loop on a new site:
User: xxx
Pass: yyy
Response: User name is taken
User: xxx1
pass: yyy
Response: User name is taken
User: xxx2
pass: yyy
Response: Password must contain number
User: xxx2
pass: yyy2
Response: Password must be 6 letters or numbers long
User: xxx2
pass: yyy222
Response: Password must be no longer than 9 characters
...
Response: Password must contain non-letter or number characters
...
Response: Password must not contain a space or / or .
...
Response: Password must not contain words from the dictionary
...
Response: Password must not repeat letters or numbers
...
Response: Your password is too easy to guess.
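The loop above, and the original complaint that a too-long password was reported as "passwords don't match", both come down to the same design point: list the rules before the user types, check all of them in one pass, and keep the confirm-field comparison separate from the rule checks. The following is an added example written for this page, not code from the site or from any of the carriers mentioned; the 6-8 character range and the phone-number rule mirror the Sprint PCS complaint, while the exact rule wording, the "4 consecutive digits of your phone number" reading of "all or part", and the phone number itself are constructed assumptions.

```python
import re
from collections.abc import Callable

# Added example: a password policy that can be shown up front and that
# reports every violated rule at once. Rule texts and the 4-digit
# phone-number interpretation are assumptions, not Sprint's actual rules.

Rule = tuple[str, Callable[[str], bool]]   # (message shown to the user, passes?)


def digit_runs(number: str, length: int = 4) -> set[str]:
    """Every window of `length` consecutive digits in a phone/SSN string."""
    digits = re.sub(r"\D", "", number)
    return {digits[i:i + length] for i in range(len(digits) - length + 1)}


def build_rules(min_len: int, max_len: int, phone: str) -> list[Rule]:
    banned = digit_runs(phone)
    return [
        (f"Password must be at least {min_len} characters",
         lambda p: len(p) >= min_len),
        (f"Password must be no longer than {max_len} characters",
         lambda p: len(p) <= max_len),
        ("Password must contain at least one number",
         lambda p: any(c.isdigit() for c in p)),
        ("Password must contain at least one letter",
         lambda p: any(c.isalpha() for c in p)),
        ("Password must not contain 4 or more consecutive digits of your phone number",
         lambda p: not any(run in p for run in banned)),
    ]


def describe_rules(rules: list[Rule]) -> list[str]:
    """What to print next to the field *before* the user types anything."""
    return [msg for msg, _ in rules]


def violations(password: str, rules: list[Rule]) -> list[str]:
    """All rules the password breaks, not just the first one hit."""
    return [msg for msg, ok in rules if not ok(password)]


def validate_change(password: str, confirm: str, rules: list[Rule]) -> list[str]:
    """Rule failures and the confirm-field mismatch are reported separately,
    so a too-long password is never blamed on 'passwords don't match'."""
    errors = violations(password, rules)
    if password != confirm:
        errors.append("Passwords don't match")
    return errors


if __name__ == "__main__":
    rules = build_rules(6, 8, "212-555-0134")   # constructed phone number
    print("Rules shown before the form:", *describe_rules(rules), sep="\n  ")
    print("yyy       ->", validate_change("yyy", "yyy", rules))
    print("yyy222aaa ->", validate_change("yyy222aaa", "yyy222aaa", rules))
    print("pw555013  ->", validate_change("pw555013", "pw555014", rules))
```

With the rules rendered from `describe_rules()` the user sees the whole list once, and each submit returns every failing rule, so the nine-round loop collapses to one or two. Keeping the mismatch check as its own message is what prevents the misleading error in the original post.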
I find it aggravating when they have silly restrictions because it makes it easier to crack the password. Anything under 8 characters is a 'fast' crack, however, knowing the min/max length narrows the range to try. They should just give guidelines and leave it up to the user to make their own password, and leave any crackers in the dark on the restrictions so they must try every combination. Slows them down at the very least.
"Minimum length is a good idea, but why a maximum?"
Because some programmers don't know how to use hash functions. :(
Posted by: Kenton at November 26, 2005 12:35 AM