June 2, 2006 12:03 AM

Broken: Lowe's password retrieval

A reader named Max points out:

Since Lowe's changed their online credit payment system to include these requirements: "must be between 8-15 characters, must contain at least 2 numbers, and the numbers cannot be at the beginning or at the end," I forgot my new impossible to remember password.

When you click on "forgot password" it takes you to the secret question page. You enter your answer and then it tells you the user name is required. What is broken you may ask?

Well I had entered my user name on the preceding page but that information isn't passed to the secret question page and nowhere on the secret question page is there a field to enter your user name.

Also I can't reset my password without knowing the old one.

Comments:

Wow the internet just isn't what it used to be

Posted by: Manny at June 2, 2006 12:13 AM

"What is your city of birth"? Not the most secret of questions.

Posted by: gmangw at June 2, 2006 12:30 AM

Not broken -- those credit cards charge too much interest, so you are being discouraged from using them.

/me ducks

Now seriously, my hypothesis is that this is an over-reliance on cookies. I'm thinking that they wanted a cookie to carry the information forward from the previous page, and that you may have blocked some or all cookies.

Even if that is the case, it is still broken. If it wants cookies to be enabled, it should say so.

Posted by: Glenn Lasher at June 2, 2006 06:58 AM

Broken

The Secret Question page must have a secret user name field, which can't be accessed without the ancient code that's hidden in the Mona Lisa's smile

And what is with all these requirements for your password... hate that

Posted by: Leprechaun at June 2, 2006 07:00 AM

I think the most broken thing here is the excessive requirements for the password. 8-15 characters with numbers that can't be at the beginning or end is really hard to remember.

I once was using something that required punctuation in the passwords, not just numbers (like you had to add an ! or something), has anyone else come across this requirement?

Posted by: Alcas at June 2, 2006 07:46 AM

Sorry for the double post...

Posted by: Alcas at June 2, 2006 07:56 AM

Maybe Lowe's doesn't really want your business...

Posted by: Dan Kelley at June 2, 2006 08:00 AM

alcas, i once had a password that required at least one capital letter, at least one lowercase letter, at least two numbers, and at least one of the symbols on the number row. it was for my college email. because, you know, i really need to make sure no one else sees the email telling me class is cancelled.

Posted by: steve at June 2, 2006 08:19 AM

Everything you mentioned is broken except this:

Also I can't reset my password without knowing the old one.

That's standard practice -- that's what prevents someone from happening upon an unattended computer and changing a password for their later use. Even Unix and Windows require the current password to enter the new password.

Posted by: rich at June 2, 2006 10:28 AM

Yes, normally knowing the old one to change it is good security. The problem is when the old one is forgotten and you use an alternate system to get in. Most such systems change the password to something random and tell you what they changed it to but if the alternate simply lets you in you're forever stuck using the alternate.

Posted by: Loren Pechtel at June 2, 2006 10:43 AM

Even Unix and Windows require the current password to enter the new password.

--rich

Though you need to know your password to change it in Windows (XP), you can change any other user's without knowing the old one.

Posted by: Ilya at June 2, 2006 01:39 PM

... which in itself is broken.

(Sorry about the second message, I just thought of this).

Posted by: Ilya at June 2, 2006 01:40 PM

The few times I have had to use the alternate access for any software, I was asked immediately for a new password before it would permit me to log on, but the software required the old password only for changing the password while already logged on.

Posted by: Sean P at June 2, 2006 02:28 PM

I like the questions like "What is your favorite movie" or television show or singer or something that can change on a day to day basis. Yeah, I'll really recall what I entered for that 8 months later.

Posted by: The Damned Ghost Of Tookie at June 2, 2006 03:24 PM

Web systems typically *don't* require an old password because you can't just call up the sysop and get it reset if you've forgotten it. The secret question is to allow self-service in retrieving/resetting your password.

RE: burden of password complexity. It does seem pretty crazy, though if they allow you to store your credit card in their system you should be happy they make it difficult.

Posted by: Tug at June 2, 2006 04:23 PM
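As an added illustration (not code from the original post or from Lowe's site), here is a minimal self-service reset flow in Python: the user name is bound to a random server-side token on the "forgot password" page and carried by that token to the secret-question page, so nothing depends on a cookie as Glenn suspects, and a verified session may set a new password without the old one, the behaviour Tug and Sean P describe. The user store, the answer, the token lifetime and the "max" account are constructed for the example; the policy check is the rule quoted in the post.

```python
import hashlib, hmac, secrets, time
# Constructed in-memory stores standing in for the site's database; plain SHA-256
# keeps the example short, a real store would use a slow salted hash.
USERS = {"max": {"answer_hash": hashlib.sha256(b"springfield").hexdigest(),
                 "pw_hash": hashlib.sha256(b"forgotten-pw").hexdigest()}}
RESET_SESSIONS = {}   # token -> {"user": name, "verified": bool, "expires": unix time}
TOKEN_TTL = 600       # seconds a reset session stays valid

def meets_policy(pw):
    """The rule quoted in the post: 8-15 chars, >= 2 digits, no digit first or last."""
    digits = sum(c.isdigit() for c in pw)
    return (8 <= len(pw) <= 15 and digits >= 2
            and not pw[0].isdigit() and not pw[-1].isdigit())

def start_reset(username):
    """Step 1 ('forgot password'): bind the user name to a random server-side
    token so the secret-question page never depends on a cookie."""
    if username not in USERS:
        return None   # show the same generic message either way
    token = secrets.token_urlsafe(32)
    RESET_SESSIONS[token] = {"user": username, "verified": False,
                             "expires": time.time() + TOKEN_TTL}
    return token

def _live_session(token):
    sess = RESET_SESSIONS.get(token)
    return sess if sess and sess["expires"] >= time.time() else None

def answer_question(token, answer):
    """Step 2 (secret question): the user comes from the token, not from a
    field the user must re-enter; a wrong answer burns the token."""
    sess = _live_session(token)
    if sess is None:
        return False
    given = hashlib.sha256(answer.strip().lower().encode()).hexdigest()
    if not hmac.compare_digest(given, USERS[sess["user"]]["answer_hash"]):
        RESET_SESSIONS.pop(token, None)
        return False
    sess["verified"] = True
    return True

def set_new_password(token, new_pw):
    """Step 3: a verified session sets a new password without the old one
    (that is what makes the flow self-service); the token is consumed."""
    sess = _live_session(token)
    if sess is None or not sess["verified"] or not meets_policy(new_pw):
        return False
    USERS[sess["user"]]["pw_hash"] = hashlib.sha256(new_pw.encode()).hexdigest()
    RESET_SESSIONS.pop(token, None)
    return True
```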

An easy way around the numbers rule is to type your commonly used password in 1337-speak, for example if your password was 'thisisbroken' instead you would be like '7h1515br0k3n'

Posted by: _____ at June 2, 2006 06:55 PM

Not Broken

Because Lowes is aAaARrrgggghhhh uhh

Posted by: Homer Despot at June 2, 2006 11:56 PM

if they allow you to store your credit card in their system you should be happy they make it difficult.

I think the problem is that it's too difficult for anyone to remember. I've got a pretty secure password that I use, but I stumble across sites that put various, bizarre restrictions on it. (For a while my bank required that my password be 6 characters long. No more, no less. They eventually got a clue, though.)

Someone high-up in the software world ran a piece a while ago arguing that stupid rules like these really don't help, because it just causes people to use bad passwords.

Posted by: Matt at June 5, 2006 11:32 AM

"Though you need to know your password to change it in Windows (XP), you can change any other user's without knowing the old one.

... which in itself is broken."

No it isn't.

Standard users need to know their password if they want to change it (if they're even allowed to change it). *Administrators* can change another user's password without knowing what the password is, which makes perfect sense since Administrators are the ones managing the whole system. How else would a password get reset when a user inevitably forgets it? Besides, if your administrator can't be trusted with that kind of power then you've probably got bigger problems, anyways (though randomly changing users' passwords would likely create the biggest headaches for the administrator themselves).

If you're able to change another user's password then the account you've logged in with must have administrative privileges, and if you typically run your computer that way then that's what's really broken.

Posted by: BACON at June 6, 2006 12:19 PM

*I once was using something that required punctuation in the passwords, not just numbers (like you had to add an ! or something), has anyone else come across this requirement?*

Similar to the college email account, I had an email address as a temp for a large office supply company that required numbers, letters and symbols, at least 1 of each, 7+ characters, I think.

The tech guy resolving a printer problem had the gall to look at me funny when I told him my password was something like k1ngm4ker&&. Actually, he had the gall to ask my password and not use his login!

Posted by: gorckat at June 6, 2006 12:24 PM
