protocol7 archive
27 November 2007

Lousy password policy

Today I received an account for checking my account status for a credit card. On first login I had to change the generated password they sent me to something of my own choice. However, their password policy seems a bit awkward to me. Translated from Swedish:

The new password must consist of at least 6 characters (a-z and 0-9) and may not have more than two of the same characters in a row. The password must contain at least one digit, but no more than three digits in a row. It must be no longer than 44 characters.

Having these onerous rules leads to two things, both reducing security:

I don’t really understand the motivation behind them. If they had at least inhibited the common passwords people use, but no.
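As an added illustration (my own code, not from the original post or the card issuer), here is a checker that implements the six quoted rules; the list of common passwords is a constructed stand-in for a real breach list. It shows that typical weak passwords pass, while a noticeable share of uniformly random passwords over the permitted alphabet are rejected by the "three digits in a row" and "two identical characters" rules.

```python
import re
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # the only characters the policy permits

def check_policy(pw: str) -> list[str]:
    """Return the rule violations for pw under the quoted policy (empty list = accepted)."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than 6 characters")
    if len(pw) > 44:
        problems.append("longer than 44 characters")
    if any(c not in ALPHABET for c in pw):
        problems.append("contains characters outside a-z and 0-9")
    if not any(c in string.digits for c in pw):
        problems.append("contains no digit")
    if re.search(r"(.)\1\1", pw):           # three identical characters in a row
        problems.append("more than two identical characters in a row")
    if re.search(r"[0-9]{4}", pw):          # four consecutive digits
        problems.append("more than three digits in a row")
    return problems

def policy_accepts(pw: str) -> bool:
    return not check_policy(pw)

# Constructed sample of weak passwords of the kind found in breach lists (not a real list).
COMMON_WEAK = ["password1", "qwerty123", "abc123", "letmein1", "hello123"]

def weak_passwords_accepted() -> list[str]:
    """Weak passwords the policy lets through unchanged."""
    return [pw for pw in COMMON_WEAK if policy_accepts(pw)]

def random_rejection_rate(length: int = 20, trials: int = 2000) -> float:
    """Fraction of uniformly random passwords over the permitted alphabet that the policy rejects."""
    rejected = 0
    for _ in range(trials):
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_accepts(candidate):
            rejected += 1
    return rejected / trials

if __name__ == "__main__":
    print("weak but accepted:", weak_passwords_accepted())
    print("random 20-char passwords rejected:", f"{random_rejection_rate():.0%}")
```

Roughly one in ten random 20-character passwords is rejected, mostly for containing four consecutive digits, so the rules punish strong randomly generated passwords while waving through every entry in the weak list.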

tags: Security