I recently signed up to the site of one of my (many) 401K administrators. When it came time to pick a password for my account, I was disappointed to see the kind of restrictions the bank put on my choice of password:
Password requirements:
Must contain 8 – 20 characters
Must contain at least one letter and one number
Is case sensitive (e.g. “MyPassword” with an uppercase “M” and “P” is different from “mypassword” with a lowercase “m” and “p”)
Cannot contain any spaces
Cannot contain special characters (e.g. !#$%^&@,;*( )+~?<>‘\”)
Cannot contain more than 2 of the same consecutive letters or numbers (e.g. aaa or 222)
Cannot be the same as your previous 6 passwords
Cannot be the same as your Username
I understand some of these, but not allowing spaces or special characters? That significantly reduces the complexity of available passwords, making the password easier to crack. Now perhaps they get around this by giving the user x number of tries before locking her out, but why not just allow special characters?
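As an added illustration (not from the original post), here is a validator for the bank's quoted rules together with a rough estimate of how much the letters-and-digits-only restriction shrinks the keyspace; the 95-character comparison alphabet assumes printable ASCII including the space, and the password history is compared in plaintext only to keep the example short.

```python
import math
import re
import string

# The bank's rules as quoted above, encoded as constants.
MIN_LEN, MAX_LEN = 8, 20
ALLOWED = set(string.ascii_letters + string.digits)  # letters and digits only
HISTORY_DEPTH = 6
RESTRICTED_ALPHABET = 62   # a-z, A-Z, 0-9
PRINTABLE_ALPHABET = 95    # printable ASCII incl. space (assumed comparison set)


def check_policy(password, username, previous=()):
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be 8-20 characters")
    if not any(c.isalpha() for c in password) or not any(c.isdigit() for c in password):
        problems.append("needs at least one letter and one number")
    if " " in password:
        problems.append("spaces are not allowed")
    if any(c not in ALLOWED and c != " " for c in password):
        problems.append("special characters are not allowed")
    if re.search(r"(.)\1\1", password):  # three identical characters in a row, e.g. aaa or 222
        problems.append("more than two identical consecutive characters")
    # A real system would compare against stored salted hashes, not plaintext.
    if password in tuple(previous)[-HISTORY_DEPTH:]:
        problems.append("matches one of the previous 6 passwords")
    if password == username:
        problems.append("same as username")
    return problems


def keyspace_bits(alphabet_size, length):
    """Bits of keyspace for a uniformly random password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def restriction_factor(length):
    """How many times fewer candidates an attacker must try because specials are banned."""
    return (PRINTABLE_ALPHABET / RESTRICTED_ALPHABET) ** length


if __name__ == "__main__":
    for pw in ("Passw0rd", "aaa12345", "My Pass1", "P@ssw0rd!"):
        print(pw, check_policy(pw, "bob") or "accepted")
    for n in (8, 12, 20):
        print(n, round(keyspace_bits(RESTRICTED_ALPHABET, n), 1),
              round(keyspace_bits(PRINTABLE_ALPHABET, n), 1), round(restriction_factor(n)))
```

At the 8-character minimum the ban costs roughly 5 bits, about a 30-fold smaller search space, which is why the author's point about lockout thresholds matters more under this policy.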