Security Information Vulnerability Research Security Blog

Forcing your users to write down their passwords

February 20th, 2012 by , Filed under: Commentary, Corporate Security, Culture, Networking, Phishing, Social Engineering, Web

This sums up everything that is wrong with the “password policy” theme. From the t-mobile web site:

T-Mobile Password Policy

There is no way any reasonable person can choose a password that fits this policy AND can be remembered (note how they are telling you that you CANNOT use special characters. So users now have to bend according to the lowest common denominator of their bad back-end database routine and their bad password policy).

I’m sure some high-paid consultant convinced the T-MO CSO that stricter password policy is the answer to all their security problems. Reminds me of a story about an air-force security chief that claimed 25% increase in security by making mandatory password length 10 characters instead of 8, but I digress.

Yes, I know my habitat. No security executive ever got fired for making the user’s experience more difficult. All in the name of security. Except it’s both bad security and bad usability (which, incidentally, correlate more often than not, despite what lazy security ‘experts’ might let you believe.

I’ve ranted about this before.

Share
  • Sam Smmith

    Just a slip of the pen– Near the end you wrote: “making the user’s hard difficult”

    Sounds like a porno movie flop.

  • B

    Really, people can’t remember an 8 char password?

  • http://www.BeyondSecurity.com Aviram

    Of course they can. If you let them choose it. Except here, you don’t.

    They can choose a password of 8 characters, but their password might not have an uppercase character, and may not have a number and MAY have a special character (if they want it especially strong). So they need to change it.
    Except now they need to remember the 8-char password they chose for t-mobile AND they change t-mobile forced them to make.

    The main question is WHY t-mobile is doing that. Haven’t they heard of account lockouts? I can choose a 4 digit password and you still won’t be able to guess it account lockouts are in place.
    Why push the work on the customer when they should be solving the problem on their side?

  • http://www.BeyondSecurity.com Aviram

    Thanks Sam. And yes, it does bring some weird associations to mind.

  • Share







  • Categories


Security RSS Subscribe