

Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
4 edits
Sites That Don't Allow Special Characters In Passwords !?!

Many sites don't allow special characters in their passwords; they only let you use numbers and letters.

It's not just Digg, but for them it's especially unacceptable. I mean, come on....Digg? The epitome of the "new" Internet. Young, hip, and...only taking numbers and letters in their passwords? Lame.



There's just no excuse for this in 2007. Eight years ago, sure...but not now. Let's do this. Let's make a list of sites that we know of that still haven't moved out of 1999. Then we'll email their admins and demand ask that they get with the 21st century.

Here, I'll start:

• Digg.com
• Suntrust Bank
• Chase Bank

»dmiessler.com/archives/1208

What others do you know of?

--
dmiessler.com -- grep understanding knowledge


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
Re: Big Sites That Don't Allow Complex Passwords !?!

If you're just setting up complex passwords in some password program, it's not helping you at all. If you're using some master password as part of a password storage, then you're only fooling yourself when it comes to security.


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA

reply to Daniel
I think you're missing the point here. These sites DON'T ALLOW special characters in their passwords. If you try and use punctuation or a "$" or anything like that, they'll balk.

They only allow letters and numbers. It's just bad form.
--
dmiessler.com -- grep understanding knowledge

greenhatch

join:2005-08-14
UK!

reply to Daniel
My ISP here in Britain doesn't permit special characters in passwords: they are being pressured to change though.

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to Daniel
Chase has that new double security that is so irritating. I now have to call them every month and get them to issue a special code to use because I flush their cookies after each visit. Chase wants me to keep the special identifier cookie they now have, and since I don't, their site declares my machine as having never accessed my accounts there before...hence the phone call I must make now every month. I then have to wait for the email after speaking to a representative and having him authorize a special code. Then after I get the email, I have to go to their site from the email link and put in the special authorization code and then finally get into my accounts. It is so irritating that I see little reason to use internet banking now. I would probably save more time mailing the check at the Post Office. My one concern there is that I had the USPS lose a check once for three weeks and Chase would not rescind the penalty when the check didn't reach them in time, and I didn't know because I wasn't doing internet banking back then. That is why I started doing internet banking. But I find it less and less appealing. I probably will just start doing automatic electronic deduction with Chase. I never use my local banks' websites as I can go in those banks. I guess I should have never gotten credit cards with banks outside my home town.

Why do you think Chase needs complex passwords when it has this new double security thing? Besides, if anyone tries to hack your password, after three failed attempts Chase locks the account and even you cannot get into your own account. I had that happen not long ago. I had to call Chase and answer a bunch of questions, and then they told me that someone had tried to hack the account and they were surprised that hadn't happened to me before as it was quite common, but the would-be hackers only get three attempts, so I really don't see why you are so worried.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to Daniel
I'm not sure why you see this as a problem.

These days if I want a new web site password, I generate a random bit string of suitable length and then encode that in base64. Finally, I delete the '+' and '/' chars from the result for sites that won't allow those. Oh, yes, I do record the password in an encrypted file.

There is a problem with special characters - some of them are differently encoded depending on the national character set you are using. There is a point to avoiding all characters where there is some potential ambiguity as to how they will be encoded.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10
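nwrickert's recipe (random bits, base64, then drop '+' and '/') written out in Python as an added example; this is not code from the thread or from any poster. The function names, the retry loop, and the 62-symbol entropy accounting are this example's own assumptions.

```python
import base64
import math
import secrets

# Added example, not code from the thread. It implements the recipe from the
# post above: draw random bits, base64-encode them, then drop the '+' and '/'
# characters that some sites reject. All names here are this example's own.

STRIPPED = frozenset("+/")
KEPT_ALPHABET = "".join(
    c for c in
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    if c not in STRIPPED
)  # the 62 symbols that survive stripping


def base64_password(num_bytes: int, rng=secrets.token_bytes) -> str:
    """Base64-encode num_bytes random bytes, drop padding, then drop '+' and '/'.

    rng is injectable so the behaviour can be checked with fixed bytes;
    the default is the OS CSPRNG via the secrets module.
    """
    raw = rng(num_bytes)
    encoded = base64.b64encode(raw).decode("ascii").rstrip("=")
    return "".join(c for c in encoded if c not in STRIPPED)


def password_of_length(length: int) -> str:
    """Return exactly `length` characters, each uniform over the 62 kept symbols.

    Using a multiple of 3 bytes means every base64 character carries 6 fresh
    random bits (no partially determined final character before the padding).
    Each character is an independent uniform draw over 64 symbols, so the
    characters that survive the '+'/'/' filter are independent uniform draws
    over the remaining 62; truncating to the first `length` of them keeps that
    property. 3*length bytes give 4*length characters before stripping, so a
    short result is very unlikely; the loop simply retries if it happens.
    """
    while True:
        candidate = base64_password(3 * length)
        if len(candidate) >= length:
            return candidate[:length]


def keyspace_bits(password: str, alphabet_size: int = len(KEPT_ALPHABET)) -> float:
    """log2 of the number of equally likely strings of this length over the alphabet."""
    return len(password) * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = password_of_length(16)
    print(pw, f"{keyspace_bits(pw):.1f} bits")
```

Each surviving character contributes log2(62), about 5.95 bits, so a 16-character result carries roughly 95 bits of keyspace; the base64 step is only a convenient way of turning random bytes into typeable characters.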


DownTheShore
Tar and Feather Joe Lieberman
Premium
join:2003-12-02
Beautiful NJ
reply to Daniel
To get back to Daniel's question:

Sovereign Bank

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS


1 edit
reply to BlitzenZeus
said by BlitzenZeus:

If you're just setting up complex passwords in some password program, it's not helping you at all. If you're using some master password as part of a password storage, then you're only fooling yourself when it comes to security.
Assume an attacker has no access to your PC; he's merely attacking the web site (and it's not tricky to guess, for example, that there might be a user called 'dave'). There is no 'master password' involved. It's simply a matter of how hard it is to brute-force the password space.

If the password space is restricted to [A-Za-z0-9] then there are far fewer possible passwords than if passwords could use any characters. Thus, the password is easier to guess. Simple arithmetic.

This is just sloppy programming, about as sloppy as the idiots who insist you type credit card numbers without spaces, despite the fact that the numbers on the cards are grouped in fours for a very good reason.

I suppose the point of your comment may be that people who use 'complex passwords' must be keeping them in software-managed keyrings. That doesn't seem to follow at all. A few non-alphameric characters dropped into a password doesn't suddenly make it impossible to remember; even a scheme as silly as replacing an 's' with '$' adds a small amount of strength, without making the password harder to remember.

--
Microsoft Security MVP, 2005-2007.
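The "simple arithmetic" in dave's post above, carried through in code as an added example (not code from the thread or from any poster): how many bits a given length yields over each alphabet, and how much longer an [A-Za-z0-9]-only password must be to match one that may use any printable character. The alphabet sizes (62 for [A-Za-z0-9], 95 for printable ASCII) and the guess rate used by the time helper are this example's own assumptions.

```python
import math

# Added example, not code from the thread. Alphabet sizes are assumptions:
# 62 for [A-Za-z0-9], 95 for printable ASCII (space through '~').
ALNUM = 62
PRINTABLE = 95


def keyspace_bits(length: int, alphabet: int) -> float:
    """log2 of the number of distinct length-character strings over `alphabet` symbols."""
    return length * math.log2(alphabet)


def length_for_bits(target_bits: float, alphabet: int) -> int:
    """Smallest length whose keyspace over `alphabet` reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet))


def equivalent_length(length: int, from_alphabet: int, to_alphabet: int) -> int:
    """Length needed over to_alphabet to match `length` characters over from_alphabet."""
    return length_for_bits(keyspace_bits(length, from_alphabet), to_alphabet)


def one_position_gain_bits(from_alphabet: int = ALNUM, to_alphabet: int = PRINTABLE) -> float:
    """Extra bits contributed by a single position that may hold any printable
    character instead of only a letter or digit: log2(95) - log2(62), about 0.6."""
    return math.log2(to_alphabet) - math.log2(from_alphabet)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every string, at a constructed guess rate."""
    return 2.0 ** bits / guesses_per_second


def comparison_table(lengths=(8, 10, 12, 16)) -> list:
    """Rows of (length, bits over 95, bits over 62, alnum length that matches 95)."""
    return [
        (n,
         keyspace_bits(n, PRINTABLE),
         keyspace_bits(n, ALNUM),
         equivalent_length(n, PRINTABLE, ALNUM))
        for n in lengths
    ]


if __name__ == "__main__":
    print(f"{'len':>4} {'95-set':>8} {'62-set':>8} {'62-len to match':>16}")
    for n, b95, b62, need in comparison_table():
        print(f"{n:>4} {b95:>8.1f} {b62:>8.1f} {need:>16}")
    # constructed rate of 1e9 guesses/s for an offline attack on leaked hashes
    print(f"8 chars over 62 symbols: {seconds_to_exhaust(keyspace_bits(8, ALNUM), 1e9):.0f} s")
```

The table shows the cost of the restriction directly: every position loses about 0.6 bits, so an 8-character printable-ASCII password needs 9 alphanumeric characters to match, and a 12-character one needs 14. The time figure is only meaningful for offline guessing against leaked hashes; an online login endpoint with lockout, as described elsewhere in the thread, is a different attack model.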

stonecolddsl
Linux Junkie

join:2004-01-07
Sarasota, FL
·Rapid Systems, Inc.
·Sprint Mobile Broa..
·Verizon Online DSL

reply to Daniel
Amex.com aka AmericanExpress.com

6 to 8 characters, letters and numbers only, not case sensitive.

That scares me since I have a 50k plat business credit (not charge) card with them (OPEN FOR BUSINESS credit card),

not to be confused with my Gold Amex Charge card.

Just Basics

join:2003-06-08
Painter, VA

reply to Daniel
Unless they have changed during the last year here are two more to add:

BB&T
NASA Credit Union

If they have changed let me know.

I might add that I am totally impressed with PayPal and eBay for implementing the VeriSign ID Protection - more financial institutions should take this service into consideration.


nightdesigns
Gone missing, back soon
Premium
join:2002-05-31
AZ
·Cox HSI

reply to Daniel
Not totally related to your question, but related: how about companies that give you a username and you can't change it?

For example, at my bank, a credit union, my username is my account number.

And the worst offender, AARP IRA/Mutual Funds, username is your SS#. That's scary.
--
[[Your signature here]]


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA

reply to nwrickert
said by nwrickert:

I'm not sure why you see this as a problem.
It's a problem because humans are better at remembering shorter passwords, and the use of more character sets allows one to add security while keeping length down.

So, ArdV4rk! is arguably a much better password than woof20slf02ld9dlw0 because the former is both sufficiently complex to thwart most guessing attacks but still short enough to remember easily.

For high security sites you probably shouldn't use memorable passwords at all, but it's not practical for most people to try and use a password manager for every single site they visit; and that's the focus of this point.

Far too many sites limit the usability vs. security tradeoff by not allowing special character sets in their passwords. It forces users to either 1) use easily guessable passwords, or 2) use longer ones that are forgotten more easily.
--
dmiessler.com -- grep understanding knowledge

Cairninator

join:2007-02-14
Sedona, AZ
reply to Daniel
What is really scary is someone who would use their SS# as a login. It's really stunning how the average American can justify their stupidity.


neonhomer
Honoray Mythbuster
Premium
join:2004-01-27
Edgewater, FL
reply to Daniel
Space Coast Credit Union (in East Central Florida) doesn't allow complex passwords.

Neither does Earthlink.


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to Daniel
It's a problem because humans are better at remembering shorter passwords, ...
The idea of remembering passwords went out the window once web sites started wanting passwords. It is unmanageable.

I keep only a very few remembered passwords. One of those is the passphrase I need to access my encrypted password database. And once one starts storing passwords in a database, there is no longer a need to keep them short.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10


haze_nme

join:2004-01-13
Tucson, AZ
reply to Daniel
You can add Wells Fargo to the list of offenders.


CylonRed
Premium,MVM
join:2000-07-06
Bloom County
reply to Daniel
You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed.

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS

said by CylonRed:

You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed.
Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength.
--
Microsoft Security MVP, 2005-2007.

Catmoves

join:2005-07-05
Albuquerque, NM

reply to Daniel
I've had some success by writing to webmasters and suggesting that they might change the coding and allow the special characters to be used. I've also gotten form letters back from other sites saying their program doesn't allow for this. Some answer. My answer is simple. If I really want to log in to the site, I make them send me my password. Then I change it. Every time.
--
Catmoves
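What "changing the coding" on the site side could look like, as an added example written for this thread (not code from the thread, from Catmoves, or from any site named here). It puts the letters-and-digits-only rule the thread complains about next to a check that accepts any character, enforces only a length window, normalises the Unicode form before hashing (the encoding ambiguity nwrickert raised earlier), and stores a salted PBKDF2 hash. The length limits, the regular expression for the legacy rule, and the iteration count are this example's assumptions.

```python
import hashlib
import re
import secrets
import unicodedata

# Added example, not code from the thread or from any site mentioned in it.
# Limits, the legacy pattern and the PBKDF2 iteration count are assumptions.

LEGACY_RULE = re.compile(r"[A-Za-z0-9]{6,8}")


def legacy_accepts(password: str) -> bool:
    """The kind of rule the thread complains about: 6 to 8 letters or digits only."""
    return LEGACY_RULE.fullmatch(password) is not None


MIN_CHARS, MAX_CHARS = 8, 128  # assumed policy limits


def canonical_bytes(password: str) -> bytes:
    """NFC-normalise, then UTF-8 encode.

    'e' followed by a combining acute accent and the precomposed 'é' become the
    same bytes, so the same visible password typed through different clients or
    national keyboard layouts hashes identically.
    """
    return unicodedata.normalize("NFC", password).encode("utf-8")


def policy_accepts(password: str) -> bool:
    """Accept punctuation, symbols and non-ASCII letters.

    Rejects only control, format, surrogate, private-use and unassigned code
    points (Unicode categories C*), and enforces the length window counted in
    normalised code points, so 'ArdV4rk!' and a spaced passphrase both pass.
    """
    normalised = unicodedata.normalize("NFC", password)
    if any(unicodedata.category(c).startswith("C") for c in normalised):
        return False
    return MIN_CHARS <= len(normalised) <= MAX_CHARS


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the canonical bytes (iteration count is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", canonical_bytes(password), salt, iterations)


def register(password: str) -> tuple:
    """Validate, then return (salt, hash) to store; raises ValueError when the policy rejects it."""
    if not policy_accepts(password):
        raise ValueError("password does not meet the policy")
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


def verify(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    return secrets.compare_digest(hash_password(password, salt), stored_hash)


if __name__ == "__main__":
    for candidate in ("ArdV4rk!", "ArdV4rk1", "caf\u00e9 au lait 42"):
        print(f"{candidate!r}: legacy={legacy_accepts(candidate)} policy={policy_accepts(candidate)}")
    salt, stored = register("ArdV4rk!")
    print("verify correct:", verify("ArdV4rk!", salt, stored))
    print("verify wrong:  ", verify("ArdV4rk1", salt, stored))
```

Because the password is hashed rather than stored or compared as text, there is no reason for the site's code to care which characters it contains; the only remaining decisions are the length window and the Unicode normalisation form, which must be fixed once and applied identically at registration and login. Rejecting category Cf also rejects zero-width joiners, so a site that wants to allow joined emoji sequences would carve out that category.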


JTM1051
Premium,MVM
join:2000-07-08
Moorpark, CA

reply to Daniel
said by Daniel:

...What others do you know of?
Unless they've changed recently, SBC/AT&T Yahoo! DSL.
Monday, 09-Nov 03:22:39 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.