<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?! in Security</title>
<link>http://www.dslreports.com/forum/r18016064</link>
<description></description>
<language>en</language>
<pubDate>Wed, 02 Dec 2009 15:51:47 EDT</pubDate>
<lastBuildDate>Wed, 02 Dec 2009 15:51:47 EDT</lastBuildDate>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18044418</link>
<description><![CDATA[<A HREF="/useremail/u/197199"><b>Doctor Four</b></A> : What I can't believe is that there are banking sites out<br>there that won't let you use special characters in<br>passwords. That is just plain dumb and short sighted.<br><br>On the opposite side of the coin are sites that require<br>1 or more special characters, capital letters and so on<br>in their passwords. PayPal does.<br><SMALL>--<br>"The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18044418</guid>
<pubDate>Thu, 22 Mar 2007 11:12:22 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18044170</link>
<description><![CDATA[<A HREF="/useremail/u/203572"><b>timcuth</b></A> : What I hate is sites that ask you to create a new password, but don't give any hint whatsoever as to what characters you may use or how long the password can be. Lots of them do this.  :mad:<br><br>Tim<br><SMALL>--<br><I>The shortest sentence is, "I am". The longest is, "I do".</I><br><B><A HREF="http://www.tdprojecthope.com/"> ~ Project Hope ~ </B></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18044170</guid>
<pubDate>Thu, 22 Mar 2007 10:13:35 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18035435</link>
<description><![CDATA[<A HREF="/useremail/u/1070900"><b>nwrickert</b></A> : <div class="bquote">I consider social sites like BBR and others to deserve complex passwords.</DIV>You would have to change a lot more than the password characters.<br><br>Practically speaking, login to BBR is done by persistent cookie transmitted as clear text.<br><SMALL>--<br>AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18035435</guid>
<pubDate>Tue, 20 Mar 2007 18:49:52 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18035278</link>
<description><![CDATA[<A HREF="/useremail/u/668609"><b>EGeezer</b></A> : Merrill Lynch also limits length as well as limiting to characters and numbers only. That's why I have not authorized any online transactions with them, and change the login frequently. Since the folks there know me personally, that's how I do business. Same with Chase and a few others. <br><br>A couple of observations - <br>*********** <br>I consider social sites like BBR and others to deserve complex passwords. Why? <br><br>Because hacking someone's account can provide a miscreant with a "trusted" ID, and can be used to gain trust and possible information of other members, as well as profile information that's marked private. While that may not hurt me a great deal, it could hurt others if my ID is used maliciously to gain trust from other members. A collateral result would be that my name could be damaged in the eyes of my fellow community members. <br><br>Also, if the account were used for illegal purposes like uploading CP or sharing copyrighted information, I could become a target of an investigation. I don't need that hassle. <br><br>************ <br><br>Some of the authorization systems used by these institutions were - or are - also used for touch tone phone logins. They save money by using pieces of the phone system for internet authorization. <br><br>************ <br><br>Very few sites allow changing a user ID, so that in many cases leaves only one changeable factor - the password. If an account is compromised, the hacker will still have the user ID. That should be something to look at when upgrading security. <br><br>************ <br><br>Lastly, my passwords are either memorized or stored offline where a burglar would be unlikely to find them. Although we live in a good neighborhood and have no untrustworthy residents or guests, I consider some information worthy of securing against casual observation or discovery. That's just part of my risk analysis and resulting policies. 
<br><br>************ <br><br>HTH <br><br>EG <br><SMALL>--<br>03:14:07 UTC Tuesday, Jan. 19, 2038 - a date that will live in infamy...</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18035278</guid>
<pubDate>Tue, 20 Mar 2007 18:20:59 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18035114</link>
<description><![CDATA[<A HREF="/useremail/u/996768"><b>jbob</b></A> : FWIW I have 2 Chase accounts.  I DO use special characters in my password so not sure if it is true about Chase being listed.  I will say that both my accounts were initially with other businesses and were bought out/sold/transferred to Chase and my online access simply transferred over.  Even with Chase's new security procedures my password (complex) still worked/works.  ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18035114</guid>
<pubDate>Tue, 20 Mar 2007 17:47:53 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18034673</link>
<description><![CDATA[<A HREF="/useremail/u/715380"><b>Maxo</b></A> : I agree with you.  Sites that don't allow special characters really irk me.  I could go ahead and list some internal apps here within my company but that would be pointless.  I can't think of any sites off hand that don't allow special characters.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18034673</guid>
<pubDate>Tue, 20 Mar 2007 16:15:33 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18026934</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : <div class="bquote"><SMALL>said by  Mele20 <A HREF="/useremail/u/403861"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>I just took issue with the "sky is falling" attitude of the OP.</DIV>You see what you want to see. All I did was bring the issue up; I didn't ever say it was life or death, or use any other language that would indicate I thought there was a need for panic. If that's what you saw then that's on you. All I did was bring it up. I think your interpretation of "sky is falling" comes from you not getting the point of the post in the first place. Meaning, if anyone even mentions something that in your mind "doesn't matter", then by virtue of it even being brought up it's automatically considered overreacting. <div class="bquote"><SMALL>said by  Mele20 <A HREF="/useremail/u/403861"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>I also disagree with the OP that everyone except myself memorizes all 200-300 passwords that they have and may change (especially banking ones) every three months.  <br> </DIV>That would have been a much better point had I ever said that. But since I didn't, it's not.<br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18026934</guid>
<pubDate>Mon, 19 Mar 2007 10:19:44 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18025646</link>
<description><![CDATA[<A HREF="/useremail/u/1395696"><b>Bubba17</b></A> : I completely agree with your position for password character-set inclusion.  Long ago, I adopted 'program-controlled' management for security vital sites, and more.  At this moment, away from my machine, I'm  incapable of accessing 95% of the sites of import to me.  The 5% committed to memory share a common core, with subtle variations, and character-set allowance punches them to a higher security level. <br><SMALL>--<br>HN7000s|H1(127W)-1110mhz|.98m-2w|Pro+|3.0ghz dual-core|3gig-ram|BFG7800GT-OC-256MB|XP-Pro w/SP2<br>"Fast is fine, but accuracy is everything." -- Wyatt Earp</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18025646</guid>
<pubDate>Mon, 19 Mar 2007 00:52:34 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18025332</link>
<description><![CDATA[<A HREF="/useremail/u/823397"><b>Just Basics</b></A> : This site does allow special characters.<br><br>I try to use special characters in all of my passwords first - they are rejected about 50% of the time.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18025332</guid>
<pubDate>Sun, 18 Mar 2007 23:24:46 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18025200</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : I believe the OP started out complaining that Digg was bad because they don't allow for a special character in their login and the OP said there were a number of big sites like that. Then he sort of switched to banking sites only...kind of two different topics as what banks do with passwords is not at all like regular sites where it doesn't matter that much if your password gets grabbed. We can grab each other's over at bugzilla and have fun confusing the mofo folk...you'd get more embarrassed than I probably because I would likely post not too good bugs under your id and not write them up as well as you would for bugs you posted under mine. Or we could have fun adding each other's email address to a ton of very active bugs and give 10 votes to some dumb bugs, etc. :D  But what real harm would be done by such pranks?<br><br>I am not objecting per se to allowing this. I am objecting to the OP's attitude that this is some huge deal and we all need to immediately get behind pushing "derelict" sites to do this as of yesterday.  No one has answered my question of whether or not this site, Wilders Security, and Castlecops allow special characters? If they don't are they derelict and have to be pressured immediately? I just took issue with the "sky is falling" attitude of the OP.  I also disagree with the OP that everyone except myself memorizes all 200-300 passwords that they have and may change (especially banking ones) every three months.  <br><SMALL>--<br>"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"<br><br>&raquo;<A HREF="http://www.msfirefox.com/" >www.msfirefox.com/</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18025200</guid>
<pubDate>Sun, 18 Mar 2007 22:59:24 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18025076</link>
<description><![CDATA[<A HREF="/useremail/u/883156"><b>bluezanetti</b></A> : <div class="bquote"><SMALL>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>If it's optional, some people will not take advantage of the ability. They are no worse off. Meanwhile, some people are better off. Why is it worth arguing against this?</DIV>It's not. <br><br>Blue]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18025076</guid>
<pubDate>Sun, 18 Mar 2007 22:35:50 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18024851</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : Hold on, just let me tell our trained IT guy that he's an idiot for requiring at least one non-alphanumeric character in all passwords.   <br><br>I'll get back to you with his response...<br><br>Slightly more seriously, it seems quite easy to understand. Allowing more characters gives a greater range of password possibilities, at close to zero cost. Why is it worth arguing against this?<br><br>If it's optional, some people will not take advantage of the ability. They are no worse off. Meanwhile, some people are better off. Why is it worth arguing against this?<br><br><SMALL>--<br>Microsoft Security MVP, 2005-2007.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18024851</guid>
<pubDate>Sun, 18 Mar 2007 21:59:13 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18024726</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : <div class="bquote"><SMALL>said by  Daniel <A HREF="/useremail/u/168087"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>How about when the username is bsmith, and the password is bsmith1? We're not talking about major, complex attacks here. And we're also not just talking about banks. Banks are just one type of site that has this issue.<br> </DIV>Sure, but then the problem is the user's ignorance/stupidity/laziness. Do you think that the user that fits this profile is going to bother to add a special character to his user name and/or password when he could not be bothered in the first place to use a more difficult user name and password?  Who would use their real name in their handle or their password? That doesn't make the slightest bit of sense and even when I was brand new to computers and had no idea this site (security forum) existed and I couldn't understand McAfee 4.2 that came on my computer (bloodhound, heuristics), I certainly knew to never use my real name anywhere on the internet especially not at a banking site when logging in or in Hotmail. The only thing I was taught really before I got a computer was to hide my real identity. <br><br>I think what you are really asking for is that computer dummies be forced to get educated about security.<br><SMALL>--<br>"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"<br><br>&raquo;<A HREF="http://www.msfirefox.com/" >www.msfirefox.com/</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18024726</guid>
<pubDate>Sun, 18 Mar 2007 21:34:23 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18024583</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : <div class="bquote"><SMALL>said by  Mele20 <A HREF="/useremail/u/403861"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>I still don't get why this is an important issue. Explain to me how these dictionary attacks are going to first figure out my USER NAME and then figure out my PASSWORD AND THEN SUCCESSFULLY COMBINE THE CORRECT USER NAME AND PASSWORD?</DIV>How about when the username is bsmith, and the password is bsmith1? We're not talking about major, complex attacks here. And we're also not just talking about banks. Banks are just one type of site that has this issue.<br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18024583</guid>
<pubDate>Sun, 18 Mar 2007 21:04:55 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18024575</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : <div class="bquote"><SMALL>said by  nwrickert <A HREF="/useremail/u/1070900"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>I have trouble getting excited that a bank won't allow special characters in a password, when that same bank uses only a 4-digit PIN to protect ATM transactions.<br> </DIV>It's not a 4-digit PIN. That's the <B>second</B> factor. The first factor is having your card in the first place. So you have to both have the card <B>and</B> have the PIN. That's not weak security, and even if it were it wouldn't be a reason to accept weak security in another area.<br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18024575</guid>
<pubDate>Sun, 18 Mar 2007 21:02:17 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18024398</link>
<description><![CDATA[<A HREF="/useremail/u/1070900"><b>nwrickert</b></A> : I have trouble getting excited that a bank won't allow special characters in a password, when that same bank uses only a 4-digit PIN to protect ATM transactions.<br><SMALL>--<br>AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18024398</guid>
<pubDate>Sun, 18 Mar 2007 20:28:04 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18024380</link>
<description><![CDATA[<A HREF="/useremail/u/1173110"><b>sheiny</b></A> : <div class="bquote"><SMALL>said by  Blackbird <A HREF="/useremail/u/1140294"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR> Well... if the "alarm goes off", what does the institution do then - especially if these attacks are a continual real-time phenomenon? If you establish too restrictive a logon policy (eg: 3 failed logons and the account gets blocked), you set everyone's accounts up for the mother of all DOS attacks. <br> </DIV>For SSL connections you have an IP address you can block. Not trying to minimise the DOS potential but even failing after a few thousand failed logon attempts would negate the effectiveness of brute force attacks. If an attacker can use offline techniques to attack online sites then a majority of passwords will likely fail (50-60 percent).<br>"Choosing Secure Passwords"<br>&raquo;<A HREF="http://www.schneier.com/blog/archives/2007/01/choosing_secure.html" >www.schneier.com/blog/archives/2&middot;&middot;&middot;ure.html</A>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18024380</guid>
<pubDate>Sun, 18 Mar 2007 20:24:14 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18024359</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : I still don't get why this is an important issue. Explain to me how these dictionary attacks are going to first figure out my USER NAME and then figure out my PASSWORD AND THEN SUCCESSFULLY COMBINE THE CORRECT USER NAME AND PASSWORD? Your argument reminds me of the recent thread here yelling the sky was falling in for Linksys router users because the default password is administrator and some folks never bother to change it although Linksys very clearly states that it needs to be changed immediately upon setting up the router. I changed mine but even if I had not, my user name is not easy to figure out by dictionary attack so I thought the whole thread was overblown.  There were complaints I think I recall about the length and what is allowed in the Linksys user name and password and I couldn't see what the problem was as no one could demonstrate that it would be easy "low hanging fruit" to use a dictionary attack on a Linksys router to determine first  the user name and second the password and then match them up. <br><br>So, do you have any evidence of how fast and easily this can be done? Plus, you have continued to side step the fact that banks will lock the account so fast that your head will swirl if you start putting in the wrong user name and/or password. Three simple typos and you, yourself, are locked out. I can't tell you how many times I have gotten locked out of my local bank account because the user name is required to be in all caps and the password must be in mixed case. I got that wrong so many times  especially since I can't see what I am typing for the password.  I can't call the bank and get reinstated immediately either. There is a three day waiting period unless that has been changed recently. This bank won many awards back in the late 90's early 2000's as being the most secure, best banking site on the internet.  
<br><br>Besides my home bank that I no longer access on the internet as I have no loans or credit cards or savings account with them so I can't do any banking other than looking at my checking account statement and I write only two checks a month so I have little need to look at it before it comes in the mail, I use only two banking sites both of which have excellent protection already. In fact, Chase drives me nuts as does CapitalOne with logging me out not just within 13 minutes which is done even if you are actively using the site at that moment but which logs you out if there is hesitation, stumbling about, all sorts of things get you logged out. There are many protections that we are not really aware of at banking sites. <br><br>Again, this is barking up the wrong tree. The banks and business sites where  purchases are made need first of all to ALWAYS use a secure login page. I don't see you complaining about that problem. What difference will it make if your password has special characters if you aren't really on the site's secure page when you login? <br><br>I suppose you already know the answer to the dslreports login? Our site must allow special characters? Wilders and Castlecops also do this? As I said, I have no idea as I have not changed my password at any of these since I joined 6 years ago here and 5 years ago for the other two sites. You have me curious as if this is so important then I'm sure all three sites allow the special characters and somewhere on these three sites there must be a warning that I have missed telling me to change my password to include special characters...right? Where is the warning for this site?<br><SMALL>--<br>"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"<br><br>&raquo;<A HREF="http://www.msfirefox.com/" >www.msfirefox.com/</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18024359</guid>
<pubDate>Sun, 18 Mar 2007 20:21:38 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18024352</link>
<description><![CDATA[<A HREF="/useremail/u/795407"><b>SnowyOne</b></A> : Here's my bank's PW policy (Bank of Hawaii)<br><br><I>"Note: Your Password must be between 6-32 characters in length. It must contain at least 1 alpha and 1 numeric and is case sensitive. Your Password and User ID cannot be the same."</I><br><br>It's a flexible policy that's soon to be backed up with a unique to the account picture & phrase authentication (verification?) scheme. What I think would be a good practice is if these PW protected areas set a minimum PW strength & ran them through an automated password strength checker, rejecting the PWs that don't meet the threshold.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18024352</guid>
<pubDate>Sun, 18 Mar 2007 20:20:28 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18024289</link>
<description><![CDATA[<A HREF="/useremail/u/1140294"><b>Blackbird</b></A> : <div class="bquote"><SMALL>said by  sheiny <A HREF="/useremail/u/1173110"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>Are we focusing on the wrong problem? Attempts to guess even simple alphanumeric passwords by brute force should trip off alarms at banking sites long before they have a chance to succeed... </DIV> Well... if the "alarm goes off", what does the institution do then - especially if these attacks are a continual real-time phenomenon? If you establish too restrictive a logon policy (eg: 3 failed logons and the account gets blocked), you set everyone's accounts up for the mother of all DOS attacks. There are various intermediate schemes I've seen... eg: 3 failed attempts and the account becomes blocked from further access attempts for 5 minutes, or after 3 failed attempts the site access reverts to asking a personal info question before accepting further attempts for some defined time period. Whether some of these concepts would have major effect on a sophisticated, patient brute force dictionary-attack scheme (other than to slow it down) seems debatable.<br><SMALL>--<br>If God wanted us to work with electrons, He'd make them big enough to see...</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18024289</guid>
<pubDate>Sun, 18 Mar 2007 20:07:33 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18023901</link>
<description><![CDATA[<A HREF="/useremail/u/1173110"><b>sheiny</b></A> : Are we focusing on the wrong problem? Attempts to guess even simple alphanumeric passwords by brute force should trip off alarms at banking sites long before they have a chance to succeed.<br>Added: 8 characters, alphanumeric, not case sensitive = 2,821,109,907,456 possibilities]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18023901</guid>
<pubDate>Sun, 18 Mar 2007 18:57:19 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18023858</link>
<description><![CDATA[<A HREF="/useremail/u/883156"><b>bluezanetti</b></A> : <div class="bquote"><SMALL>said by  Daniel <A HREF="/useremail/u/168087"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>These attacks are designed for low-hanging fruit. And anything you can do to take your password out of that category (while still keeping it usable) is an improvement. Good example.</DIV>Actually, that statement should be generalized for the benefit of anyone who implements extremes in multifaceted security measures... anything aside from a preselected and purposely directed attack is aiming at low hanging fruit.  That notion is often lost sight of here and elsewhere.<br><br>Blue]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18023858</guid>
<pubDate>Sun, 18 Mar 2007 18:49:22 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18023643</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : FWIW, anyone know if these sites also have length limitations?<br><br>They may not be overt; I just noticed that bugzilla (a defect-tracking system) allows any password length, but doesn't actually use more than 8 characters. I noticed this when I made a typo in the 9th...<br><br>(I'm not overly concerned by bugzilla. The only risk here is a reputation attack - you can file bugs that look like they come from me.)<br><SMALL>--<br>Microsoft Security MVP, 2005-2007.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18023643</guid>
<pubDate>Sun, 18 Mar 2007 18:04:13 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18023569</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : <div class="bquote"><SMALL>said by  Blackbird <A HREF="/useremail/u/1140294"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>What it proves to me is that dictionary-attack addressing engines simply do not attack with near the success if one simply incorporates one non-alphanumeric symbol.</DIV>Exactly. These attacks are designed for low-hanging fruit. And anything you can do to take your password out of that category (while still keeping it usable) is an improvement. Good example.<br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18023569</guid>
<pubDate>Sun, 18 Mar 2007 17:48:42 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18023558</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : <div class="bquote"><SMALL>said by  nwrickert <A HREF="/useremail/u/1070900"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>Do you really think users will change these habits just because their bank happens to allow special characters?<br> </DIV>No, it's not a matter of everyone who has accounts with them going back overnight and making their passwords more secure as soon as the change is made. That's unrealistic. It's about users having the <EM>option</EM> to use better passwords when they create a new account or change their password there. <br><br>Contrary to what's been put forth a few times in this thread, there are many users who are both 1) advanced enough to want stronger/more usable passwords, and 2) reluctant (for whatever reason) to move to an encrypted database paradigm. <br><br>Those users are legion, and they <EM>will</EM> benefit from this change over time. Again, that's why the majority of sites on the Internet have already upgraded.<br><br>Also, there's another angle here that hasn't been explored. Why shouldn't they add the option? What's the downside? In other words, if this can help just one person (and it will obviously help thousands), wouldn't it be worth the tradeoff? I think so, given the ease with which this can be done programmatically. Really, it's just a matter of laziness on the part of these various organizations. And that's the point of this -- getting them to overcome said laziness.<br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18023558</guid>
<pubDate>Sun, 18 Mar 2007 17:46:32 EDT</pubDate>
</item>

<item>
<title>Re: Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18023546</link>
<description><![CDATA[<A HREF="/useremail/u/1140294"><b>Blackbird</b></A> : FWIW, about 7 years ago, I set up two Hotmail accounts within a two-week period as shown below:<br>xyzabc_de@hotmail.com<br>xyzabcde@hotmail.com<br>The actual letters were different than shown, of course, and were ordered approximately as noted. In the 7 subsequent years, the account with the underscore has never received a single spam message. The account without the underscore (_) received spam within 2 days of creation, and has continued to average about 3 spams a day. Both accounts have been used only for "private" eMail messages to personal friends.<br><br>What it proves to me is that dictionary-attack addressing engines simply do not attack with near the success if one simply incorporates one non-alphanumeric symbol. And I have no reason to believe it would be any different for using such an engine to attack a password. For a financial institution to not incorporate <B>and require</B> at least a few such symbols in passwords smacks of irresponsibility.<br><br><I>edit: clarification 1st para</I><br><SMALL>--<br>If God wanted us to work with electrons, He'd make them big enough to see...</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18023546</guid>
<pubDate>Sun, 18 Mar 2007 17:44:05 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18022414</link>
<description><![CDATA[<A HREF="/useremail/u/1070900"><b>nwrickert</b></A> : <div class="bquote">You don't seem to understand how the majority of users employ passwords on the Internet. They are using dozens of sites, all over the place -- with short passwords that tend to be very weak.</DIV>Do you really think users will change these habits just because their bank happens to allow special characters?<br><SMALL>--<br>AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18022414</guid>
<pubDate>Sun, 18 Mar 2007 13:57:09 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18021862</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : <div class="bquote"><SMALL>said by  CylonRed <A HREF="/useremail/u/170109"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>I must have walked away from the PC while in the thread and not refreshed when I got back and missed the second post on his clarification....  Would have behooved him to also change the subject of the thread as well.<br> </DIV>A good point. I tried to use the original title but there's a length restriction on this site. :( I changed the title on the thread, though.<br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18021862</guid>
<pubDate>Sun, 18 Mar 2007 11:59:55 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18021852</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : <div class="bquote"><SMALL>said by  Mele20 <A HREF="/useremail/u/403861"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>Gee, how was I, or anyone reading this thread, supposed to know that you want stronger passwords for dummies and those of us here don't need that but we are supposed to respond in your thread as though we are dummies and we need them? Do I have that right?</DIV>No, you don't have it right. Most everyone else does, but for some reason you have an attitude about this issue. You don't seem to understand how the majority of users employ passwords on the Internet. They are using <B>dozens</B> of sites, all over the place -- with short passwords that tend to be very weak. They use them for e-bay, social sites, forums, and yes -- banks. My point is simply that for those who would like to add some complexity to their passwords while maintaining a manageable length, the addition of another character set is a good way to do this. <br><br>Note that this is precisely the reason MOST sites have done exactly this. I'm not promoting some outlandish idea that nobody's heard of; the majority of web presences have already changed their systems to allow special characters. The whole point of this thread is to identify some of those that <EM>haven't</EM> -- especially the ones that are important in terms of finances or identity.<br><br>Look, I'm sorry if I somehow offended, but I'm not going to argue with you about this when it's clear that everyone else sees the problem but you.<br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18021852</guid>
<pubDate>Sun, 18 Mar 2007 11:57:52 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18021528</link>
<description><![CDATA[<A HREF="/useremail/u/170109"><b>CylonRed</b></A> : I must have walked away from the PC while in the thread and not refreshed when I got back and missed the second post on his clarification....  Would have behooved him to also change the subject of the thread as well.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18021528</guid>
<pubDate>Sun, 18 Mar 2007 10:40:25 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18020814</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : Gee, how was I, or anyone reading this thread, supposed to know that you want stronger passwords for dummies and those of us here don't need that but we are supposed to respond in your thread as though we are dummies and we need them? Do I have that right?<br><br>Quite frankly, who cares if your password gets swiped at a silly site like Digg? That is such a dumb site. I find it boring and I don't have a password there but if I did I wouldn't really care if someone swiped it. Digg was your first example of a site that desperately needs complex passwords. Now, if someone swiped my password here, or at Wilders, that would irritate me but again it wouldn't be any big disaster. I don't use a fancy password here or at Wilders. Plus, I have had the same one forever at both sites. Same for Castlecops.  Does this site and the other two I mentioned allow for special characters in the password? I dunno. It has never occurred to me to find out as I don't think it matters. I even have an email account here. Guess what the password is: same as for my login.  I still have the same password though that I have had for ages here. <br><br>I don't see the extreme concern about passwords for anywhere except banking and other sites where financial matters are handled. I am much more concerned with banks, and sites where purchases are made, not making it crystal clear that one is behind "https" when one logs in or enters any sensitive personal information and to me a bank that is too stingy to provide https login on the main page or transfer the person to the secure login page (without the person having to resort to tricks such as deliberately putting in the wrong password) is much more of a problem than whether or not the password can have special characters. In fact, I think the more important issue is that all banks should be required to do what Bank of Hawaii does: put their entire site behind encryption.
<br><br>The only sites where a password matters a lot are banking and ones where you do other business transactions. <br><SMALL>--<br>"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"<br><br>&raquo;<A HREF="http://www.msfirefox.com/" >www.msfirefox.com/</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18020814</guid>
<pubDate>Sun, 18 Mar 2007 04:08:24 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18020783</link>
<description><![CDATA[<A HREF="/useremail/u/874811"><b>sivran</b></A> : I didn't see Verizon mentioned. I can't verify verizon.com, but I know verizon.net allows only alphanumeric.<br>"Important" sites that only take alphanumeric seriously annoy me now. I like to use <A HREF="http://www.giac.org/certified_professionals/practicals/gsec/4394.php">SFSP</A> style passwords whenever possible, and especially on any site where sensitive information might be stored. If I use such a password I rarely need to bother storing it in password safe.<br><br>A quick look through my password safe ought to turn up some others..<br><br>bestbuy.com (hey, my aunt gave me a $75 gift card... I wouldn't normally shop there!)<br><br>cafepress.com (this site has other security issues, as well..)<br>equifax.com<br>progressive.com<br>taxcut.com (alphanumeric, plus underscore)<br><br>When even small shops and relative no-names like Megagear (online comic Megatokyo's store) and Surplus Computers can allow punctuation at the very least, it's rather silly that places like Best Buy and Equifax(!) don't or can't!<br><SMALL>--<br>Think outside the fox...<A HREF="http://www.mozilla.org/projects/seamonkey/">Seamonkey</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18020783</guid>
<pubDate>Sun, 18 Mar 2007 03:46:22 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18019584</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : <div class="bquote"><SMALL>said by  Mele20 <A HREF="/useremail/u/403861"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>I have approximately 200 passwords at the moment. I don't have a photographic memory. Please explain how you think I should be able to memorize all those or why I should?</DIV>Please explain why you think you, or any other knowledgeable regular on this site, represent an average Internet user. Once you've failed to do so you'll see my point.<br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18019584</guid>
<pubDate>Sat, 17 Mar 2007 21:27:01 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18019527</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : I have approximately 200 passwords at the moment. I don't have a photographic memory. Please explain how you think I should be able to memorize all those or why I should? I see absolutely no need to memorize them. I access them in the file I keep them in when I need them. If you have people spying in your personal papers, well, I think you should address that situation. Perhaps a special lock on your file cabinet? Microsoft's personal folder, etc?<br><SMALL>--<br>"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"<br><br>&raquo;<A HREF="http://www.msfirefox.com/" >www.msfirefox.com/</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18019527</guid>
<pubDate>Sat, 17 Mar 2007 21:12:13 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18019506</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : <div class="bquote"><SMALL>said by  Mele20 <A HREF="/useremail/u/403861"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>No, his basic assumption is wrong. He assumes everyone memorizes their passwords and thus needs shorter ones but with special characters so they can memorize them. Most folks don't memorize passwords and banks know this. Plus, adding special characters makes the password harder to memorize if some folks do that...young folks that is of course. What he should be asking is for the banks to institute better security.<br> </DIV>I think you're wrong on both accounts, actually. 1) Most people DO remember their passwords, and 2) I AM asking for banks to institute better security. That's the whole point of the thread.<br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18019506</guid>
<pubDate>Sat, 17 Mar 2007 21:07:52 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18019494</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : <div class="bquote"><SMALL>said by  CylonRed <A HREF="/useremail/u/170109"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br><div class="bquote"><SMALL>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br><div class="bquote"><SMALL>said by  CylonRed <A HREF="/useremail/u/170109"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed.<br> </DIV>Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength.<br> </DIV>No his point (according to the subject to the thread) is that they DON'T allow a complex password and that is indeed - 100% wrong.<br> </DIV>My mistake, but I thought it was pretty clear that I meant they didn't allow special characters. I mean, what else COULD I have meant? Have you ever seen a site come back and say, "sorry, you can use all those characters, but just not in that order." ???<br><br>Seriously, let's talk about the issue instead of picking nits over semantics.<br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18019494</guid>
<pubDate>Sat, 17 Mar 2007 21:04:33 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18019230</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : <div class="bquote"><SMALL>said by  CylonRed <A HREF="/useremail/u/170109"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br><div class="bquote"><SMALL>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br>Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength.<br> </DIV>No his point (according to the subject to the thread) is that they DON'T allow a complex password and that is indeed - 100% wrong.<br> </DIV><div class="bquote"><SMALL>said by  Daniel <A HREF="/useremail/u/168087"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>It's a problem because humans are better at remembering shorter passwords, and the use of more character sets allows one to add security while keeping length down.</DIV>So, if you're going to argue that the later clarification isn't part of his point, fine.<br><br>Or if you're going to argue about what should be inferred from the word "complex", fine.<br><br>Just do it without me, please.<br><SMALL>--<br>Microsoft Security MVP, 2005-2007.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18019230</guid>
<pubDate>Sat, 17 Mar 2007 19:59:18 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18019218</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : <div class="bquote"><SMALL>said by  CylonRed <A HREF="/useremail/u/170109"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br><div class="bquote"><SMALL>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br><div class="bquote"><SMALL>said by  CylonRed <A HREF="/useremail/u/170109"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed.<br> </DIV>Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength.<br> </DIV>No his point (according to the subject to the thread) is that they DON'T allow a complex password and that is indeed - 100% wrong.<br> </DIV>No, his basic assumption is wrong. He assumes everyone memorizes their passwords and thus needs shorter ones but with special characters so they can memorize them. Most folks don't memorize passwords and banks know this. Plus, adding special characters makes the password harder to memorize if some folks do that...young folks that is of course. What he should be asking is for the banks to institute better security.<br><SMALL>--<br>"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"<br><br>&raquo;<A HREF="http://www.msfirefox.com/" >www.msfirefox.com/</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18019218</guid>
<pubDate>Sat, 17 Mar 2007 19:55:17 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18019115</link>
<description><![CDATA[<A HREF="/useremail/u/170109"><b>CylonRed</b></A> : <div class="bquote"><SMALL>said by  dave <A HREF="/useremail/u/156437"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br><div class="bquote"><SMALL>said by  CylonRed <A HREF="/useremail/u/170109"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed.<br> </DIV>Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength.<br> </DIV>No his point (according to the subject to the thread) is that they DON'T allow a complex password and that is indeed - 100% wrong.<br><SMALL>--<br>Brian<BR><br>"Some people are like Slinkies...<br>Not really good for anything......<br>But they still bring a smile to your face when you push them down a flight of stairs."</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18019115</guid>
<pubDate>Sat, 17 Mar 2007 19:32:56 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18019065</link>
<description><![CDATA[<A HREF="/useremail/u/770196"><b>major marco</b></A> : <div class="bquote"><SMALL>said by  haze_nme <A HREF="/useremail/u/931741"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>You can add Wells Fargo to the list of offenders.<br> </DIV>Which is why if you're THAT concerned, you should really be changing your password every month.  But hey, let's not quibble with passwords.  <br><br>In <B>reality</B>, majority of ID theft/hacking/site insecurity takes place completely beyond the end user's control.  Your eight digit, alphanumeric, special character password won't do squat to protect you from <A HREF="http://www.privacyrights.org/ar/ChronDataBreaches.htm">data breaches caused by non-existent/rarely enforced security policies.</A> <br><SMALL>--<br><B><A HREF="http://icasualties.org/oif/BY_DOD.aspx">The Toll</A></B><br><br></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18019065</guid>
<pubDate>Sat, 17 Mar 2007 19:23:10 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18018999</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : Why are you trying to remember passwords? I use no password manager, I never allow Fx to remember passwords. I write them all down (different one for each site) in two paper files...one for normal sites and one for banking sites. I generally meet my friends away from my home because of no parking for guests here and they don't want to park on the street because this is a heavily traveled beach street with lots of drunks/speeders/pakalolo high drivers hitting poles and cars. My point being that I don't have to hide the password folders since I am usually the only one in this condo.  <br><br>I would never be able to remember any password that had characters other than numbers and letters and those would need to be too simple for safety for me to be able to remember them...memory deteriorates with age so it is not realistic to tell older folks that they need to use special characters in passwords, memorize them all and change them every three months and then memorize them again. I rely on my bank to shut out anyone, including myself, after three tries. My home bank has a very elaborate procedure for how one gets one's account accessible again after being locked out. My other home bank is even more of a hassle...you have to apply in writing via snail mail for a new password which is mailed after two to three weeks. You have no access to your account online during that waiting period. Why are these methods, that are in place at most banks, so poor security wise?  I suppose if you choose JohnDoe1 as your password that might be easily guessed in three tries but most folks know to use something like 5s69bbl0gz6u3 as a password and I don't believe that is likely to be guessed in three tries before the bank locks the account.<br><br>As for AARP in this day and age requiring a SS number is criminal. 
Of course, all banks and credit card issuers still require the number instead of asking for the driver license number or something else..birth certificate, etc. <br><SMALL>--<br>"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"<br><br>&raquo;<A HREF="http://www.msfirefox.com/" >www.msfirefox.com/</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18018999</guid>
<pubDate>Sat, 17 Mar 2007 19:08:45 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18018754</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : <div class="bquote"><SMALL>said by  nwrickert <A HREF="/useremail/u/1070900"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br><div class="bquote">Your argument is invalid simply because over 95% of users <B>still do manage their own passwords</B>.<br> </DIV>If they actually are trying to remember 55 passwords, then they are probably using very weak passwords and re-using the same password for many sites.  And if they are doing that, they have a more serious problem than the one you suggested in your OP.</DIV>Well, that is the reality we're facing. The question is, how do we mitigate some of this risk? It's a lot harder to get users to change their habits than it is to get a single site that handles millions of accounts to change theirs. <br><br>I agree it's not a real solution, but nothing in security ever is. It's about reducing risk, and if we can add ANY significant amount of complexity to the incredibly weak passwords that most people use, we'll have accomplished something. Hence my OP.<br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18018754</guid>
<pubDate>Sat, 17 Mar 2007 18:24:44 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18018712</link>
<description><![CDATA[<A HREF="/useremail/u/1070900"><b>nwrickert</b></A> : <div class="bquote">Your argument is invalid simply because over 95% of users <B>still do manage their own passwords</B>.<br> </DIV>I manage my own passwords.  Storing them in a file, and encrypting that file is part of how I manage them.<br><br>I just checked.  I have 55 entries in that file, and I shun most web sites that require passwords.  Nobody can remember that many.<br><br>If they actually are trying to remember 55 passwords, then they are probably using very weak passwords and re-using the same password for many sites.  And if they are doing that, they have a more serious problem than the one you suggested in your OP.<br><SMALL>--<br>AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18018712</guid>
<pubDate>Sat, 17 Mar 2007 18:17:54 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18018663</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : <div class="bquote"><SMALL>said by  nwrickert <A HREF="/useremail/u/1070900"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br><div class="bquote">It's a problem because humans are better at remembering shorter passwords, ...</DIV>The idea of remembering passwords went out the window once web sites started wanting passwords.  It is unmanageable.</DIV>Your argument is invalid simply because over 95% of users <B>still do manage their own passwords</B>. That's a guess, but it's actually probably closer to 99%. We have to solve the problems we have, not the problems we <EM>should</EM> have or <EM>wish</EM> we had.<br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18018663</guid>
<pubDate>Sat, 17 Mar 2007 18:08:14 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18018620</link>
<description><![CDATA[<A HREF="/useremail/u/972855"><b>ElJay</b></A> : I use strong passwords when I need to. But to be honest I'm not too concerned about my online banking login info being brute forced... It just doesn't make any sense. For one thing they need to know my user ID, and secondly a six character password with letters and numbers is going to take a gargantuan number of requests to crack. Most banks only allow a few login attempts before access is locked out, anyway. <br><br>It also seems like most people with online banking are probably going to catch fraudulent activity before those that  wait for a monthly statement. I am balancing my checkbook at least weekly thanks to online banking and I'm going to notice any errors very quickly. ]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18018620</guid>
<pubDate>Sat, 17 Mar 2007 18:00:55 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18018596</link>
<description><![CDATA[<A HREF="/useremail/u/234723"><b>kringles</b></A> : A little OT but I would like the banks to use (or make optional) an RSA type key device similar to the PayPal/eBay one currently available. Of course if they don't allow complex passwords why would they offer a device like this?]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18018596</guid>
<pubDate>Sat, 17 Mar 2007 17:57:27 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18018376</link>
<description><![CDATA[<A HREF="/useremail/u/170670"><b>JTM1051</b></A> : <div class="bquote"><SMALL>said by  Daniel <A HREF="/useremail/u/168087"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><BR><BR>...What others do you know of?</DIV>Unless they've changed recently SBC/AT&T Yahoo! DSL]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18018376</guid>
<pubDate>Sat, 17 Mar 2007 17:10:47 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18018305</link>
<description><![CDATA[<A HREF="/useremail/u/1228743"><b>Catmoves</b></A> : I've had some success by writing to webmasters and suggesting that they might change the coding and allow the special characters to be used. I've also gotten form letters back from other sites saying their program doesn't allow for this. Some answer :p. My answer is simple. If I really want to log in to the site, I make them send me my password. Then I change it. Every time. <br><SMALL>--<br>Catmoves</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18018305</guid>
<pubDate>Sat, 17 Mar 2007 16:55:01 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18017753</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : <div class="bquote"><SMALL>said by  CylonRed <A HREF="/useremail/u/170109"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed.<br> </DIV>Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength.<br><SMALL>--<br>Microsoft Security MVP, 2005-2007.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18017753</guid>
<pubDate>Sat, 17 Mar 2007 15:02:58 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18017716</link>
<description><![CDATA[<A HREF="/useremail/u/170109"><b>CylonRed</b></A> : You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18017716</guid>
<pubDate>Sat, 17 Mar 2007 14:56:41 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18017569</link>
<description><![CDATA[<A HREF="/useremail/u/931741"><b>haze_nme</b></A> : You can add Wells Fargo to the list of offenders.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18017569</guid>
<pubDate>Sat, 17 Mar 2007 14:21:56 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18017410</link>
<description><![CDATA[<A HREF="/useremail/u/1070900"><b>nwrickert</b></A> : <div class="bquote">It's a problem because humans are better at remembering shorter passwords, ...</DIV>The idea of remembering passwords went out the window once web sites started wanting passwords.  It is unmanageable.<br><br>I keep only a very few remembered passwords.  One of those is the passphrase I need to access my encrypted password database.  And once one starts storing passwords in a database, there is no longer a need to keep them short.<br><SMALL>--<br>AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18017410</guid>
<pubDate>Sat, 17 Mar 2007 13:39:44 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18017321</link>
<description><![CDATA[<A HREF="/useremail/u/940717"><b>neonhomer</b></A> : Space Coast Credit Union (in East Central Florida) doesn't allow complex passwords.<br><br>Neither does Earthlink.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18017321</guid>
<pubDate>Sat, 17 Mar 2007 13:21:09 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18017119</link>
<description><![CDATA[<A HREF="/useremail/u/1439159"><b>Cairninator</b></A> : What is really scary is someone who would use their SS# as a login. It's really stunning how the average American can justify their stupidity.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18017119</guid>
<pubDate>Sat, 17 Mar 2007 12:35:58 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18017118</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : <div class="bquote"><SMALL>said by  nwrickert <A HREF="/useremail/u/1070900"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>I'm not sure why you see this as a problem.</DIV>It's a problem because humans are better at remembering shorter passwords, and the use of more character sets allows one to add security while keeping length down.<br><br>So, ArdV4rk! is arguably a much better password than woof20slf02ld9dlw0 because the former is both sufficiently complex to thwart most guessing attacks but still short enough to remember easily.<br><br>For high security sites you probably shouldn't use memorable passwords at all, but it's not practical for most people to try and use a password manager for every single site they visit; and that's the focus of this point. <br><br><B>Far too many sites limit the usability vs. security tradeoff by not allowing special character sets in their passwords. It forces users to either 1) use easily guessable passwords, or 2) use longer ones that are forgotten more easily.</B><br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18017118</guid>
<pubDate>Sat, 17 Mar 2007 12:34:39 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18017058</link>
<description><![CDATA[<A HREF="/useremail/u/638243"><b>nightdesigns</b></A> : Not totally related to your question, but is related, how about companies that give you a username and you can't change it.<br><br>For example, my bank, a credit union, my username is my account number.<br><br>And the worst offender, AARP IRA/Mutual Funds, username is your SS#.  That's scary.<br><SMALL>--<br>[[Your signature here]]</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18017058</guid>
<pubDate>Sat, 17 Mar 2007 12:20:43 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18017001</link>
<description><![CDATA[<A HREF="/useremail/u/823397"><b>Just Basics</b></A> : Unless they have changed during the last year here are two more to add:<br><br>BB&T<br>NASA Credit Union<br><br>If they have changed let me know.<br><br>I might add that I am totally impressed with PayPal and eBay for implementing the VeriSign ID Protection - more financial institutions should take this service into consideration.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18017001</guid>
<pubDate>Sat, 17 Mar 2007 12:04:55 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18016981</link>
<description><![CDATA[<A HREF="/useremail/u/927536"><b>stonecolddsl</b></A> : Amex.com aka AmericanExpress.com<br><br>6 to 8 characters, letters and numbers only, not case sensitive.<br><br>That scares me since I have a 50k plat business credit not charge card with them. ( OPEN FOR BUSINESS credit card )<br><br>Not to be confused with my Gold Amex Charge card.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18016981</guid>
<pubDate>Sat, 17 Mar 2007 12:00:40 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18016856</link>
<description><![CDATA[<A HREF="/useremail/u/156437"><b>dave</b></A> : <div class="bquote"><SMALL>said by  BlitzenZeus <A HREF="/useremail/u/128384"><IMG SRC="http://i.dslr.net/bb/profile.gif" ALT="See Profile" BORDER=0 WIDTH=16 HEIGHT=11></A> :</SMALL><br><br>If you're just setting up complex passwords in some password program, it's not helping you at all.  Using some master password as part of a password storage then you're only fooling yourself when it comes to security.<br> </DIV> Assume an attacker has no access to your PC; he's merely attacking the web site (and it's not tricky to guess, for example, that there might be a user called 'dave').  There is no 'master password' involved. It's simply a matter of how hard it is to brute-force the password space.<br><br>If the password space is restricted to [A-Za-z0-9] then there are far fewer possible passwords than if passwords could use any characters.  Thus, the password is easier to guess. Simple arithmetic.<br><br>This is just sloppy programming, about as sloppy as the idiots who insist you type credit card numbers without spaces, despite the fact that the numbers on the cards are  grouped in fours for a very good reason.<br><br>I suppose the point of your comment may be that people who use 'complex passwords' must be keeping them in software-managed keyrings. That doesn't seem to follow at all. A few non-alphameric characters dropped into a password doesn't suddenly make it impossible to remember; even a scheme as silly as replacing an 's' with '$' adds a small amount of strength, without making the password harder to remember.<br><br><SMALL>--<br>Microsoft Security MVP, 2005-2007.</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18016856</guid>
<pubDate>Sat, 17 Mar 2007 11:30:07 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18016696</link>
<description><![CDATA[<A HREF="/useremail/u/906825"><b>DownTheShore</b></A> : To get back to Daniel's question:<br><br>Sovereign Bank]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18016696</guid>
<pubDate>Sat, 17 Mar 2007 10:56:04 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18016617</link>
<description><![CDATA[<A HREF="/useremail/u/1070900"><b>nwrickert</b></A> : I'm not sure why you see this as a problem.<br><br>These days if I want a new web site password, I generate a random bit string of suitable length and then encode that in base64.  Finally, I delete the '+' and '/' chars from the result for sites that won't allow those.  Oh, yes, I do record the password in an encrypted file.<br><br>There is a problem with special characters - some of them are differently encoded depending on the national character set you are using.  There is a point to avoiding all characters where there is some potential ambiguity as to how they will be encoded.<br><SMALL>--<br>AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18016617</guid>
<pubDate>Sat, 17 Mar 2007 10:35:23 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18016094</link>
<description><![CDATA[<A HREF="/useremail/u/403861"><b>Mele20</b></A> : Chase has that new double security that is so irritating. I now have to call them every month and get them to issue a special code to use because I flush their cookies after each visit. Chase wants me to keep the special identifier cookie they now have and since I don't, their site declares my machine as having never accessed my accounts there before...hence the phone call I must make now every month. I then have to wait for the email after speaking to a representative and having him authorize a special code. Then after I get the email, I have to go to their site from the email link and put in the special authorization code and then finally get into my accounts. It is so irritating that I see little reason to use internet banking now. I would probably save more time mailing the check at the Post Office. My one concern there is that I had the USPS lose a check once for three weeks and Chase would not rescind the penalty when the check didn't reach them in time and I didn't know because I wasn't doing internet banking back then. That is why I started doing internet banking. But I find it less and less appealing. I probably will just start doing automatic electronic deduction with Chase.  I never use my local banks' websites as I can go in those banks. I guess I should have never gotten credit cards with banks outside my home town. <br><br>Why do you think Chase needs complex passwords when it has this new double security thing?  Besides, if anyone tries to hack your password after three failed attempts Chase locks the account and even you cannot get into your own account. I had that happen not long ago. I had to call Chase and answer a bunch of questions and then they told me that someone had tried to hack the account and they were surprised that hadn't happened to me before as it was quite common but the would-be hackers only get three attempts so I really don't see why you are so worried. 
<br><SMALL>--<br>"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"<br><br>&raquo;<A HREF="http://www.msfirefox.com/" >www.msfirefox.com/</A></SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18016094</guid>
<pubDate>Sat, 17 Mar 2007 06:34:26 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18016064</link>
<description><![CDATA[<A HREF="/useremail/u/1247859"><b>greenhatch</b></A> : My ISP here in Britain doesn't permit special characters in passwords :o: They are being pressured to change though  :D]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18016064</guid>
<pubDate>Sat, 17 Mar 2007 06:04:20 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18016052</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : I think you're missing the point here. These sites DON'T ALLOW special characters in their passwords. If you try and use punctuation or a "$" or anything like that, they'll balk.<br><br>They only allow letters and numbers. It's just bad form.<br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18016052</guid>
<pubDate>Sat, 17 Mar 2007 05:47:14 EDT</pubDate>
</item>

<item>
<title>Re: Big Sites That Don&#x27;t Allow Complex Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18015970</link>
<description><![CDATA[<A HREF="/useremail/u/128384"><b>BlitzenZeus</b></A> : If you're just setting up complex passwords in some password program, it's not helping you at all.  Using some master password as part of a password storage then you're only fooling yourself when it comes to security.]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18015970</guid>
<pubDate>Sat, 17 Mar 2007 04:04:48 EDT</pubDate>
</item>

<item>
<title>Sites That Don&#x27;t Allow Special Characters In Passwords !?!</title>
<link>http://www.dslreports.com/forum/remark,18015669</link>
<description><![CDATA[<A HREF="/useremail/u/168087"><b>Daniel</b></A> : Many sites don't allow special characters in their passwords; they only let you use numbers and letters.<br><br>It's not just <A HREF="http://digg.com">Digg</A>, but for them it's especially unacceptable. I mean, come on....Digg? The epitome of the "new" Internet. Young, hip, and...only taking numbers and letters in their passwords? Lame.<br><br><IMG SRC="http://dmiessler.com/images/digg_password.png"><br><br>There's just no excuse for this in 2007. Eight years ago, sure...but not now. Let's do this. Let's make a list of sites that we know of that still haven't moved out of 1999. Then we'll email their admins and <STRIKE>demand</STRIKE> ask that they get with the 21st century.<br><br>Here, I'll start:<br><OL><LI>Digg.com</LI><LI>Suntrust Bank</LI><LI>Chase Bank</LI></OL><br>&raquo;<A HREF="http://dmiessler.com/archives/1208" >dmiessler.com/archives/1208</A><br><br>What others do you know of?<br><br><SMALL>--<br><A HREF="http://dmiessler.com">dmiessler.com</A> -- grep understanding knowledge</SMALL>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,18015669</guid>
<pubDate>Sat, 17 Mar 2007 01:32:37 EDT</pubDate>
</item>

</channel>
</rss>
