Fight back against bad password policy

It is difficult enough getting people to use strong passwords. When people start actively discouraging strong password use, we're really in trouble -- but there may be ways to fight back.

It is difficult enough getting people to use strong passwords. When people start actively discouraging strong password use, we're really in trouble -- but there may be ways to fight back.

The simplest and most common piece of advice for good password security is probably the advice to use strong passwords. In theory, a strong password should draw from as many keys on the keyboard as possible, in terms of at least three different factors:

  1. Your password's character length, thus requiring more keypresses
  2. How many different types of characters (lower case, upper case, numbers, number key special characters, whitespace characters, and so on) are in your password, thus requiring keypresses in more parts of the keyboard
  3. How many different characters are in it, selected as much at random as possible rather than by following predictable repeating patterns

With a strong enough password, a malicious security cracker should not be able to crack your password before the projected heat death of the universe at current technology levels. Of course, technology does always advance, so you should be willing to upgrade your password policy as necessary in the future.

Unfortunately, the very people who are supposed to provide us with a way to use strong passwords are often amongst the worst enemies of our password security. When some organizations impose unbelievably limited password policy, there is little we can do to overcome the obstacles in the path of good security. A recent example of this sort of behavior is, in fact, perfectly illustrated by an American Express customer service email. The absurdity of examples like these is mind-boggling, and all we can do is marvel at the fact that no, The Onion did not in fact make this up. It is horrifyingly real.

One theory, as voiced by fellow TechRepublic contributor Sterling Camden in the past, is that this sort of problem crops up as a result of people being so afraid of SQL injection attacks, without even knowing how those attacks actually work, that they create even worse vulnerabilities by way of the gymnastics and contortions they go through to avoid anything that looks scary in a password. Of course, if passwords are only stored in the database as cryptographic hashes of the actual plain-text password, special characters would not even be a problem for SQL injection attacks -- because cryptographic hashes are generally represented as hexadecimal strings, which contain nothing but letters and numerals.

In general, a good password authentication system should perform authentication by comparing cryptographic hashes anyway. One wonders whether passwords are being stored in databases as plain text, which some would consider a hanging offense for security purposes, when special characters in passwords are strictly disallowed.

That we should use strong passwords can apparently not be said enough, because no matter how many times we say it, someone evidently still has not heard it. It is obvious that even those of us who understand the importance of strong passwords are at the mercy of those who do not, however, when we run afoul of someone writing software that specifically disallows strong passwords. is an effort to apply the power of popular disapproval to get businesses with poor password policy to change for the better. lists Websites that enforce weak password policy, and visitors are encouraged to both add more sites and upvote those sites whose password policies they would like to see fixed. In a sense, it is a clearinghouse for petitions to get Web site administrators to change password policy. In the words of the site's maintainer, Jeremy Jay:

Once a month, I will email these sites and let them know how many people want these password policies fixed, along with links to articles and more information showing how insecure their current practices are.

Protestations that special characters cannot be used in passwords are ignorant or dishonest, and in either case do not inspire much confidence in the ability of the organization maintaining the site to do anything else securely either. Again, in the words of Jeremy Jay:

Google, MSN, Facebook, Twitter - They all already allow you to use anything you want for your password. There is no reason to restrict what characters you can use in a password. If a site claims that it is impossible to allow any character in a password, then their software is probably insecure.

His effort is noble, and worthy of our support. Help spread the word about Organizations like American Express and ING Direct need to know that there are people who are aware of their bad policies and disapprove of them.

If that doesn't work, maybe you could just switch to a competitor who understands security.