product management security

Terrible password policies

I just ran into a remarkably bad password entry implementation.

1) The password I entered didn’t conform to the policy.

2) There’s a separate *link* to go to get the password policy, which is the usual ridiculous coconut headsets pseudo-safe “upper case, lower case, a symbol and a number.”
(HINT: this is NOT safe, it’s just stupid false security. Password hackers are way past the common variants of simple passwords obscured by these changes. This is BAD POLICY).

3) And… the password doesn’t work despite compliance with the policy, so the password checker is broken. I have no idea what would work, and that’s really not my problem. So bad policy, badly implemented.

If you can’t even get basic password checking right, I don’t trust that you’ve gotten the security of the site right. So I’m stopping right there, and not registering on the site. This is a complete failure of the primary objective of the site.

What password selection requires is proof that the password is resistant to a dictionary attack, and high entropy. If you don’t know what that means, educate yourself before attempting to implement a password system! Here’s a good example. And here are the guidelines from NIST with an excellent rationale.
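As an added illustration (this is not code from the original post), here are the two policies side by side in Python: the "upper, lower, digit, symbol" composition rule criticised above, and a checker in the spirit of the NIST guidelines, which relies on length, a blocklist of common passwords compared after undoing the obvious substitutions, and a check for account or site names. The blocklist, the leet-substitution map and the sample passwords are constructed for this demonstration; a real deployment would consult a large breached-password corpus instead of the dozen words shown here.

```python
"""Composition-rule password policy vs. a NIST-style length-and-blocklist check.

The blocklist, substitution map and sample passwords below are constructed for
this example. A production check would use a large breach corpus.
"""
import math
import re

MIN_LENGTH = 8   # NIST-style: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64  # and accept at least 64, so passphrases are not truncated

# Constructed stand-in for a common/breached-password corpus.
COMMON_PASSWORDS = {
    "password", "p@ssw0rd", "welcome", "qwerty", "letmein", "admin",
    "iloveyou", "monkey", "dragon", "football", "trustno1", "summer",
}

# Substitutions that cracking wordlists already enumerate; they are reversed
# before the blocklist lookup so "P@ssw0rd1" is recognised as "password".
LEET = str.maketrans("@$01435!7", "asolaesit")


def composition_policy_ok(pw):
    """The policy the post complains about: one of each character class.
    It accepts 'P@ssw0rd1' and rejects a long lowercase passphrase."""
    return (len(pw) >= MIN_LENGTH
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def dictionary_forms(pw):
    """Variants a dictionary attack would try for this password: lowercased,
    leading/trailing digits and symbols stripped, substitutions reversed."""
    lowered = pw.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)   # 'summer2023!' -> 'summer'
    stripped = re.sub(r"^[^a-z]+", "", stripped)
    return {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}


def is_repetitive_or_sequential(pw):
    """'aaaaaaaa', '12345678', 'abcdefgh' and their reverses."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps <= {1} or steps <= {-1}


def nominal_entropy_bits(pw):
    """Upper bound assuming every character was chosen uniformly from the
    classes present. It says nothing about dictionary-derived passwords,
    which is exactly why the blocklist check runs first."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def nist_style_check(pw, context_words=()):
    """Length bounds, no composition rules, blocklist and context-word checks.
    Returns (accepted, reason)."""
    if len(pw) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    if len(pw) > MAX_LENGTH:
        return False, "longer than %d characters" % MAX_LENGTH
    if is_repetitive_or_sequential(pw):
        return False, "repetitive or sequential"
    forms = dictionary_forms(pw)
    if forms & COMMON_PASSWORDS:
        return False, "matches a common password"
    if any(w.lower() in f for w in context_words for f in forms):
        return False, "contains account or site name"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: the first two satisfy the composition rule and are
    # still trivially crackable; the passphrase fails the rule and is far stronger.
    samples = ["P@ssw0rd1", "Summer2023!", "correct horse battery staple", "12345678"]
    for pw in samples:
        ok, why = nist_style_check(pw, context_words=["alice"])
        print("%-30s composition=%-5s nist=%-5s (%s) ~%.0f bits"
              % (pw, composition_policy_ok(pw), ok, why, nominal_entropy_bits(pw)))
```

Run as a script, the table shows the point of the post in one screen: the composition rule passes "P@ssw0rd1" and "Summer2023!" while the blocklist rejects both, and the only sample it rejects that the NIST-style check accepts is the long passphrase.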

By Dak

Father, leader, writer, scientist, visionary.

Technical software development leader (CTO, VP). Excels when improving and turning around teams, putting better tools and software architectures in place, and getting better outcomes.
