It’s annoying but understandable when web sites impose very specific password quality rules in an attempt to ensure your password is hard to guess. It’s both annoying and incomprehensible when web sites impose stupid password quality rules that make it HARDER to create a difficult password!
AirportParkingReservations.com, this means you! The last time this site made me pick a password, it required me to use uppercase letters, lowercase letters, and numbers. So far, so good. But it wouldn’t let me use punctuation characters. That’s bad! Including punctuation characters in your passwords makes them much harder to guess. Blocking the use of punctuation characters in your own site’s passwords has two bad effects: (1) users of your site will be forced to choose passwords that lack punctuation characters and may therefore be easier to guess, and (2) users will be discouraged from using punctuation characters in their passwords in general when they discover that some poorly-designed sites block their use, which may reduce password quality at other sites too.
One reason that AirportParkingReservations.com gets away with this poor policy is that they’re not a very interesting target for hackers to attack. If a hacker does manage to break into someone’s account, the worst they can do is make a bunch of bogus parking reservations in a person’s name and pay with their stored credit card information–bogus charges that will likely be refunded upon request if the user notices them. Only a truly bored hacker would try to be the first to do this. But if your web site holds personal, financial, or other highly confidential information, you should permit stronger passwords.
Remember these basic rules:
- If your web site does any quality checking on passwords at all, it should allow the use of lowercase characters, uppercase characters, numbers, and punctuation characters so users are able to create maximally complex passwords.
- Your site should require some reasonable minimum password length.
- You may mandate the use of various combinations of characters (e.g. at least one lowercase letter, one uppercase letter, and one number). Personally, I’m reluctant to micromanage password complexity rules too much, because you may interfere with a perfectly valid user password creation scheme that uses some kinds of characters but not others. Requiring characters from at least three of the four categories (uppercase letters, lowercase letters, numbers, and punctuation characters) would be a good approach: it enforces significant password complexity without forcing users to use all four categories.
- If you can afford to, it’s even better to run automatic password-cracking software that will try to detect poor quality passwords so you can warn or force users to change truly stupid passwords such as “password,” their user name, their first or last name, and so on.
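As an added example (not code from the original post or from any site mentioned), here is a server-side password check that applies the rules above: every printable character class is accepted, a minimum length is enforced, at least three of the four categories are required, and the password is rejected if it contains the user’s name or a well-known weak password. The minimum length and the small denylist are assumptions; the post names no number and a real site would use a cracking tool or a large leaked-password list instead.

```python
import string
from typing import Optional

# The four categories the post says a site must allow; the rule below
# requires characters from at least three of them, not all four.
CATEGORIES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numbers": set(string.digits),
    "punctuation": set(string.punctuation),
}

MIN_LENGTH = 12  # assumed "reasonable minimum"; the post gives no figure

# Constructed stand-in for what password-cracking software would catch.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def check_password(password: str, username: str = "",
                   first_name: str = "", last_name: str = "") -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason."""
    if len(password) < MIN_LENGTH:
        return f"too short (minimum {MIN_LENGTH} characters)"
    # Only control characters are rejected; punctuation is always legal.
    if not password.isprintable():
        return "contains control characters"
    present = [name for name, chars in CATEGORIES.items()
               if any(c in chars for c in password)]
    if len(present) < 3:
        return ("needs at least three of the four categories "
                f"(found: {', '.join(present) or 'none'})")
    lowered = password.lower()
    # Reject passwords built from the user's own identifiers.
    for label, value in (("username", username), ("first name", first_name),
                         ("last name", last_name)):
        if value and value.lower() in lowered:
            return f"must not contain your {label}"
    # Reject passwords built on a well-known weak base, e.g. "Password1234!".
    if any(weak in lowered for weak in WEAK_PASSWORDS):
        return "built on a well-known weak password"
    return None
```

Because no character class is ever rejected, a user who prefers punctuation-heavy passwords is never turned away, which is the post’s main complaint.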
For an end user faced with the need to generate and remember hard passwords for every site on the planet, LastPass is a good solution. Increased adoption of OpenID by web sites over time will be even more helpful by enabling users to use a single credential to log in more places.
Incidentally, I tried to verify tonight that AirportParkingReservations.com still doesn’t allow the use of punctuation characters in passwords, but after logging in, I couldn’t even find a way to change my password. Clicking “My Account” didn’t do it. Additional points off for poor usability! Ironically, the necessary link to change the password appears to be hidden by a “McAfee SECURE” image that’s accidentally been positioned on top of it. This is true on the Mac in Safari, Chrome, and Firefox, so it’s not an isolated browser-specific glitch. Additional marks off for bad user interface design and poor quality assurance. No matter what McAfee says, your site isn’t very secure if you obstruct your users from picking strong passwords and block users from updating their passwords at will!