Jay Heiser

A member of the Gartner Blog Network


Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data…

May the Farce Be With You: pretend-complex passwords

by Jay Heiser  |  August 8, 2012  |  Comments Off

I was recently forced to change my password on a UK pension system, and my first 4 password offerings were unacceptable. I was baffled as to what part of the password didn’t meet the requirements. Today, I needed to log in and review a pay stub, had to reset my password, and the exact same thing happened.

My locally generated 8-character password was h{35(Kmp. As had happened on the pension site yesterday, today the payroll system responded that it was out of compliance with their requirements:

Length: between 8 and 14 characters
Must contain at least:
  1 upper case letter
  1 lower case letter
  1 number
  1 standard special character (like %, @, or #).
Passwords are case sensitive.
You may not re-use any of your last 4 passwords.
Logon ID and password cannot match.

Although this was a completely different site, on a different continent, I decided that it might be suffering from the exact same bug. They didn’t really mean ‘such as %, @, or #’. What they really meant was ‘including one of the following 3 characters: %, @, or #’. When I substituted a pair of @ symbols for the 2 characters that were much more special to me, the system immediately accepted my password choice. This was simultaneously a diction fault and an egregious avoidance of entropy.

A Google search for ‘standard special characters’ results in 40,000 hits. It’s anybody’s guess whether these 2 different financial systems are operating under IBM’s definition of standard special, the HTML definition, or what. I’m sure that the Linux and Unix communities are happy to consider parens and braces as standard special characters. Given that they are ASCII characters, widely available on digital input devices such as keyboards, I personally feel that they are very special characters.
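As an added illustration (not code from the post or from either site), here is a small Python validator that encodes the quoted rules two ways: with the three-character whitelist the sites apparently enforced, and with all printable ASCII punctuation counted as “standard special”. Both character sets and the entropy bound are my assumptions about what the sites do and what the phrase should mean.

```python
import math
import string

# Policy parameters taken from the rules quoted in the post.
MIN_LEN, MAX_LEN = 8, 14
# Assumption: the two sites accepted only the three characters they named.
NARROW_SPECIALS = frozenset("%@#")
# Assumption: "standard special character" means any printable ASCII punctuation.
ALL_SPECIALS = frozenset(string.punctuation)
LETTERS_AND_DIGITS = 26 + 26 + 10


def check_password(pw: str, specials: frozenset) -> list:
    """Return the names of the rules that pw fails; an empty list means accepted."""
    failures = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        failures.append("length")
    if not any(c.isupper() for c in pw):
        failures.append("upper")
    if not any(c.islower() for c in pw):
        failures.append("lower")
    if not any(c.isdigit() for c in pw):
        failures.append("digit")
    # The bug lives here: with NARROW_SPECIALS, '{' and '(' do not count as
    # special, so h{35(Kmp is rejected while h@35@Kmp passes.
    if not any(c in specials for c in pw):
        failures.append("special")
    return failures


def search_space_bits(length: int, specials: frozenset) -> float:
    """Upper bound on guessing entropy (bits) for a uniformly random password of
    the given length drawn from letters, digits and the permitted specials."""
    alphabet = LETTERS_AND_DIGITS + len(specials)
    return length * math.log2(alphabet)


if __name__ == "__main__":
    for pw in ("h{35(Kmp", "h@35@Kmp"):
        print(pw, "narrow:", check_password(pw, NARROW_SPECIALS) or "accepted",
              "broad:", check_password(pw, ALL_SPECIALS) or "accepted")
    for name, s in (("narrow", NARROW_SPECIALS), ("broad", ALL_SPECIALS)):
        print(f"{name}: {search_space_bits(8, s):.1f} bits for 8 characters")
```

Shrinking the special-character set from 32 to 3 costs roughly four bits over an 8-character password, and tells the user nothing about why a perfectly reasonable choice was refused.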

Given that so few passwords are actually cracked these days, but are instead slurped by malware, complexity requirements are a farcical exercise. Pretending to be complex, while limiting a user’s choice of characters, is just stupid and annoying.


Category: Cloud security