Password Limitations

written by Scott Watermasysk on Friday, May 30 2008

I am a big fan of 1Password, which does a killer job of managing my passwords. In addition to managing passwords, it will also generate new (very) strong passwords when it is time to register for a new site or service. Today, because of either an issue with the Digg password retrieval system or Telligent email spam tools, I needed to create a new account on Digg.

The sign-up process is very simple, but I was shocked when I received the following warning (emphasis is mine):

Passwords must be at least six characters and can contain only numbers and letters

Digg Create an Account Step 1

I do not see why you would ever want to limit users from using stronger passwords. Does this make sense to anyone?

Comments

  • James Shaw on 5.30.2008 at 9:04 AM

    Yep, it's the same at equifax! http://tinyurl.com/4rzgv4

  • Jeremy on 5.30.2008 at 9:48 AM

    A few of the financial institutions I deal with won't let you use special characters which is ridiculous.

  • Otto on 5.30.2008 at 9:51 AM

    I've come across this from time to time and all I can think is that they are checking the passwords for XSS or something and they are failing, which means you have to choose a less secure password.

  • Marc Brooks on 5.30.2008 at 12:49 PM

    You should try the password abc234' DROP TABLE USERS and see what happens :)

  • John S. on 5.30.2008 at 1:20 PM

    Not only does my bank disallow special characters, they limit the LENGTH to 8 characters. Ridiculous.

  • Bruce on 5.30.2008 at 4:08 PM

    As others have also suggested, I'd guess this is an attempt at defense-in-depth against a code injection attack, by prohibiting anything that might be code, or might be decoded into code.

  • Rick Reszler on 5.30.2008 at 10:57 PM

    Looks great Scott only one problem though, it doesn't run on Windows! :-D

  • Rick Reszler on 5.30.2008 at 11:00 PM

    BTW us Windows Guys use KeePass. :-)

  • Ted Jardine on 6.01.2008 at 2:21 AM

    Or for more features (but not open source), RoboForm.

  • Michael Teper on 6.12.2008 at 4:03 PM

    Another possible reason besides cheapo security is avoiding issues when sending a password by email (in itself a bad practice) or spelling them out by phone.
