
Are Some Sites’ Password Requirements Getting Too Ridiculous?

January 10, 2012


I have recently decided that I would like to further my education and increase my value to any employer. As such, I have been looking at continuing education programs from some Ontario Colleges*, and in order to apply to any college you have to go through a centralized site, which you can use to apply to all of Ontario’s colleges and which makes the whole process streamlined.

*Side note for American readers: In Canada people who go for their B.A. go to university and a college is a place for further education after high school and a training institution that awards trade qualifications. Info via Wikipedia entry ‘College’

While signing up for an account on the site I was confronted with this as the password requirements:

OntarioColleges.CA password requirements

  • Minimum 8 Characters
  • Uppercase Letters
  • Lowercase Letters
  • Numbers
  • Symbols (e.g. @, #, $)
  • Passwords as entered match each other (you have to enter it twice to confirm)

As I sat there making up a password I thought to myself, “Isn’t this a little bit ridiculous already?” I mean, I get it that a lot of private and personal information is going into these accounts, but quite frankly my bank has fewer requirements for how I make my password to get into my online account than this website does. I mean, there is a point of diminishing returns for passwords, where we are more and more likely to forget them because they have become so complex that we have to write them down somewhere, and then what was the point of these long intricate passwords?

I get it that brute-force hacking means that the hacking computer is more likely to get the password the more complex it is, and complexity is arrived at by adding more characters, which makes it exponentially harder to guess the password, but the addition of the extra characters into the mix just makes it all the harder for us as humans to remember the password. Beyond that, I promise that a large number of us, me included, end up just telling our computers to remember the passwords for us. If we don’t do that, we write down these insanely complex passwords, and if someone is really that dedicated to getting my password, don’t you think they’re likely to just try and break into our houses, where we’ve written these bewilderingly difficult and complex passwords down because there’s no way we are ever remembering them?

I am fine with setting up a 15 character password. I can do that and remember it with certain mnemonic devices – maybe I’ll teach you my favorite one in a later post – but for me the capitalization aspect is what kills me. At the very least sites that require such intricately constructed passwords could give us all a hint, specifically listing the password requirements below the entry dialogue, and then I won’t be so likely to hit the “Forgot Password” button on a regular basis whenever I visit the site. The funny thing is, I find the sites that require these specifically formatted passwords are always the ones I barely ever use and am more likely to hit the “Forgot Password” button whenever I visit.
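An added example, not part of the original post or the site's own code: a checker for the six requirements listed above, plus an upper-bound brute-force estimate that compares a minimal compliant 8-character password with a 15-character all-lowercase one. The function names, the ASCII-punctuation symbol set, the sample passwords and the assumption that characters are chosen uniformly at random are all assumptions made for the illustration.

```python
import math
import string

# Character classes from the site's requirements list. The symbol set is an
# assumption: the page only gives "@, #, $" as examples, so ASCII punctuation
# (32 characters) is used here.
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "number": string.digits,
    "symbol": string.punctuation,
}
MIN_LENGTH = 8


def policy_failures(password, confirmation):
    """Return the requirements from the list above that this entry fails."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("minimum 8 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(name)
    if password != confirmation:
        failures.append("entries match")
    return failures


def search_space_bits(password):
    """Upper bound on exhaustive-search cost: length * log2(alphabet size).

    Assumes each character is drawn uniformly at random from the union of the
    classes the password uses; human-chosen passwords are weaker than this.
    Characters outside the four classes are not counted in the alphabet.
    """
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the page.
    for pw in ("Ab3$efgh", "qhzmvtkwpnrbxja"):
        print(f"{pw!r}: fails={policy_failures(pw, pw)} "
              f"bits={search_space_bits(pw):.1f}")
```

Under these assumptions the policy rejects the 15-character lowercase password even though its search space is about 18 bits larger than that of the shortest password the policy accepts.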

Maybe it is time we move to fingerprint or retina scanning on our computers? Maybe Google/Android can share their facial recognition technology with all of these sites so they can make all of our lives way easier…everyone has a webcam nowadays anyway, right? What do you think?

Password image via Microsoft Office.
