Deliciously Silly Password Restrictions

After hearing about the recent purchase of social bookmarking service del.icio.us by Chad Hurley and Steve Chen, I remembered that once, long ago, I had a del.icio.us account. I decided to check if my account was still alive, so I trekked over to del.icio.us and took a look.

Delicious as it appears today.

The site’s changed quite a bit since I last used it. It took a while for me to remember what my password was (it was an old, old one, since before I started using passwords the right way). It also appeared that the site still knew me by my former name (it really had been a while since I last logged in!), so I updated it with my new name.

The next step was to change the password. I generated a random password:

#AOOZ*Qs9xsj6^bT@MtN4rq1!0FK&2

But when I went to change my password, it was rejected. Apparently it didn’t meet their security rules. What? That 30-character, randomly-generated password, containing uppercase letters, lowercase letters, numbers, punctuation, and special characters… isn’t secure enough?

A little investigation (and some experimentation) later, it turns out there’s a reason: my password must be insecure, because it contains my surname!

I have a single-character surname. That means that a 30-character password will (assuming a dictionary of 26 letters, 10 digits, and let’s say 20 special characters, so each character has a 1-in-56 chance of being my surname) have about a 40% chance of being rejected on the grounds that it contains my surname. The longer my password is, the more likely it is to be rejected as insecure. My experiments show that “abcdefghijklmnop” is considered by delicious to be more secure for my account password than, say, “@Ubj#JeqPACrgmSQKn9qRYMBM9nPOj”, on account of the fact that the latter contains my surname.

Silly, silly, silly.

7 replies to Deliciously Silly Password Restrictions

  1. It’s sensible, really – your average punter deciding to use their surname with a few extra letters or digits tacked on would get a very weak password. You’re just a special case, with your weird name.

    • Not *very* sensible. After all, if somebody with an eight-character surname has their surname appear in their password… but their password is 20 characters long, they’re still okay.

      The correct answer would be to reduce the perceived length of the password by the length of the included name. So if Mr. Thompson tries to set his password to “123thompsonabc”, his password is validated as “123abc” (his name is removed). This is too short, and therefore fails. But if he tried “123swothompsonrdfish!”, this would reduce to “123swordfish!”, which is sufficiently complex.

      “DaNiSH-P4stR135-R-mai-4av0rit-tr33t” would be a perfectly secure (if stupid) password, but would be rejected for somebody called “Dan”. But not if they first changed their name to “Daniel”, and then changed it back afterwards. Their system, while well-meaning, sucks.

    • When the Passport Office said that they wouldn’t be held responsible for my name getting me into trouble, they only specifically mentioned that I “may experience difficulties at Immigration Control when travelling”. I didn’t sign up for trouble with social networking services!

    • I’ve come across this password problem and various DB and webform issues. Perfectly sensible controls for everyone with more than one letter in their surname get screwed up by us lovely exceptions. It’s not their fault we are awkward. Once they know about it, they *could* change the system, but if it really is just 2 people in the country/world it’d probably be cheaper for them to pay us to change our names! I spell it ‘Qu’ if I find database issues; I’m consistent, and when I have actual people in front of me I explain. Here, the onus is on you to come up with a password that doesn’t have a Q in it.

  2. Sounds like trying to set your password each year at uni. I remember being told when I started my degree that coming up with an acceptable new uni password each year would be the worst part of my degree. It probably was.
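The name-stripping rule proposed in the first reply, and the rejection odds worked out in the post, as an added Python example (not code from the post, the commenters or Delicious; the eight-character minimum for what remains after the name is removed is an assumption, since the post never states the site’s real threshold):

```python
import re

# Assumed threshold for what counts as "long enough" once the name is removed;
# the post and comments never state Delicious's actual minimum.
MIN_REMAINING = 8


def naive_check(password: str, surname: str) -> bool:
    """The rule the post ran into: reject any password that contains the surname."""
    return surname.lower() not in password.lower()


def strip_name(password: str, surname: str) -> str:
    """Remove every occurrence of the surname (case-insensitively) and return the rest."""
    return re.sub(re.escape(surname), "", password, flags=re.IGNORECASE)


def name_adjusted_check(password: str, surname: str, min_len: int = MIN_REMAINING) -> bool:
    """The commenter's proposal: judge only the part of the password that is not the name."""
    return len(strip_name(password, surname)) >= min_len


def rejection_probability(length: int, alphabet_size: int = 56) -> float:
    """Chance that a uniformly random password of `length` symbols contains a given
    single-character surname, using the post's 26 + 10 + 20 = 56-symbol alphabet."""
    return 1 - (1 - 1 / alphabet_size) ** length


if __name__ == "__main__":
    # Passwords quoted in the post and comments, paired with the surnames they mention.
    cases = [
        ("#AOOZ*Qs9xsj6^bT@MtN4rq1!0FK&2", "Q"),
        ("abcdefghijklmnop", "Q"),
        ("123thompsonabc", "Thompson"),
        ("123swothompsonrdfish!", "Thompson"),
        ("DaNiSH-P4stR135-R-mai-4av0rit-tr33t", "Dan"),
    ]
    for pw, name in cases:
        print(f"{pw!r:40} naive={naive_check(pw, name)!s:5} "
              f"adjusted={name_adjusted_check(pw, name)!s:5} "
              f"remainder={strip_name(pw, name)!r}")
    print(f"P(30-char random password contains a 1-char surname) = "
          f"{rejection_probability(30):.2%}")
```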
