Deliciously Silly Password Restrictions

After hearing about the recent purchase of social bookmarking service del.icio.us by Chad Hurley and Steve Chen, I remembered that once, long ago, I had a del.icio.us account. I decided to check if my account was still alive, so I trekked over to del.icio.us and took a look.

Delicious as it appears today.

The site’s changed quite a bit since I last used it. It took a while for me to remember what my password was (it was an old, old one, since before I started using passwords the right way). It also appeared that the site still knew me by my former name (it really had been a while since I last logged in!), so I updated it with my new name.

The next step was to change the password. I generated a random password:

#AOOZ*Qs9xsj6^bT@MtN4rq1!0FK&2

But when I went to change my password, it was rejected. Apparently it didn’t meet their security rules. What? That 30-character, randomly-generated password, containing uppercase letters, lowercase letters, numbers, punctuation, and special characters… isn’t secure enough?

A little investigation (and some experimentation) later, it turns out there’s a reason: my password must be insecure, because it contains my surname!

I have a single-character surname. That means that a 30-character password will (assuming a dictionary of 26 letters, 10 digits, and let’s say 20 special characters) have about a 40% chance of being rejected on the grounds that it contains my surname. The longer my password is, the more likely it is to be rejected as insecure. My experiments show that “abcdefghijklmnop” is considered by delicious to be more secure for my account password than, say, “@Ubj#JeqPACrgmSQKn9qRYMBM9nPOj”, on account of the fact that the latter contains my surname.

Silly, silly, silly.