Kurt McKee

lessons learned in production

Hey there! This article was written in 2008.

It might not have aged well for any number of reasons, so keep that in mind when reading (or clicking outgoing links!).

Password policies

Posted 8 February 2008

I've finally gone through and updated almost all of my passwords on the various services that I use. Having crafted devilishly unwieldy passwords for this year, I find it infuriating to run across services that won't allow me to use them. Digg and coComment are the biggest well-known offenders; Digg forbids any special characters, and coComment arbitrarily accepts certain special characters but not others. I emailed coComment about their policy, and received this in reply:

You may use only [sic] following symbols in addition to letters and digits:
$ @ - # % & ? . - _
It is a matter of security.

"Security"? Have they not escaped their input properly? Are they afraid of SQL injection attacks? At least they're aware of their limitations. When I changed my SourceForge password their system claimed that the change had failed, when in fact it had changed the password just fine.

But I can't end this post without giving special props to my Northwestern University IT people.

The Northwestern University password policy is the most onerous I've ever had to comply with. In particular, passwords must be between six and eight characters and expire every three months, and I've suffered under this foolishness for years. My passwords start at 10 characters!
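To make the point of both complaints concrete, here is an added example (my own illustration, not code from coComment, Northwestern, or any other service mentioned above). It puts coComment's quoted allowlist next to a policy that only enforces a length floor, and shows why the allowlist buys nothing: if the password is fed to a salted KDF as bytes and stored through a bound query parameter, quotes, semicolons and non-ASCII characters never touch SQL text, and there is no reason for a maximum length either. The minimum length of 10, the PBKDF2 iteration count and the sample password are assumptions I constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# The allowlist coComment quoted in their reply: letters, digits and these symbols.
COCOMMENT_SYMBOLS = frozenset("$@-#%&?._")

# Assumed policy values for the corrected version (not taken from any real service).
MIN_PASSWORD_LENGTH = 10
PBKDF2_ITERATIONS = 600_000


def cocomment_style_check(password: str) -> bool:
    """The restrictive policy: reject any character outside the allowlist.
    This adds no security once passwords are hashed and parameters are bound."""
    return all(c.isalnum() or c in COCOMMENT_SYMBOLS for c in password)


def sane_policy_check(password: str) -> bool:
    """Length floor only: no character-class rules and no maximum length."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. The KDF sees bytes, so quotes, semicolons
    and non-ASCII characters are all handled identically."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, "
        "salt BLOB NOT NULL, digest BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    if not sane_policy_check(password):
        raise ValueError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    salt, digest = hash_password(password)
    # Bound parameters: the driver never splices the password into SQL text,
    # and only the digest is stored, so character restrictions are pointless.
    conn.execute(
        "INSERT INTO users (username, salt, digest) VALUES (?, ?, ?)",
        (username, salt, digest),
    )
    conn.commit()


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        hash_password(password)  # spend the same time for unknown users
        return False
    return verify_password(password, row[0], row[1])


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    # Constructed sample: a password coComment's allowlist would reject.
    db = open_db()
    awkward = "O'Brien\"s; -- pässwörd!"
    register(db, "kurt", awkward)
    print("allowlist accepts:", cocomment_style_check(awkward))
    print("login works:", login(db, "kurt", awkward))
```

Run as a script it registers the awkward password, shows that the allowlist would have refused it, and then logs in with it successfully; the table is untouched afterwards because the password only ever existed as a bound parameter and a digest.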

Anyway, that's 31 services down, and only a few more to go. Hooray!