Most Major Websites Encourage Terrible Passwords

Status
Not open for further replies.

jhansonxi

May 11, 2007
What I hate is web sites that don't indicate what passwords are acceptable. They'll let you enter whatever you want but then silently ignore characters they don't like and truncate the password to their unstated length limit. You find this out the next time you try to log in.
 

senkasaw

Aug 2, 2010
While it is sad that so many people use terrible passwords, I don't see it as the websites' job to force them to use good ones.
 

none12345

Apr 27, 2013
Oddly enough, sites requiring at least 1 number, one capital, etc. are less secure. Most people will put the capital letter first, and the number on the end. Knowing this, you have just made the password easier to guess, not harder. You narrowed the first character from 26 lower case, 26 upper case, and 10 decimal = 62 possibilities to only 26, the capital letters, and you narrowed the last one from 62 to 10. It will still likely be a common word or words in between.
 

brucek2

Dec 31, 2008
On the vast majority of sites that have ever asked me to create an account, my account and everything stored within it is absolutely worthless. Yet some of them insist on requiring an unwieldy password, which I will never remember in my head, so I end up having to write it down somewhere which is immediately unsecure.

The best system to me is one where I can use whatever convenient, "screen door" level protection password I want for this tier of account, which is the vast majority of them.

Then, for the relatively few that are valuable and/or sensitive, I can pick unique, complex passwords that are worth memorizing and that I won't be tempted to re-use on the next junk level account.
 

Christopher1

Aug 29, 2006
none12345 said:
"Oddly enough, sites requiring at least 1 number, one capital, etc. are less secure. Most people will put the capital letter first, and the number on the end. Knowing this, you have just made the password easier to guess, not harder. You narrowed the first character from 26 lower case, 26 upper case, and 10 decimal = 62 possibilities to only 26, the capital letters, and you narrowed the last one from 62 to 10. It will still likely be a common word or words in between."

Which will not matter as long as the passwords are PROPERLY encrypted AND there is a log-in limit (i.e. only 5 log-in attempts in an hour or 6 hour period per account) on the website in question.
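
As an added example (not part of any post in this thread): the two controls named in the post above, protected password storage and a per-account limit of 5 failed log-ins per hour, in one sketch. Storage here is a salted PBKDF2 hash; `LoginService`, the in-memory stores and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # figure taken from the post: 5 attempts...
WINDOW_SECONDS = 3600   # ...per hour, per account
ITERATIONS = 600_000    # assumed PBKDF2 work factor


class LoginService:
    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable so the window is testable
        self._users = {}                     # username -> (salt, derived key)
        self._failures = defaultdict(deque)  # username -> failed-attempt timestamps

    @staticmethod
    def _hash(password, salt):
        # Salted, deliberately slow derivation; the plaintext is never stored.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._hash(password, salt))

    def login(self, username, password):
        now = self._clock()
        recent = self._failures[username]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()                 # forget failures older than the window
        if len(recent) >= MAX_FAILURES:
            return "locked"                  # refuse before doing any password work
        # Unknown users still cost one hash, so timing does not reveal existence.
        salt, stored = self._users.get(username, (b"\0" * 16, b""))
        candidate = self._hash(password, salt)
        if stored and hmac.compare_digest(candidate, stored):
            recent.clear()
            return "ok"
        recent.append(now)
        return "denied"
```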
 

Darkk

Oct 6, 2003
Folks... regardless of how each website employs its own password protection scheme you should NEVER EVER use the same user ID and password on another website. If you can't manage passwords then use third party software like KeePass.

If you did use simple passwords and the same user ID everywhere else you deserve for the accounts to get hacked. This is NOT the fault of the website as it did warn you NOT to use the same user ID and password on another website.
 

Eisbrecher34

Feb 14, 2012
I bet fifty bucks that one of the guys running the tests uses a "11111" or something of the sort. It's just human nature to keep things simple.
 

randomizer

jhansonxi said:
"What I hate is web sites that don't indicate what passwords are acceptable. They'll let you enter whatever you want but then silently ignore characters they don't like and truncate the password to their unstated length limit. You find this out the next time you try to log in."

I've seen worse; a bank that accepted at least 20 characters when creating the password, but only allowed 16 characters when logging in. No truncation, just no ability to enter a matching password. I've also recently seen a credit union that only allows passwords of 6-10 characters, and only with digits.

Financial institutions also seem to have a fixation with requiring secret questions and answers, usually asking questions for which the answers are often on Facebook. Why bother cracking a password when you just need to find the name of the person's pet?

The companies for which security is paramount provide the worst security.
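
As an added example (not part of any post in this thread): the silent strip-and-truncate behaviour described above next to a policy check that states its limits, rejects with a reason, and is shared by signup and login so the two cannot disagree. All function names and the 8/128 limits are assumptions for illustration.

```python
import unicodedata

MIN_LEN, MAX_LEN = 8, 128   # assumed limits; the point is that they are stated


def sanitize_silently(password, limit=16):
    """Anti-pattern from the posts: drop disliked characters, then truncate."""
    return "".join(c for c in password if c.isalnum())[:limit]


def collide(a, b):
    """True when two different passwords become the same stored secret."""
    return a != b and sanitize_silently(a) == sanitize_silently(b)


def check_policy(password):
    """Return (password, None) if acceptable, else (None, reason).

    The password is only Unicode-normalized, never shortened or filtered.
    """
    pw = unicodedata.normalize("NFC", password)
    if len(pw) < MIN_LEN:
        return None, f"too short: minimum is {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return None, f"too long: maximum is {MAX_LEN} characters"
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return None, "control characters are not accepted"
    return pw, None


def prepare(password):
    """Single code path for BOTH signup and login, so the rules cannot diverge."""
    pw, reason = check_policy(password)
    if reason:
        raise ValueError(reason)   # surfaced to the user at entry time
    return pw
```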
 

ithurtswhenipee

Mar 6, 2010
It is the individual's responsibility to make secure passwords, but in general people are stupid. So the websites are forced to hand-hold their users and force good passwords. Given that people aren't going to get much smarter anytime soon - that needs to be done. The real problem on the website's end are the ones that actually force simpler passwords. I always make passwords that are a random string of 8 or more characters (uppercase, lowercase, numbers, symbols), then I come across a site that tells me I can't have special characters or my password needs to start with a number.
 

gm0n3y

Mar 13, 2006
It seems to me that insecure passwords aren't really much of a risk. Sites just need to limit login attempts and users need to not reuse passwords. The problem, of course, is who can remember the dozens of passwords needed for various websites?

My biggest annoyance with passwords is with a credit card system that I've used that has online password verification. Since it deals with money I make sure to put a very secure password on the account. Since almost no sites require this additional verification, a few months later when I need to use it again, I can't remember the password. I get it wrong three times and they completely lock down my account, requiring me to call them to reset my password. Of course it's a weekend and the call centre is only open during business hours (M-F 9-5). So I wait until Monday and call them while I'm at work. They ask for the balance on my last bill which I don't have with me at work. So I have to track down my old bill and bring it to work the next day so I can call again. Finally I can actually make the purchase that I tried to make a few days before. Then a few months later I try to use the system again and the same thing happens. So bloody annoying.
 