
Publicising your Password Policy

I raised the following situation recently on Twitter, and from the feedback gained it appears that there are a lot of different viewpoints as to the ‘right way’ and ‘wrong way’ to handle password policies. 140 characters is never enough to explain the different sides fully, therefore here is a longer justification of the view that I put forward.

It’s fair to say that different sites have different password policies. This in itself is not a problem, as individuals have differing ideas on what constitutes a ‘secure password’, whether that relates to minimum and maximum lengths, requiring a certain combination of different character types, or only allowing the password to be made up of A-Z and 0-9.

Having such a policy should be second nature for any organisation; however, I’m finding an increasing trend of these policies only being displayed when either:

  • Setting a password, or
  • Re-entering a password having been told that the password you attempted to use didn’t meet the policy.

The one place that policies never appear to be specified is when a user is actually trying to log in. This is an issue I’ve specifically noticed on one of the banking ‘3D Secure’ verification IFRAMEs that appear (which in themselves are a security issue, as others have documented in the past). As a result, several times now I have ended up in the following situation:

  • I enter what I believe my password is, which happens to be 11 characters.
  • It is rejected, as it does not match the password stored. A reset is obviously needed.
  • I go through the reset process, entering various personal information, and also provide a new password.
  • I am told that my password does not meet the requirements, which involve a maximum length of 10 characters.

Now, at this point, I suddenly remember what my password is; but look at the process I’ve had to go through in order to reach that stage. It has slowed me down significantly, it has frustrated what should be a simple process and it has lowered my opinion of the organisation providing that service. Other people may have simply given up, and thus a sale is lost.

So – can someone tell me why a company should not publicise its password policy? Considering that they are often freely given on ‘sign up’ pages, why – user interface issues aside – can they not be displayed on sign-in as well?
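As an added example (this is not code from the original post or from any bank’s 3D Secure page), here is one way a site could drive both pages from a single published policy: the same object produces the sentence shown beside every password field, enforces the rules on sign-up and reset, and at sign-in turns the same rules into a warning that short-circuits the reset loop described above. The policy values are assumptions; the 10-character maximum is reproduced only because the anecdote describes one, not as a recommendation. The element ids in the wire-up function are likewise hypothetical.

```javascript
// Added example, not code from the original post. One published password
// policy (hypothetical values, chosen to match the post's anecdote of a
// 10-character maximum) drives the text shown on sign-up and sign-in, strict
// enforcement when a password is set, and a warning-only pre-check at sign-in.

const policy = {
  minLength: 8,                      // assumed minimum
  maxLength: 10,                     // the maximum from the post's anecdote
  allowedPattern: /^[A-Za-z0-9]*$/,  // letters and digits only, as in the post
  allowedDescription: "letters A-Z and digits 0-9",
};

// One sentence, rendered wherever a password field appears (sign-up AND sign-in).
function describePolicy(p) {
  return `Passwords are ${p.minLength} to ${p.maxLength} characters long and use only ${p.allowedDescription}.`;
}

// Every way the candidate fails the policy, as readable clauses.
function policyViolations(password, p) {
  const reasons = [];
  if (password.length < p.minLength) reasons.push(`shorter than ${p.minLength} characters`);
  if (password.length > p.maxLength) reasons.push(`longer than ${p.maxLength} characters`);
  if (!p.allowedPattern.test(password)) reasons.push(`made up of characters other than ${p.allowedDescription}`);
  return reasons;
}

// Sign-up and reset: the policy is enforced, so a failing result blocks submission.
function validateNewPassword(password, p) {
  const reasons = policyViolations(password, p);
  return { ok: reasons.length === 0, reasons };
}

// Sign-in: the same check only produces a hint. It must never block the attempt,
// because a password stored before the policy last changed may legitimately fail
// it, and the server stays the only authority on whether the password is right.
function signInHint(password, p) {
  const reasons = policyViolations(password, p);
  if (reasons.length === 0) return null;
  return `The password you typed is ${reasons.join(" and ")}, which this site never allows; check that you are entering the right one before requesting a reset.`;
}

// Browser wire-up (hypothetical element ids): show the hint as the user types.
// The candidate password stays in the page; it is never logged or sent for this check.
function attachSignInHint(inputEl, hintEl, p) {
  inputEl.addEventListener("input", () => {
    hintEl.textContent = signInHint(inputEl.value, p) ?? "";
  });
}

// Stand-alone run with the post's scenario: an 11-character guess against a
// 10-character maximum. Constructed sample input, not a real password.
const typed = "abcdefghijk";
console.log(describePolicy(policy));
console.log(signInHint(typed, policy));
```

In a real page, `attachSignInHint(document.getElementById("password"), document.getElementById("hint"), policy)` would be called once the form is rendered; the hint reveals nothing the sign-up page does not already publish, which is the point of the argument above.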