I’m not sure what was more puzzling:
- They insist on strong passwords, but are able to handle only two non-alphanumeric characters. For example, “this-password-restriction-is-poopy-doodoo-7F92PChQXHkR=mz{mzTfs6x6z”, the sequence emitted when my head landed on my keyboard, violates most of their rules.
- This information is intellectual property.
And, your point is?
Passwords are for keeping honest people out, kind of like locks on doors with 3′x5′ windows next to them.
It’s intellectual property to disallow profanity in passwords? 🙂
My meta point is each site’s unique limitations in passwords contribute to the problem users have in managing them. In this case, their site doesn’t permit non-alphanumeric characters (beyond - and _). I had to dink with the settings on the password manager until it conformed to their rules.
Your lock analogy is interesting — “passw0rd” is akin to locking your door but leaving the key under the welcome mat. However, I think of it more as “the club.” By using insanely long, unique, multidimensional passwords, my account is less likely to be brute-forced. The password is only limited to this account.
Passwords do not address the social engineering tactics…
Speaking of social engineering: there is an app for FB that “allows” the user to stop using the “timeline” display for their wall. It works on their computer, but others will still see the timeline version unless they too have the app. Here’s the catch: to get the app (that tries its best to look like it’s actually a FB app) you have to give “it” your username and password. It downloads, modifies some setting in your browser, and you continue on your happy way sans timeline.
All is good in the world.
Until they collect enough usernames and passwords.
I pointed this out to the IT tech who offered up the app in the first place.
“You can always just change your password after you download it”
Well, sure (clearly she hadn’t considered it until I mentioned it), but how many people don’t think twice about handing out their info and will never change it, until it’s too late?
Talk about Phishing the creative way!
Have to give the designer kudos on that one.
The app is available without password information elsewhere. Also, you don’t have to give them real user name/password info in the first place, but who will think of that?