I recently signed up to the site of one of my (many) 401K administrators. When it came time to pick a password for my account, I was disappointed to see the kind of restrictions the bank put on my choice of password:
Password requirements:
Must contain 8 – 20 characters
Must contain at least one letter and one number
Is case sensitive (e.g. “MyPassword” with an uppercase “M” and “P” is different from “mypassword” with a lowercase “m” and “p”)
Cannot contain any spaces
Cannot contain special characters (e.g. !#$%^&@,;*( )+~?<>‘\”)
Cannot contain more than 2 of the same consecutive letters or numbers (e.g. aaa or 222)
Cannot be the same as your previous 6 passwords
Cannot be the same as your Username
I understand some of these, but not allowing spaces or special characters? That significantly reduces the complexity of available passwords, making the password easier to crack. Now perhaps they get around this by giving the user x number of tried before locking her out, but why not just allow special characters?
Another thing I find ridiculous is their choice of security verification questions:
What is your favorite movie?
What is your favorite song?
What was the name of your favorite teacher?
What was your favorite subject at school, college, or university?
Which non-immediate family member was your hero as a child?
From all history, who would you most like to have as a mentor?
What was your first job?
What is your favorite book?
Who is your favorite fictional character?
Where is your ideal vacation location?
Who is your all time favorite entertainer?
What job did you dream of having as a child?
What was your favorite toy as a child?
Which historical figure would you most like to meet?
Who is your favorite cartoon character?
My favorite teacher? Well, which school?
Favorite movie? I like many. It depends on my mood.
Ideal vacation location? Summer or winter?
These questions are so laughably subjective that I could spend 15 minutes entering in wrong answers when quizzed about them. The only one that has a definitive answer is “what was your first job.”
Oh, and I have to pick four of them to answer.
If the bank would allow users to use longer and more complex passwords, the users could choose something more memorable, still be secure, and not need to needlessly flail answering dumb security questions. That will never happen, though!