The recent leak that exposed the password hashes of millions of LinkedIn users, followed by a leak of Last.fm passwords, has made the security of online passwords a hot topic, and an important one. Users are more concerned than ever about the strength of their passwords. Yet some sites still enforce password requirements that are at best pointless and at worst harmful.
The first on this list is the website of the Attorney General of Texas child support division. Its rules tell the user not to use the same word twice in a row, to make the password exactly 8 characters long, and a whole lot of other odd details that do nothing to make a password strong. The exact-length rule is actively harmful: it tells an attacker precisely how many characters to guess, and 8 characters is short enough for an offline attack against a fast hash.
Another abysmal list forbids special characters, bans passwords such as ‘Nelet’ or ‘Password’, and does not allow two separated numbers, which again is absurd. Forbidding special characters simply shrinks the alphabet an attacker has to cover.
The password requirements of US Citizenship and Immigration Services are no different. The password must begin and end with an alphabetic character, must not contain spaces, must not contain any part of the User ID, and so on. Keeping the User ID out of the password is the one rule here with some merit; requiring a letter in the first and last positions only tells an attacker which positions never hold a digit or symbol.
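To put numbers on rules like these, here is an added example (not from the original article or from any of the sites named above) that counts how many passwords a length-and-alphabet policy admits and reports the result in bits. The three policies are my own reconstructions of the rules quoted above: the exact-8-character, alphanumeric-only combination, a begin-and-end-with-a-letter policy (the page gives no length bounds for that one, so 8 to 14 characters is an assumption), and a permissive baseline that allows any printable character from 8 to 64 characters.

```python
import math
import string

# Alphabet sizes used by the policies below.
ALPHA = len(string.ascii_letters)                                    # 52
ALNUM = len(string.ascii_letters + string.digits)                    # 62
PRINTABLE_NO_SPACE = len(string.digits + string.ascii_letters + string.punctuation)  # 94
PRINTABLE = PRINTABLE_NO_SPACE + 1                                   # 95, space allowed


def password_count(min_len, max_len, charset, first_last_alpha=False):
    """Number of distinct passwords a policy accepts.

    charset         -- size of the alphabet allowed in an unconstrained position
    first_last_alpha -- if True, the first and last characters must be letters
                        (the USCIS-style rule), which fixes those two positions
                        to the 52-letter alphabet.
    """
    total = 0
    for n in range(min_len, max_len + 1):
        if first_last_alpha:
            if n < 2:
                continue
            total += ALPHA * ALPHA * charset ** (n - 2)
        else:
            total += charset ** n
    return total


def bits(count):
    """Keyspace expressed as log2, i.e. the work factor for exhaustive search."""
    return math.log2(count)


# Policies reconstructed from the rules quoted in the article (assumptions, see lead-in).
POLICIES = {
    # "exactly 8 characters" combined with "no special characters"
    "exact_8_alnum": dict(min_len=8, max_len=8, charset=ALNUM),
    # "begin and end with an alphabetic character", "no spaces"; length bounds assumed
    "first_last_alpha_8_14": dict(min_len=8, max_len=14, charset=PRINTABLE_NO_SPACE,
                                  first_last_alpha=True),
    # baseline: any printable character, 8 to 64 characters
    "permissive_8_64": dict(min_len=8, max_len=64, charset=PRINTABLE),
}


def policy_bits(name):
    return bits(password_count(**POLICIES[name]))


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:24s} {policy_bits(name):6.1f} bits")
```

The exact-8 alphanumeric policy comes out at about 47.6 bits, which is within reach of an offline attack on an unsalted fast hash; the begin/end-with-a-letter rule costs a little under two bits at every length compared with letting any printable character occupy those positions. Only the length ceiling really moves the number.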
The fundamental problem with these requirements is that they are cumbersome, and while they may help a little, they do not play a large role in making passwords strong. As the LinkedIn leak showed, where the stolen hashes were unsalted SHA-1, organizations should concentrate more on how they hash and protect the passwords stored with them (per-user salts and a deliberately slow hash) rather than on making users' passwords ever harder to remember.
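The following is an added example, not code from the article or from LinkedIn, showing why storage matters more than composition rules. A constructed, made-up "leaked database" of unsalted SHA-1 hashes (the scheme in the LinkedIn leak) can be cracked with a single lookup table that is built once and reused against every user; the same passwords stored with a per-user salt and PBKDF2-HMAC-SHA256 force the attacker to redo every guess for every user, and each guess is hundreds of thousands of times more expensive. The user names, passwords and wordlist are all invented for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed attacker wordlist (invented for this example).
WORDLIST = ["password", "linkedin", "Summer2012", "letmein", "qwerty123"]

# Constructed sample accounts; two use weak passwords, one does not.
SAMPLE_ACCOUNTS = {
    "alice": "password",
    "bob": "Summer2012",
    "carol": "c0rrect-h0rse-battery-staple",
}


def sha1_unsalted(password: str) -> str:
    """Unsalted SHA-1, the scheme behind the LinkedIn hash leak."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_unsalted_leak(accounts=SAMPLE_ACCOUNTS) -> dict:
    """Simulate a leaked table of user -> unsalted SHA-1 hash."""
    return {user: sha1_unsalted(pw) for user, pw in accounts.items()}


def crack_unsalted(leaked: dict, wordlist=WORDLIST):
    """One hash per wordlist entry cracks every user at once.

    Returns (recovered passwords, number of hash computations performed).
    """
    table = {sha1_unsalted(w): w for w in wordlist}   # built once, reused for all users
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(wordlist)


def pbkdf2_record(password: str, iterations: int = 600_000):
    """Store a password as (salt, iterations, derived key) with a random 16-byte salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk


def pbkdf2_verify(password: str, record) -> bool:
    salt, iterations, dk = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, dk)   # constant-time comparison


def build_salted_store(accounts=SAMPLE_ACCOUNTS, iterations: int = 600_000) -> dict:
    return {user: pbkdf2_record(pw, iterations) for user, pw in accounts.items()}


def crack_salted(store: dict, wordlist=WORDLIST):
    """No shared table is possible: every (user, guess) pair costs a full PBKDF2 run.

    Returns (recovered passwords, number of PBKDF2 computations performed).
    """
    found, work = {}, 0
    for user, record in store.items():
        for w in wordlist:
            work += 1
            if pbkdf2_verify(w, record):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    weak_found, weak_work = crack_unsalted(build_unsalted_leak())
    print("unsalted SHA-1:", weak_found, "hash computations:", weak_work)
    strong_found, strong_work = crack_salted(build_salted_store(iterations=10_000))
    print("salted PBKDF2:", strong_found, "PBKDF2 computations:", strong_work)
```

Both schemes give up the two weak passwords to this tiny wordlist, which is the point: composition rules did not save alice or bob in either case. What changes is the cost. The unsalted leak fell to five SHA-1 computations for all three users, whereas the salted store needed nine PBKDF2 runs, each one 600,000 SHA-256 iterations by default, and that cost grows linearly with the number of users in the database instead of staying flat.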