Bad Password Rules Lead to Bad Passwords

Special Character Requirements

In an odd effort to prevent SQL injection, some password policies forbid users from using certain characters. That fix belongs in the server-side code, not in the password policy: the application should accept any character and escape those that might be used in an SQL injection attack.

Maximum Lengths

I have seen at least two web applications with a maximum length of 12 characters. Raising the maximum length of password fields lets users choose passwords with more entropy.

Password Change Frequency

We have rules that force us to change passwords every 90 days and we're not allowed to repeat the past 15. What am I supposed to do with that when it comes to logging into a workstation… especially one that I seldom use.

The Fix

  • Allow any character - there are well-established norms for handling this safely in any web language
  • Require a higher minimum character count
  • Remove forced password changes - they lead to people writing passwords down. If anything, forced changes make things worse.
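The first fix in practice, as an added example that is not code from the original post: a registration and login path that accepts any character, enforces only a length rule, hashes the password before it ever reaches the database, and uses parameterised queries so quote and comment characters in the password are inert. The table layout, the policy limits and the PBKDF2 iteration count are assumptions chosen for this example.

```python
"""Password handling that never rejects a character (added example).
Assumes an in-memory SQLite users table; MIN_LEN, MAX_LEN and ITERATIONS
are illustrative constants, not values from the original post."""
import hashlib
import hmac
import os
import sqlite3

MIN_LEN = 12        # raise the minimum instead of restricting characters
MAX_LEN = 128       # a generous cap; the hash input is bounded, not the user
ITERATIONS = 600_000


def check_policy(password):
    """Return a list of policy violations. Length is the only rule."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    return problems


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    return conn


def create_user(conn, username, password):
    problems = check_policy(password)
    if problems:
        raise ValueError("; ".join(problems))
    salt, digest = hash_password(password)
    # Parameterised statement: only the salt and digest are stored, and even
    # the username goes through a bound parameter, never string concatenation.
    conn.execute("INSERT INTO users (username, salt, hash) VALUES (?, ?, ?)",
                 (username, salt, digest))
    conn.commit()


def verify_user(conn, username, password):
    row = conn.execute("SELECT salt, hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])  # constant-time comparison
```

A constructed password such as `correct horse' OR '1'='1; -- battery` round-trips through `create_user` and `verify_user` unchanged, because the database only ever sees a salt and a digest bound as parameters.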
