This is straight off GoDaddy’s FTP user password requirements for their shared linux hosting plans:

You must create a password for your account. This means that your password:

  • Must contain 7 to 14 characters.
  • Must contain at least one lowercase letter.
  • Must contain at least one uppercase letter.
  • Must contain at least one number.
  • Must begin with a letter.
  • Cannot contain the user name.
  • Cannot contain the following characters: question mark, space, caret, single quote, double quote, colon, backslash, dollar sign, ampersand, greater than, less than, tilde, semi-colon, or accent.

The result of these kinds of password requirements is that your user has to come up with a new password, or a new variation on one of their existing passwords, just for your site.  Now in a perfect world, users would have a unique password for every site on the internet where they have a login.  There are programs out there to help users do that.  But guess what.  People don’t use them.  For some good reasons too – like now a copy of your passwords, one way or another, is being stored somewhere that isn’t your brain.  Which defeats the whole idea – your password is supposed to be something that only you can produce, and you can do so anywhere, anytime you need to.

So in reality, your users likely have somewhere between 10 and 100 logins across the internet. If they’re forced to try to remember a special username/password combo for your site – they won’t. They’ll write it down and stick it in their wallet. Or in the drawer next to their desk. Or in a plaintext file on their desktop. Which is about as secure as, well, putting something yummy in the snack room with a sign that says ‘yummy’.

When a hosting provider like GoDaddy does this kind of bad practice, it isn’t that big a deal. It just makes their FTP user base more likely to be compromised. Now when your bank does it (I believe all my banks do it at one level or another) it’s serious. This isn’t helping the security problem – it’s just passing the buck. Even though this makes the average user more vulnerable to attack, that’s no longer your bank’s fault. It was you who didn’t safely guard your 7 different usernames, 3 levels of passwords, and up to 5 variations on those different passwords for your various logins across the internet.  That’s what I’m up to: 7, 3 and 5. Now soon to be 6.

As a user, what do you guys use to manage all your usernames/passwords?  As a developer, what kind of restrictions do you apply for your users’ passwords and/or usernames?  Do you know of any standard set of password restrictions, or any standard algorithm for computing what constitutes a ‘good’ or a ‘weak’ password?
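To make the quoted GoDaddy rules concrete, here is an added example (my code, not the post’s or GoDaddy’s) that implements the seven rules as a validator and computes the ceiling on password entropy the policy permits. It assumes “accent” means the backtick and that the user-name rule is case-insensitive; the post does not say either.

```python
import math

# The seven GoDaddy FTP rules quoted in the post.  Assumptions: "accent"
# means the backtick, and the user-name rule is case-insensitive; the
# 14 forbidden characters are taken from the quoted list.
FORBIDDEN = set("? ^'\":\\$&><~;`")
PRINTABLE_ASCII = 95            # space through tilde
LETTERS = 52                    # the only characters allowed in position 1
MIN_LEN, MAX_LEN = 7, 14

def check_password(password, username):
    """Return the quoted rules the password breaks (empty list = accepted)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be 7 to 14 characters")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not password[:1].isalpha():
        problems.append("must begin with a letter")
    if username and username.lower() in password.lower():
        problems.append("must not contain the user name")
    bad = sorted(set(password) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + repr("".join(bad)))
    return problems

def max_keyspace_bits(length):
    """Ceiling on the entropy of an accepted password of this length.

    Position 1 is one of 52 letters; each later position is one of the
    81 printable ASCII characters the policy still allows.  The
    composition rules only remove candidates, so the real search space
    is smaller than this bound."""
    allowed = PRINTABLE_ASCII - len(FORBIDDEN)          # 81
    return math.log2(LETTERS) + (length - 1) * math.log2(allowed)

if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw, user in [("Secret99", "alice"), ("Alice2024", "alice"),
                     ("7Lucky&me", "bob"), ("Correct Horse Battery 1", "bob")]:
        print(f"{pw!r:28} -> {check_password(pw, user) or 'accepted'}")
    for n in (MIN_LEN, MAX_LEN):
        print(f"{n} chars: at most {max_keyspace_bits(n):.1f} bits")
```

The 14-character cap is the binding constraint: even a password using every allowed character cannot exceed about 88 bits, and the composition rules reduce the space further rather than expanding it.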

One Response to “How to force your Users into bad Password Management”

  1. DJFelix says:

    1Password from Agile Solutions is my savior! It integrates directly into Firefox and Safari (including Safari 4 beta) and has an iPhone app. It has a strong password generator and stores secure notes and wallet items (credit cards, etc.). Everything is super encrypted on both the Mac and the iPhone. I’m tracking over 500 passwords in 1Password right now. I’m a bit paranoid, so I have unique strong passwords for nearly every site I use. I’ve all but eliminated my common password from every site I interact with.

    For financial sites, I use ridiculously complex passwords that I simply can’t remember. Since 1Password integrates directly into my browser, as long as I remember my 1Password access password, I can get into anything quickly and easily. Their new keystore format is also Dropbox compatible, so all of my machines sync automagically.

    When I was using Linux & Windows as my main desktops I used KeePassX, but it didn’t integrate with Firefox, so it was a huge pain. I kept the keystore on a USB flash drive that I had to keep backed up, and would occasionally lose a couple of passwords when a flash drive would die because I’m lazy and would forget to back up my flash drive. Now I don’t worry about it … Dropbox keeps my machines synchronized and Time Machine keeps it all backed up. It’s a beautiful thing.
