Tuesday, December 9, 2008

Password generation FAIL

I recently changed jobs (I'll post more about that in the near future) and was eagerly awaiting my first paycheck.
First pay day came and went and while there were funds in my bank account, I did not receive a paper paycheck. My new employers use a pay company that gives them the option to do digital paystubs via the pay company websites.

I got around to setting up my account on the pay company website today and ran into some unusual requirements for my password:
Passwords must meet the following complexity requirements:
Must be between 7 and 12 characters.
Must contain at least 1 upper case character.
Must contain at least 1 lower case character.
Must contain at least 1 numeric character.

Cannot contain any of the following characters: []|{}'()\/.,`>-_&=

There was also a button for generating a password to meet the requirements. Well sort of ...
I pushed the button and it popped up a window that contained a potential password and buttons for accept and cancel.
First FAIL - the password I was given only contained 6 characters
Well that doesn't meet the complexity requirements - I did attempt to use it and was told that the password was not valid.
Fine, I'll just push the generate password again.
Second FAIL - the password I am given only contains 6 characters. To be more specific, the same six characters I was given before. All right it was the same password entirely.

So I turned to my old standby KeePass to generate a new password. Set the requirements to 12 characters, upper case, lower case, and numeric and generated a new password, similar to this one: HZy2SIcH1wr3 . I then copied the password into the web page twice and pushed the submit button. I then received notice that I cannot use the number 3 in the password - huh? What an odd requirement. I checked back with the requirements section and sure enough it does say that the number 3 is not valid in the password scheme. I wonder what their reasoning is for the numbers 3 and 8 not being valid. I have sent an e-mail to their support, if I get a response I will pass a long the answer they provide.

If anyone has any insight as to why, I'd love to hear it. Adam Dodge already supplied one bit of humor:
Possible meeting notes for the discussion of password requirements
Fred: "I don't know Jim, people seem to like using 3 and 8..."
Jim: "Forget 'em"

Have a good day and be safe out there.