To go along with my password article, here’s one showing the bad side of passwords. This is a copy of the “password rules” for Intel’s website, which I use for getting access to their licensed compilers. Before 1Password, the rules here were so draconian that I took to writing the password down on a piece of paper (yes, a sysadmin doing exactly what he tells people not to do!) There was no way I could follow their rules and remember a password when I only use it maybe twice a year; especially since they require it be changed every couple months, so every time I’d use it I’d have to change it! This proves that a password policy can be too “secure” – so much so that it drives security all the way back to the point where you might as well not ask for a password at all, since they no longer hold any meaning (or real security).
Password Rules:
- The password must be at least eight characters long, and can contain letters, numbers, and punctuation.
- It must not exceed fourteen (14) characters.
- It must contain at least one alpha character [a-z; A-Z], one numeric [0-9] and one special character [`! @$%^&*()-_=+[];:'",<.>/?].
- It cannot contain spaces.
- The password cannot be the same as any of your previous eight (8) passwords.
- It cannot contain your login id.
- It may not contain any of the following special characters: Asterisk (*) Comma (,) Backslash ( /) Forward Slash (\).
It must not:
- Be a name (your own, family members, pets, or famous people)
- Be your social security number, driver’s license number, passport number or some other identification number.
- Be repeating numbers, letters or characters (111111, aaaaaa, !!!!!!)
- Be a number or character combinations that are next to each other on the keyboard (123456, asdfgh)
- Be a dictionary word of any language
- Begin with an exclamation point (!) or question mark (?)
- Contain your IDSID or WWID
- Have the same first three characters.
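
To make the friction concrete, here is an added example (not Intel's code and not part of the original post) that encodes the mechanically checkable rules above as a validator and works out which special characters survive once the later "may not contain" rule is subtracted from the required list. Assumptions: ASCII quotes in the special-character list, "same first three characters" read as three identical leading characters, and a made-up login id `jdoe`; rules that need a dictionary or name list are left out.

```python
# Added example: the page's mechanically checkable rules as a validator.
LISTED_SPECIALS = set("`!@$%^&*()-_=+[];:'\",<.>/?")   # required-special list (ASCII quotes assumed)
BANNED_SPECIALS = set("*,\\/")                          # the later "may not contain" rule
EFFECTIVE_SPECIALS = LISTED_SPECIALS - BANNED_SPECIALS  # what can really satisfy the requirement


def violations(password, login_id, previous=()):
    """Return the list of rules the candidate breaks (empty list = accepted)."""
    found = []
    if len(password) < 8:
        found.append("shorter than 8 characters")
    if len(password) > 14:
        found.append("longer than 14 characters")
    if not any(c.isascii() and c.isalpha() for c in password):
        found.append("no alpha character")
    if not any(c in "0123456789" for c in password):
        found.append("no numeric character")
    if not any(c in EFFECTIVE_SPECIALS for c in password):
        found.append("no permitted special character")
    if " " in password:
        found.append("contains a space")
    if any(c in BANNED_SPECIALS for c in password):
        found.append("contains a banned special character")
    if login_id and login_id.lower() in password.lower():
        found.append("contains the login id")
    # Plaintext history is used only to keep the example short;
    # a real system would compare against stored password hashes.
    if password in list(previous)[-8:]:
        found.append("matches one of the previous eight passwords")
    if password[:1] in ("!", "?"):
        found.append("begins with ! or ?")
    # Assumption: "same first three characters" means the first three are identical.
    if len(password) >= 3 and len(set(password[:3])) == 1:
        found.append("first three characters are the same")
    return found


if __name__ == "__main__":
    # Constructed sample inputs; "jdoe" is a made-up login id.
    for candidate in ("correct horse battery staple", "Abcdef1*", "Tr4vel-Mug_09"):
        print(repr(candidate), violations(candidate, "jdoe"))
```

A long passphrase is rejected on four counts, while a 13-character string of mixed symbols passes, and a password whose only special character is an asterisk fails twice because the same character is both listed and banned.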