techcloud.com: a blog about web 2.0, search, cloud, collaboration, Ruby on Rails, Microsoft, Google, and other fun stuff

Dumb Password Policies

Apparently, I am not the only one sick and tired of websites forcing me to use overly complex passwords. The rules are arcane, not standardized, and unnecessary in the world of OpenID.

Why do I need an uppercase character?

Why do I need three numbers, a special character, and an ümlaut?

Why does my bank let me choose a reasonably complex password, but the Web 2.0 thingamabob requires me to drip blood on my keyboard to get past its rules?

Developers at these sites – please stop! Let me use a password 6-8 characters in length, with anything I want in it. Have a blacklist of obvious passwords, and leave the rest to the users. Better yet – use OpenID!

I want to call special attention to the biggest violator of all, ADP.  Researching this post, I found this from Jeremy Zawodny that sent shivers down my spine.  You see, I used to manage payroll with ADP and I remember the frustration of their password rules (and frequency of change requirements).

Here is a taste:

Passwords must:

  • contain a number
  • contain an uppercase letter
  • contain a lowercase letter
  • be at least 8 characters in length
  • be fewer than 15 characters in length
  • contain a "special" character
  • not be recycled (though this is not explicitly listed, it's true)
  • not contain more than 3 repeating characters ("zzz", "aaa", etc.)
  • not contain more than 3 incremented or decremented numeric strings ("123", "876", etc.)
  • not contain more than 3 incremented or decremented alphabetic strings ("abc", "zyx", "mno", etc.)

You could argue "Hey, it's PAYROLL, so what if it's a bit more secure?" but please, are all of these rules required? Is it really more secure, or is there a much bigger risk from social engineering than from brute-force hacking?
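To make that question concrete, here is an added example (mine, not ADP's code and not from the original post) that implements the quoted rule list as a checker. It assumes "more than 3" is read as any run of three or more characters, as the post's own examples suggest, and skips the recycling rule since that needs password history; the sample passwords are constructed.

```python
import string

# Added example: a checker for the ADP password rules quoted above.
# Assumptions: "more than 3 repeating / incremented / decremented" is read as
# any run of three or more such characters, matching the post's own examples
# ("zzz", "123", "abc"); the "not recycled" rule needs password history and
# is not modelled.  Sample passwords below are constructed for illustration.

SPECIALS = set(string.punctuation)

def _has_run(text, chars, step):
    """True if text has three consecutive chars from `chars` whose code
    points change by `step` each time (0 = repeated, 1 = up, -1 = down)."""
    for i in range(len(text) - 2):
        a, b, c = text[i], text[i + 1], text[i + 2]
        if a in chars and b in chars and c in chars:
            if ord(b) - ord(a) == step and ord(c) - ord(b) == step:
                return True
    return False

def violations(pw):
    """Return the ADP rules that `pw` breaks; an empty list means accepted."""
    broken = []
    if len(pw) < 8:
        broken.append("shorter than 8")
    if len(pw) >= 15:
        broken.append("not fewer than 15")
    if not any(c.isdigit() for c in pw):
        broken.append("no number")
    if not any(c.isupper() for c in pw):
        broken.append("no uppercase")
    if not any(c.islower() for c in pw):
        broken.append("no lowercase")
    if not any(c in SPECIALS for c in pw):
        broken.append("no special character")
    if _has_run(pw, set(pw), 0):
        broken.append("repeated characters")
    for step in (1, -1):
        if _has_run(pw, set(string.digits), step):
            broken.append("numeric sequence")
        if _has_run(pw.lower(), set(string.ascii_lowercase), step):
            broken.append("alphabetic sequence")
    return broken

if __name__ == "__main__":
    # "Password1!" satisfies every rule yet is exactly the kind of obvious
    # password a blacklist would catch; the long passphrase fails on four counts.
    for sample in ("Password1!", "correct horse battery staple", "Abc12345!"):
        print(repr(sample), "->", violations(sample) or "accepted")
```

Running it shows the policy accepting "Password1!" while rejecting a 28-character passphrase, which is the gap between rule compliance and actual guessing resistance the post is complaining about.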

2 Comments

  1. Matt Platte
    Posted December 24, 2008 at 2:47 pm | Permalink

    Like our U.S. national Transportation Security Administration, what’s important is the *appearance* of security.

  2. Posted January 30, 2009 at 10:38 am | Permalink

    passwordmaker is your friend.
