04 October 2007

Security by idiots

Oxford has set up an online registration system, which requires a username/password separate from any of my existing usernames (one is college-specific, the other two are department-specific). Fine, whatever. But what are the constraints on password choice?

  1. At least eight characters - totally standard.

  2. Letters and numbers, but no special characters - OK, this isn't the end of the world, but it definitely makes my password weaker than it could be.

  3. Case insensitive - OK, this is just insane. You've nearly halved the total space of password characters. Combined with (2) this reduces the complexity of an 8 character password by two orders of magnitude.

  4. No repeating characters - A classic example of something that sounds good but in fact accomplishes the exact opposite of the goal. Strings purged of repeating characters are inherently less random than what would occur by chance. This once again cripples the strength of the password, as well as forcing people to avoid certain strings that might be more memorable to them.
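To put numbers on points (2) to (4), here is an added worked calculation of the password space under each rule (my own example, not part of the original post). It assumes the "letters and numbers" set is the 36 case-folded ASCII alphanumerics, compared against the 62 case-sensitive ones and all 95 printable ASCII characters, and it works out both readings of "no repeating characters" (no two adjacent characters equal, and all eight characters distinct).

```python
from math import log2, perm

# Constructed alphabet sizes (assumption: ASCII character classes).
PRINTABLE = 95      # all printable ASCII: letters, digits, punctuation, space
ALNUM_CASE = 62     # a-z, A-Z, 0-9 (rule 2 alone)
ALNUM_NOCASE = 36   # a-z, 0-9 after case folding (rules 2 + 3)


def password_space(alphabet: int, length: int, repeats: str = "allowed") -> int:
    """Count distinct passwords of `length` symbols drawn from `alphabet`.

    repeats:
      "allowed"     - any symbol may recur: alphabet ** length
      "no_adjacent" - consecutive symbols differ: alphabet * (alphabet-1)**(length-1)
      "none"        - all symbols distinct: alphabet P length (falling factorial)
    """
    if repeats == "allowed":
        return alphabet ** length
    if repeats == "no_adjacent":
        return alphabet * (alphabet - 1) ** (length - 1)
    if repeats == "none":
        return perm(alphabet, length)
    raise ValueError(f"unknown repeats mode: {repeats}")


def entropy_bits(space: int) -> float:
    """Bits of entropy for a password chosen uniformly from `space` candidates."""
    return log2(space)


def policy_table(length: int = 8) -> dict:
    """Password space at the same length under each successive rule."""
    policies = {
        "printable, case-sensitive":       (PRINTABLE, "allowed"),
        "alnum, case-sensitive (rule 2)":  (ALNUM_CASE, "allowed"),
        "alnum, case-folded (rules 2+3)":  (ALNUM_NOCASE, "allowed"),
        "+ no adjacent repeats (rule 4a)": (ALNUM_NOCASE, "no_adjacent"),
        "+ all characters distinct (4b)":  (ALNUM_NOCASE, "none"),
    }
    return {name: password_space(a, length, r) for name, (a, r) in policies.items()}


def shrink_factor(baseline: int, restricted: int) -> float:
    """How many times smaller the restricted space is than the baseline."""
    return baseline / restricted


if __name__ == "__main__":
    table = policy_table()
    base = table["printable, case-sensitive"]
    for name, space in table.items():
        print(f"{name:34s} {space:22,d}  {entropy_bits(space):5.1f} bits  "
              f"{shrink_factor(base, space):8.0f}x smaller than printable")
```

Going from 62 case-sensitive alphanumerics to 36 case-folded ones shrinks the 8-character space by a factor of about 77, and the "all distinct" reading of rule 4 removes well over half of what is left.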

Oxford IS gets a D plus.

