234

Jetblue's password requirements specify that, among other stringent requirements:

Cannot contain a Q or Z

I can't fathom a logical reason for this, unless it were say, extremely common for the left side of keyboards to break, but then you wouldn't allow 'A' either :)

What would be the reason for this security requirement?

Mark Mayo

  • I would guess that it is for compatibility with legacy systems. Telephones did not use to have Q or Z. It's just a guess as to why it isn't a random two letters. – David Houde May 14 '14 at 01:13
  • The Sabre system was introduced in 2010 to jetblue if I am not mistaken, before that jetblue used a cheap system used by all LCCs called "Open Skies". This problem has nothing to do with Sabre System. – Nean Der Thal May 14 '14 at 02:41
  • It seems that the restriction is [documented but not enforced](https://twitter.com/__apf__/status/466327291027804160). – Ladadadada May 14 '14 at 08:30
  • The restriction is no longer listed on that page as of today. – tgies May 15 '14 at 14:03
  • @tgies I bet this probably woke them up to it. – Panzercrisis May 15 '14 at 16:05
  • [Here is another analysis of this question.](http://www.geek.com/apps/why-jetblue-doesnt-allow-q-or-z-in-its-passwords-1593844/) – Matthew Peters May 15 '14 at 20:25
  • Here's a [**cache of the page before Jetblue updated it**](https://web.archive.org/web/20140402111751/http://help.jetblue.com/SRVS/CGI-BIN/webisapi.dll?New,Kb=askBlue,case=obj%28403864%29). – blunders May 16 '14 at 00:41
  • now waiting for your passwords, and credit card numbers to get published, because they likely aren't hashing anything. – xenoterracide May 20 '14 at 03:55

7 Answers

275

It's a leftover from the time when keypads didn't have the letters Q and Z. Security-wise, there's no reason. It's just because of old systems.

To clarify:

You used to be able to enter your password over the phone. Some phones didn't have the letters Q or Z, like the one on the picture below.

[Image: a telephone keypad with no Q or Z on its keys]
Image courtesy: Bill Bradford on flickr.com

Because of this, passwords including these characters were disallowed. They haven't changed this requirement for whatever reason: Legacy systems, poor documentation, or they just don't care.

Amal Murali
Eric Lagergren

  • I found an image for [Proof](http://farm1.static.flickr.com/45/148973327_325aa5357d_m.jpg) – dnelson May 14 '14 at 01:28
  • Just wondering: _Why_ did some phones not have Q? (Z is obvious - because it would not fit anymore.) – magnattic May 14 '14 at 12:20
  • The Straight Dope has an answer for why Q was omitted... http://www.straightdope.com/columns/read/351/why-is-there-no-q-on-the-telephone-dial – visakh May 14 '14 at 12:29
  • Also, it seems that as need arose (in 40's and 50's), Q or Z made an appearance in the button for 0 – visakh May 14 '14 at 12:29
  • Also possible reason why it was not changed – Milan Halada May 14 '14 at 12:45
  • Uh... but they (JetBlue) also say that passwords are case sensitive. The phone pad explanation doesn't seem to fit with that. – Daniel May 14 '14 at 14:42
  • @visakh - Sometimes they're both on `0`. Sometimes `1`. Most often, I've seen `Q` shoved on 7 and `Z` on `9`. – Bobson May 14 '14 at 15:24
  • @Bobson may have hit on a more important reason: if the key that carries the Q or the Z is not definitive, then it makes it harder to provide a secure phone interface... since you'd have to allow 2 different numeric strings to be considered valid for a single password – Dancrumb May 14 '14 at 17:50
  • @Dancrumb that actually seems to be a reasonable answer -- couldn't it be both? – Eric Lagergren May 14 '14 at 21:46
  • So what was the reason behind not allowing any of the digits to have 4 letters on them? – dan04 May 15 '14 at 14:24
  • CNN has an [article](http://money.cnn.com/2014/05/14/technology/security/jetblue-password/index.html) about this today. – Andy May 15 '14 at 20:55
  • @Daniel: In addition to a hash of the password with preserved letter case they can also store a case-insensitive hash (e.g. of the password converted to upper-case) for authentication over phone keypads and rotary dialers. --- Of course this makes the authentication system much more vulnerable. – pabouk - Ukraine stay strong May 21 '14 at 07:53
  • @FeralOink pardon? Your answer to this question is nearly the same as mine yet you claim mine is incorrect? "However, rotary and touch-tone phones didn't have a Q or Z then." – Eric Lagergren May 22 '14 at 07:55
  • @FeralOink What isn't accurate? I'm not understanding. My answer, including edits, says the reason why there was a rule excluding the letters Q and Z from passwords was because old phones didn't have those letters. The phones are the root reason, not SABRE. SABRE didn't use those letters simply because they didn't exist on phones. Pedantry... – Eric Lagergren May 22 '14 at 08:06
20

On old phones, there were no letters "Q" or "Z": 7 is "PRS" and 9 is "WXY". So if you wanted to allow users to enter the password using the button on the phone, "Q" and "Z" presented a problem. Disallowing them is an easy—if somewhat crude—solution.

mishadynin

  • The real problem is that sometimes 7 was "PQRS" and 9 was "WXYZ", and sometimes they were "PRS" and "WXY" while 1 was "QZ". – corsiKa May 15 '14 at 17:12
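The keypad problem that the accepted answer and this answer describe, and that the Dancrumb and corsiKa comments sharpen (Q and Z missing from some pads and parked on different keys on others), can be made concrete. This is an added example, not code from any post on the page. The four pads are constructed from the ones the thread mentions (classic Bell with no Q/Z, ITU E.161 with PQRS/WXYZ, and variants with Q and Z on 1 or on 0); the digit strings are what a caller would key in, which is why letter case disappears, the point Daniel's comment raises.

```python
import string

# Constructed keypad layouts (digit -> letters) taken from the pads the
# thread mentions. Only these four are modelled; real phones varied more.
KEYPADS = {
    "bell_no_qz": {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
                   "6": "MNO", "7": "PRS", "8": "TUV", "9": "WXY"},
    "itu_e161":   {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
                   "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"},
    "qz_on_1":    {"1": "QZ", "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
                   "6": "MNO", "7": "PRS", "8": "TUV", "9": "WXY"},
    "qz_on_0":    {"0": "QZ", "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
                   "6": "MNO", "7": "PRS", "8": "TUV", "9": "WXY"},
}


def letter_map(keypad):
    """Invert digit -> letters into letter -> digit."""
    return {ch: digit for digit, letters in keypad.items() for ch in letters}


def keypad_encode(password, keypad):
    """Digit string a caller keys in for `password` on this pad, or None if
    some character has no key. Case is lost: a keypad is case-insensitive."""
    lm = letter_map(keypad)
    out = []
    for ch in password.upper():
        if ch.isdigit():
            out.append(ch)
        elif ch in lm:
            out.append(lm[ch])
        else:
            return None
    return "".join(out)


def phone_encodings(password, keypads=KEYPADS):
    """All distinct digit strings across the pads (None = not enterable on one)."""
    return {keypad_encode(password, pad) for pad in keypads.values()}


def is_phone_safe(password, keypads=KEYPADS):
    """True only if every pad produces the same single digit string, i.e. the
    phone-side verifier would never have to accept two numeric variants."""
    encs = phone_encodings(password, keypads)
    return len(encs) == 1 and None not in encs


def unstable_letters(keypads=KEYPADS):
    """Letters that are missing from, or mapped differently by, some pad.
    These are exactly the letters a blanket ban would have to cover."""
    maps = [letter_map(pad) for pad in keypads.values()]
    return {ch for ch in string.ascii_uppercase
            if len({m.get(ch) for m in maps}) > 1}


if __name__ == "__main__":
    for pw in ("JetBlue", "quiz"):
        print(pw, sorted(phone_encodings(pw), key=str), is_phone_safe(pw))
    print("letters needing a ban:", sorted(unstable_letters()))
```

Running it shows that "JetBlue" keys in as the same string on every pad, "quiz" keys in three different ways and is unenterable on the Bell pad, and the set of letters that differ between pads is exactly {Q, Z}: banning those two was the minimal rule that made the phone path unambiguous, at the cost of folding case for every password on that path.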
14

There is direct confirmation from Jetblue via CNN now.

American Airlines and IBM developed SABRE to facilitate making travel reservations by telephone at scale, in real time, in the late 1960's. However, rotary and touch-tone phones didn't have a Q or Z then.

The number 1 belonged to long distance calls, and 0 for the operator. That left eight numbers to cover the entire alphabet. Bell Telephone Company assigned three letters to each number and left out the two letters we use least: 'Q' and 'Z.' That's how airlines became dependent on a phone-based reservation system with a limited alphabet.

Sabre still exists, and partners with most airlines, including JetBlue. JetBlue told CNN that the "no Q or Z" rule still applies for JetBlue employees accessing Sabre. JetBlue passed the restriction along to TrueBlue members for their passwords, as described in the company password FAQ.

The rule was quietly dropped and is no longer active. You can currently create nearly any password you want, as long as it's between eight and 20 characters. JetBlue told CNN it's now updating its FAQ page, but the company wouldn't comment on when they changed the rule.

Qs and Zs are allowed now. It is not a legacy system holdover for Sabre, but it was for retail customers.

Ellie Kesselman
8

As other people have commented, it's a leftover from telephone dials and TouchTone(tm) pads initially not having Q or Z on them, and not having consistent locations when they were added by various manufacturers in various countries, and some systems that needed the option to set your password on a computer keyboard but later also log in from a phone keypad.

A user interface design conference at Bell Labs I went to back around 1990 had one session on the "Where to put Q and Z on a TouchTone(tm) pad" problem. The speaker referred to it as "The issue that just won't die."

It was pretty well attended, because it was at a convenient time, and an issue that everybody could intuitively understand and appreciate. The problem and solutions are simple and arbitrary and any one you choose has problems with it, or sometimes more problems.

user46642
5

Pure speculation, but Q and Z are the least frequently occurring letters in English. To an attacker watching a stream of input characters, perhaps from a phone on a nearby table, Q and Z could signal a randomly generated password.

  • Unlike, say, `JHKNBTRW`? – user May 15 '14 at 14:47
  • @MichaelKjörling Your example requires looking at context already. Catching your example is definitely harder than just looking for Qs and Zs (and requires less resources). – 11684 May 15 '14 at 16:05
4

Fundamentally, there is not any outright technological reason to ban these two characters from passwords.

That being said, JetBlue may (and it's impossible for us to know for certain without confirmation from JetBlue) have either:

  1. Business Logic that dictates such a ban (though I, like you, can't fathom a reason)
  2. Legacy code in their systems that prevents the usage of these characters or their web app may import user accounts into other legacy systems that have such a ban in place, so they "bubble up" that requirement to the web app. This is not uncommon in web apps that interface with older AS/400 (IBM iSeries) or mainframe systems.

Given that most modern web platforms allow for escaping pretty much any character in the ASCII set, I personally find that banning characters from passwords is normally just due to companies not wanting to update their code to properly escape the input users supply. YMMV

According to the wikipedia article on password strength (http://en.wikipedia.org/wiki/Password_strength), prohibiting characters only REALLY serves to REDUCE the desired entropy of a given password, making it easier to brute-force crack. Therefore, from a technical perspective, it appears that JetBlue's password policy actually results in a system with easier-to-hack passwords.

Unfortunately, I think all of this is merely speculation unless there's a JetBlue representative on the site who's willing to offer an official explanation of the policy...

  • The other answer proves there is a possible reason: ability to enter it on a 10-key phone keypad. – nobody May 14 '14 at 01:37
  • AS/400 systems do indeed allow for all keyspace, except they are case-insensitive. (I have one at work). – SnakeDoc May 14 '14 at 01:43
  • Indeed, a key weakness of the German Enigma machines was that they would not encode a letter as itself - as that reduced the entropy of the encrypted message it gave the Poles/Bletchley Park a good start – adrianmcmenamin May 14 '14 at 12:11
  • @AndrewMedico, A legacy system that expected to deal with a phone keypad lacking Q and Z may have been the reason for the restriction in the web app, as Bryan suggests. However, as mentioned in the comments on the question, the QZ restriction wasn't being enforced, and is now removed from the documentation. Maybe one of their developers frequents security.SE? :) – Brian S May 15 '14 at 19:21
3

The reason would be to have less work for the administrator in an environment with multiple keyboard layouts.

Considering AZERTY and QWERTY keyboard layouts, all keys are the same, except Q - A, W - Z and ; - M.

Therefore it could be useful to avoid QWAZM in passwords because it makes them easier to type on different keyboard layouts.

Of course, since you would also have to enter digits and special characters, and those are all in different locations on each layout, it might not be too useful to filter out those letters, anyways.

Steven Volckaert

  • I suspect it's historically more what the accepted answer said, but I do like this answer a lot. – Mark Mayo May 14 '14 at 07:02
  • If different keyboard layouts were the issue, passwords would only be able to have digits (and possibly the punctuation marks from Shift+digit). Dvorak and QWERTY only match on the digit keys and the letters A and M. AZERTY doesn't even match on the letters. – cHao May 14 '14 at 15:42
  • @cHao Shifted alphanumeric section numbers keys vary wildly with keyboard region. On mine, it's `!"#¤%&/()=?` for what unshifted is `1234567890+`. On a US keyboard, for a start, Shift+4 gives `$` and the parentheses are shifted rightwards by one key position. – user May 15 '14 at 14:51
  • A creative answer, but I'm not sure, if this was the case, then more letters would have to be banned (like A, W, etc.) because they share the same problem, isn't it? – Fernando Gonzalez Sanchez May 15 '14 at 19:11
  • I do actively avoid using some punctuation characters in passwords I have to type, because on both Windows and Ubuntu my keyboard occasionally [switches to American for no apparent reason](http://askubuntu.com/q/638420/652). – TRiG Jul 29 '16 at 09:47
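To check this answer's "QWAZM" claim and cHao's reply about Dvorak mechanically: this is an added example, not the answer's own code. The row strings are my transcription of the three letter rows of each layout (an assumption; national variants differ), and the digit and shifted-symbol rows are left out on purpose because, as the comments note, those vary even more.

```python
import string

# Constructed layouts: the three letter rows of each, left to right, one
# string per physical row, so index (row, column) identifies the same key.
LAYOUTS = {
    "qwerty": ["qwertyuiop", "asdfghjkl;", "zxcvbnm,./"],
    "azerty": ["azertyuiop", "qsdfghjklm", "wxcvbn,;:!"],
    "dvorak": ["',.pyfgcrl", "aoeuidhtns", ";qjkxbmwvz"],
}


def key_positions(layout):
    """Map character -> (row, column) for one layout."""
    return {ch: (r, c) for r, row in enumerate(layout) for c, ch in enumerate(row)}


def layout_invariant_chars(layouts):
    """Characters that sit on the same physical key in every given layout."""
    maps = [key_positions(l) for l in layouts]
    common = set(maps[0])
    for m in maps[1:]:
        common &= set(m)
    return {ch for ch in common if len({m[ch] for m in maps}) == 1}


def layout_unsafe_letters(layouts):
    """Letters whose physical key moves between layouts; with QWERTY and
    AZERTY this is the answer's QWAZM set."""
    invariant = layout_invariant_chars(layouts)
    return {ch for ch in string.ascii_lowercase if ch not in invariant}


def typed_as(password, from_layout, to_layout):
    """What a user who types `password` by finger position on `from_layout`
    actually sends when the OS has silently switched to `to_layout`
    (the failure TRiG's comment describes). Characters not on the letter
    rows are assumed to stay put."""
    pos = key_positions(from_layout)
    out = []
    for ch in password:
        if ch.lower() not in pos:
            out.append(ch)
            continue
        r, c = pos[ch.lower()]
        t = to_layout[r][c]
        out.append(t.upper() if ch.isupper() else t)
    return "".join(out)


if __name__ == "__main__":
    q, a, d = LAYOUTS["qwerty"], LAYOUTS["azerty"], LAYOUTS["dvorak"]
    print("QWERTY vs AZERTY moves:", sorted(layout_unsafe_letters([q, a])))
    print("QWERTY vs Dvorak stays:", sorted(layout_invariant_chars([q, d]) & set(string.ascii_lowercase)))
    print("all three stay:", sorted(layout_invariant_chars([q, a, d]) & set(string.ascii_lowercase)))
    print("'Quiz' on AZERTY ->", typed_as("Quiz", q, a))
```

The QWERTY/AZERTY comparison yields exactly a, q, w, z and m; adding Dvorak leaves only a and m against QWERTY, and no letter at all survives all three, which is cHao's point that a layout-motivated policy could not stop at two letters.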