Questions tagged [password-policy]

A set of requirements regarding password creation, storage, and usage. These requirements often constrain several characteristics of passwords. So, a password policy is a set of rules designed to enhance computer security by encouraging users to employ strong passwords and use them properly.

497 questions
862 votes, 14 answers

What technical reasons are there to have low maximum password lengths?

I have always wondered why so many websites have very firm restrictions on password length (exactly 8 characters, up to 8 characters, etc). These tend to be banks or other sites where I actually care about their security. I understand most people…
enderland
234 votes, 7 answers

Why would you not permit Q or Z in passwords?

Jetblue's password requirements specify, among other stringent requirements: "Cannot contain a Q or Z". I can't fathom a logical reason for this, unless it were, say, extremely common for the left side of keyboards to break, but then you wouldn't…
Mark Mayo
186 votes, 9 answers

Is the NHS wrong about passwords?

An NHS doctor I know recently had to do their online mandatory training questionnaire, which asks a bunch of questions about clinical practice, safety and security. This same questionnaire will have been sent to all the doctors in this NHS…
Robin Winslow
157 votes, 17 answers

Is the BBC’s advice on choosing a password sensible?

In this article on the BBC's website they offer advice on how to develop a password. The steps are as follows. Step 1: Choose an artist (a recording artist, I presume). Let's choose as an example case study the teen idol and all-round bad boy Justin…
TheJulyPlot
137 votes, 11 answers

Why not allow spaces in a password?

"Your password can't contain spaces." is a message I see from some websites, including 1. Why? (This question is very similar to Why Disallow Special Characters In a Password?, but the answers there don't seem to apply to the space…
David Cary
109 votes, 7 answers

Is saving passwords in Chrome as safe as using LastPass if you leave it signed in?

Justin Schuh defended Google's reasoning in the wake of this post detailing the "discovery" (sic) that passwords saved in the Chrome password manager can be viewed in plaintext. Let me just directly quote him: I'm the Chrome browser security tech…
brentonstrine
107 votes, 5 answers

How can waiting 24 hours to change the password again be secure?

So I managed to change my password on a service to the "wrong" password; for simplicity, let's just say I changed it to an insecure password. Now I wanted to change it to a more secure password, but instead I got a nice error message: The password…
ZN13
102 votes, 6 answers

What is the purpose of confirming old password to create a new password?

Suppose that someone stole my password; he/she can easily change it by confirming the old password. So I am curious why we need that step, and what the purpose of the old password confirmation is.
ronaldtgi
101 votes, 3 answers

Why is Sojdlg123aljg a common password?

I was going through the list of top 100K passwords and found Sojdlg123aljg near the top of the list. Does anyone have any idea why this is such a common password?
98 votes, 13 answers

Is a 6 digit numerical password secure enough for online banking?

My bank went through a major redesign of their customer online banking system recently. The way security is managed across the platform was also reviewed. The password I am able to set now to log in is forced to be 6 digits long, numerical. This…
mika
97 votes, 10 answers

If a provider sees the last 4 characters of my password, can they see it in full?

I have some domains/websites as well as emails with Bluehost. Every time I need support, they need the last 4 characters of my main password for the account. They cannot tell me how they store the password, so I am intrigued in how they could…
89 votes, 12 answers

IT will only give password over phone - but is that really more secure than email?

Every year an automated password reset occurs on a VPN account that I use to connect to the institution's servers. The VPN accounts/passwords are managed by the institution's IT department, so I have to send an email every year to follow up with the…
Chris Cirefice
75 votes, 10 answers

Why Disallow Special Characters In a Password?

The culprit in this case is a particular (and particularly large) bank that does not allow special characters (of any sort) in their passwords: just [a-Z 1-9]. Is there any valid reason for doing this? It seems counterproductive to stunt password…
Gary
75 votes, 10 answers

What is worse for password strength, a poor password policy or no password policy at all?

Recently I saw the following screenshot on Twitter, describing an obviously terrible password policy: I wonder what is worse for password strength: having no password policy at all, or a poor password policy (like the one described in the screenshot)?
Bob Ortiz
73 votes, 8 answers

Is displaying remaining password retry count a security risk?

Some websites display a remaining password retry count when I input wrong passwords more than twice, for example displaying that there are 3 retries remaining until my account is locked out. Is this dangerous from a security perspective?
Ahmet Arslan