No good password goes unpunished

Sharky | Sept. 21, 2015
Consultant pilot fish is paying his bills online, but for some reason his health insurance company's website won't let him log in.

"I tried twice, and it rejected either my user name or my password both times," fish says. "It also warned me I'd be locked out after a third try, so I waited a few hours and tried again. Still no luck."

Fortunately, fish is able to find a website-support number on the insurance company's public website. After a few minutes on hold, he gets a support rep who requests his policy number and then asks what the problem is.

Fish explains that he's trying to log in with the same user name and password that worked when he paid his bill the month before, but now it's not working. "Is there a known issue on your system, or is there a problem with my account?" he asks.

There is an issue that might be causing the problem, support rep tells fish. It seems that at the start of the month, security was switched from supporting passwords between six and eight characters long to supporting passwords that are up to 15 characters, and customers with the longer passwords are now having problems.

Fish assures the rep that his password is more than eight characters long.

"Try logging in with just the first eight characters," rep says.

Fish does. It works. Then, once he's logged in, the support rep walks him through changing his password from that eight-character version to his full password.

And before he hangs up to finish paying his bill, fish thanks the support rep and wishes her luck dealing with all the other customers who chose long passwords because they thought they'd be more secure.

"But they were throwing away anything in a password beyond eight characters," grumbles fish. "And then after the security upgrade, the people who had longer, better passwords were the ones who were punished for it.

"At least they used bounds checking to confirm input length..."
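The failure mode behind this story is silent truncation: the old system hashed only the first eight characters of a password, and the "upgrade" started hashing the whole string without migrating the stored digests, so every long password suddenly failed while its eight-character prefix still worked. The example below is added here and is not code from Computerworld or the insurer; it models both the broken upgrade and the scheme-tagged migration that avoids it. PBKDF2-SHA256, the iteration count, the `legacy8`/`full` scheme labels and the sample password are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Tuple

LEGACY_MAX_LEN = 8     # the old system kept only the first 8 characters (per the story)
ITERATIONS = 100_000   # PBKDF2 work factor; constructed value for this example


def _pbkdf2(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


@dataclass
class Record:
    scheme: str    # "legacy8": digest covers password[:8]; "full": digest covers the whole password
    salt: bytes
    digest: bytes


def hash_legacy8(password: str, salt: bytes) -> bytes:
    # Silent truncation: anything beyond 8 characters is discarded before hashing,
    # so "correcthorse" and "correcthorsebattery" produce the same digest.
    return _pbkdf2(password[:LEGACY_MAX_LEN], salt)


def hash_full(password: str, salt: bytes) -> bytes:
    return _pbkdf2(password, salt)


def enroll_legacy(password: str) -> Record:
    salt = os.urandom(16)
    return Record("legacy8", salt, hash_legacy8(password, salt))


def verify_naive_after_upgrade(record: Record, password: str) -> bool:
    """The broken upgrade: hash the full password and compare it with a digest
    that was computed over only the first 8 characters. Long passwords fail;
    their 8-character prefix still passes."""
    return hmac.compare_digest(record.digest, hash_full(password, record.salt))


def verify_and_migrate(record: Record, password: str) -> Tuple[bool, Record]:
    """Scheme-aware check: verify under the scheme the digest was produced with,
    then, on success, rehash under the full scheme so the record is upgraded
    transparently at the user's next login instead of locking them out."""
    if record.scheme == "legacy8":
        ok = hmac.compare_digest(record.digest, hash_legacy8(password, record.salt))
    elif record.scheme == "full":
        ok = hmac.compare_digest(record.digest, hash_full(password, record.salt))
    else:
        ok = False
    if ok and record.scheme != "full":
        salt = os.urandom(16)
        record = Record("full", salt, hash_full(password, salt))
    return ok, record


def demo() -> Tuple[bool, bool, bool, str, bool]:
    long_pw = "correcthorsebattery"   # constructed 19-character password
    rec = enroll_legacy(long_pw)

    naive_full = verify_naive_after_upgrade(rec, long_pw)        # False: the story's lockout
    naive_prefix = verify_naive_after_upgrade(rec, long_pw[:8])  # True: the "first eight characters" workaround

    ok, upgraded = verify_and_migrate(rec, long_pw)             # True, and the record is rehashed
    prefix_after = verify_and_migrate(upgraded, long_pw[:8])[0]  # False: the full password is now required
    return naive_full, naive_prefix, ok, upgraded.scheme, prefix_after


if __name__ == "__main__":
    print(demo())
```

The scheme tag on each record is the part the insurer evidently lacked: without it the verifier cannot know how a stored digest was produced, so the only ways forward are a mass password reset or, as here, telling every affected customer to type eight characters and then change their password by hand.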

Source: Computerworld