So I decided recently that my current password is too weak for my comfort level, so I went to change it on my online banking site, and found that my new password was invalid. So, fearing a “stupid programmer” moment, I clicked the help button (something I rarely do), and found this:
Your new password must be between 6 and 20 characters in length and contain at least one number. Your new password will not be case sensitive; there is no difference between “b” and “B”. Keep in mind that common words alone are not adequately secure. It is best to combine letters and numbers when formulating a password. Special characters such as %, #, *, (, &, @ and ! are not valid.
This terrifies me. Who in their right mind looks at the task of designing a banking system and says “we do not want to make those passwords too hard to remember, let’s remove all those silly symbols and cases”? Terrifying in its lack of common sense.
Even better is the concept that some programmer probably at some point explained to a manager why this was a technical requirement…and I bet he managed to keep a straight face during it.
Update: Even worse than that is the error I get when trying to set my new, more secure password (which contains more than 1 symbol, letter, and number) on my other online banking site: “Your online password must consist of at least 2 numbers and 1 letter.” Not only does it reject my password, it doesn’t even tell me why.
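To put numbers on the two complaints above, here is an added example (not code from the post or from either bank) that encodes the quoted rules as policy tables, computes how much the case-folding and symbol ban shrink the character set, and validates a password while returning the specific rule it breaks, which is the feedback the second site's error message lacks. The policy tables, the REFERENCE_POLICY baseline and the sample passwords are all constructed for illustration; only the 6–20 length, case-insensitivity, no-symbols, "at least one number" and "2 numbers and 1 letter" rules come from the post.

```python
import math
import string

# Constructed policy tables. BANK_POLICY encodes the rules the post quotes from
# the first site; SECOND_BANK_POLICY the "2 numbers and 1 letter" rule from the
# update; REFERENCE_POLICY is a hypothetical policy that keeps case and allows
# symbols, used only as a comparison baseline.
SYMBOLS = string.punctuation + " "   # 33 printable ASCII non-alphanumerics

BANK_POLICY = dict(min_len=6, max_len=20, case_sensitive=False,
                   allow_symbols=False, min_digits=1, min_letters=0)
SECOND_BANK_POLICY = dict(min_len=6, max_len=20, case_sensitive=False,
                          allow_symbols=False, min_digits=2, min_letters=1)
REFERENCE_POLICY = dict(min_len=12, max_len=64, case_sensitive=True,
                        allow_symbols=True, min_digits=0, min_letters=0)


def alphabet_size(policy):
    """Number of distinct characters a password can draw from under the policy."""
    letters = 52 if policy["case_sensitive"] else 26   # case-folding halves the letters
    symbols = len(SYMBOLS) if policy["allow_symbols"] else 0
    return letters + 10 + symbols                      # 10 digits always allowed


def max_entropy_bits(policy, length):
    """Upper bound on strength (bits) for a uniformly random password of this length."""
    return length * math.log2(alphabet_size(policy))


def normalize(password, policy):
    """What the server effectively compares: case-folded when the policy is insensitive."""
    return password if policy["case_sensitive"] else password.lower()


def check_password(password, policy):
    """Return the list of rules the password violates; an empty list means accepted.

    Each entry is a specific, user-facing reason rather than a bare rejection.
    """
    reasons = []
    n = len(password)
    if not policy["min_len"] <= n <= policy["max_len"]:
        reasons.append(f"length must be between {policy['min_len']} and "
                       f"{policy['max_len']} characters, found {n}")
    digits = sum(c.isdigit() for c in password)
    letters = sum(c.isalpha() for c in password)
    symbols = sum(c in SYMBOLS for c in password)
    if digits < policy["min_digits"]:
        reasons.append(f"must contain at least {policy['min_digits']} number(s), found {digits}")
    if letters < policy["min_letters"]:
        reasons.append(f"must contain at least {policy['min_letters']} letter(s), found {letters}")
    if symbols and not policy["allow_symbols"]:
        reasons.append(f"special characters are not allowed, found {symbols}")
    return reasons


if __name__ == "__main__":
    for name, pol in [("first bank", BANK_POLICY), ("reference", REFERENCE_POLICY)]:
        print(f"{name}: alphabet {alphabet_size(pol)}, "
              f"{max_entropy_bits(pol, pol['min_len']):.1f} bits at minimum length, "
              f"{max_entropy_bits(pol, 20):.1f} bits at 20 characters")
    # Constructed sample passwords, not real credentials
    for pw in ["Correct9Horse", "correct9horse", "Tr0ub4dor&3", "abc123x"]:
        print(pw, "->", check_password(pw, SECOND_BANK_POLICY) or "accepted")
```

Running it shows the first bank's rules cap a 20-character password at about 103 bits against roughly 131 bits for the same length with case and symbols allowed, and only about 31 bits at the 6-character minimum; it also shows that "Correct9Horse" and "correct9horse" are the same password under a case-insensitive policy, and that a rejection can name the rule ("must contain at least 2 number(s), found 1") instead of leaving the user guessing.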