Password security – even big names fail

Great mate Barry and I did a podcast yesterday. In and around the podcast, we chatted about password security, a subject not missed by fellow great mate Alan – he’s a great fan of pass phrases (i.e. a sentence instead of a single word). So yesterday, whilst in London, Barry picked up an Oyster card application form – I’m kind of interested in getting one, if only to maintain the stereotype of a Scotsman (although Mr Smeaton has changed that!)

Imagine my surprise at reading section 3. Password:

What’s this all about? A password is now called an answer. The password can’t be longer than 18 characters and cannot use spaces or punctuation? Adding a space or two and some punctuation is the first step to making a strong or secure password. Limiting it to 18 characters, including numerical values, rules out pass phrases (which are harder to guess and less prone to dictionary attacks). But the other answers on this part of the form can include spaces. Your mother’s maiden name? Does it have spaces?
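To make the effect of those rules concrete, here is a small Python script I have added (it is not from the post, the form, or Transport for London) that encodes the form’s constraints as the post describes them and estimates the search space an attacker faces. The allowed character set (letters and digits only) is my reading of “no spaces or punctuation”; the candidate passwords and the 7,776-word dictionary size used for the pass phrase estimate are constructed values, not anything on the form.

```python
import math
import string

# Constraints transcribed from the form as the post describes them (assumption:
# "no spaces or punctuation" means letters and digits only).
FORM_MAX_LEN = 18
FORM_ALLOWED = set(string.ascii_letters + string.digits)


def form_accepts(candidate: str) -> bool:
    """True if the candidate satisfies the form's 'answer' rules."""
    return 0 < len(candidate) <= FORM_MAX_LEN and set(candidate) <= FORM_ALLOWED


def charset_size(candidate: str) -> int:
    """Size of the union of character classes the candidate draws from.

    Used for the brute-force estimate below, which assumes the attacker
    knows only the length and the classes in use.
    """
    size = 0
    if any(c.islower() for c in candidate):
        size += 26
    if any(c.isupper() for c in candidate):
        size += 26
    if any(c.isdigit() for c in candidate):
        size += 10
    if any(c == " " or c in string.punctuation for c in candidate):
        size += len(string.punctuation) + 1  # 32 punctuation marks plus space
    return size


def brute_force_bits(candidate: str) -> float:
    """log2 of the keyspace for an exhaustive search over the classes used."""
    return len(candidate) * math.log2(charset_size(candidate))


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Entropy of a pass phrase whose words are drawn uniformly from a
    dictionary of dictionary_size words; this is the honest estimate when the
    attacker guesses whole words rather than characters."""
    return words * math.log2(dictionary_size)


def max_form_bits() -> float:
    """Upper bound the form's rules allow: 18 characters from 62 alphanumerics."""
    return FORM_MAX_LEN * math.log2(len(FORM_ALLOWED))


if __name__ == "__main__":
    # Constructed sample passwords for illustration only.
    samples = [
        "Tr0ubador12",                   # short, alphanumeric: the form takes it
        "correct horse battery staple",  # 4-word pass phrase: rejected (spaces, 28 chars)
        "Tea-break at 4pm!",             # 17 chars, but punctuation and spaces: rejected
    ]
    print(f"Form's best case: {max_form_bits():.1f} bits (18 random alphanumerics)")
    for s in samples:
        verdict = "accepted" if form_accepts(s) else "REJECTED"
        print(f"{s!r}: {verdict}, brute-force keyspace {brute_force_bits(s):.1f} bits")
    print(f"4 words from a 7,776-word list: {passphrase_bits(4, 7776):.1f} bits")
    print(f"6 words from a 7,776-word list: {passphrase_bits(6, 7776):.1f} bits")
```

Note the two different estimates. An attacker who does not know a pass phrase is made of dictionary words must search character by character, where the long phrase with spaces looks enormous; one who does know (the dictionary attack the post mentions) faces the word-count estimate instead, and a six-word phrase still lands in the same region as the form’s theoretical 18-character maximum. The difference is that people can remember a six-word sentence, while almost nobody picks 18 genuinely random alphanumerics, and the form rejects the sentence outright.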

Better wording of this question and more flexibility for the password are required…surely?

