The Joel on Software Discussion Group (CLOSED)

SallieMae doesn't allow strong passwords?!?

I just tried to change my password with my SallieMae account.

I get this:

"The following errors were encountered:
  1. Password cannot contain special characters."

What sort of boneheaded security is that?

For those of you who don't know, SallieMae is a financial institution, and they deal with a lot of student loans.
Eric D. Burdo
Tuesday, May 08, 2007
That's awesome.

They should go a step further and allow you to select your password from a dropdown!  That way, we'll never forget our passwords!
bob, from accounting
Tuesday, May 08, 2007
I'd guess that someone put in a hack to fix a SQL injection vulnerability.  How 'special' does the character have to be?  Even if it is case insensitive and limited to only 8 A-Z characters, that's still over 208 billion unique passwords.
R1ch
Tuesday, May 08, 2007
I once had a system tell me that my *username* had to contain a number.
John Cromartie
Tuesday, May 08, 2007
I also found out after I recently moved that their site won't accept city names longer than 12 characters or something like that.
SM
Tuesday, May 08, 2007
Heh.  When I first read this, I thought he meant they wouldn't accept profanity as passwords.  "strong language", you see.
Tuesday, May 08, 2007
You'd be surprised how many financial ones don't.  Of the 5 or so that I have accounts at, 3 of them don't allow it.  Strangely, those same ones take security so seriously that you have to enter information on 3 different screens. 

osiris
Tuesday, May 08, 2007
+1 for R1ch.
Recall that many of these institutions still connect to legacy data and systems where special characters, even if allowed on the front end, would fail when used for pseudo-single-sign-on in the backend.

With 208 billion options, most people still use Il0v<petname>, which also makes the title more than a little misleading.
MSHack
Tuesday, May 08, 2007
The idea is not just to come up with a password, but with a password that you can remember. Allowing special characters allows you more degrees of freedom in doing this.
Tuesday, May 08, 2007
Slashdot linked to three different stories exposing bad security practices at banks today and yesterday.

I think most of these institutions use off the shelf components rather than writing the software from the ground up each and every time. It's not surprising that they'll all have the same vulnerabilities and practices unless they have a really sharp "product manager" overseeing their online banking.

Punctuation and very long passwords can result in problems, such that I'm not surprised the vendor (if there is one) has chosen to disallow them for the sake of compatibility and portability. To be clear, I don't think he should have, but I can understand why.

For example, consider what might happen if the bank's website was on a UNIX/Linux machine, and the user picked a 64 character password containing multiple escape characters?
Tuesday, May 08, 2007
who cares....ATM machines use 4 digit pins....
Tuesday, May 08, 2007
ATM's only in the states, in Canada I think you can have 8, but then you can't use it in the states, unless you change it back to a 4
Tuesday, May 08, 2007
I usually use a password that's about 10-12 characters, mixed upper/lower/numbers/special.

I wrote them about it, but I bet I'll get a canned response.  It just saddens me to see all the talk about "stronger security", yet they won't allow special characters.

Furthermore, from a usability standpoint, if they aren't going to allow special characters, they should tell me what is and isn't acceptable up front.  Not after I type AND CONFIRM my new password (and hit Accept).
Eric D. Burdo
Tuesday, May 08, 2007

Ironically, I've discovered that publishing the requirements up front confuses people. They're not used to thinking in terms of characters, but rather, words. If you've ever looked at a list of the 100 most common passwords, you'll notice that many of them consist of an ordinary word with a couple of numbers inserted and/or unusual capitalization.

The only situation I've seen that works, is to accept a proposed password and then return one of the following error messages:

1) "Whoops, your password is too easily guessed. We recommend that you add a number or a punctuation mark to your password somewhere in the middle."

2) "Whoops, for technical reasons, we do not permit the <character> in our passwords. Try replacing the <character> with either a period (.), comma (,), colon (:), semicolon, etc etc."

In other words, let them suggest a password to the web site, and then the web site recommends ways to make that password more secure.
Tuesday, May 08, 2007
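The accept-then-advise flow this post describes, as an added example that is not from the thread or from any site mentioned in it: the password is checked after submission and the two feedback messages are produced. The disallowed-character set, the substitute list, the short common-word list and the leet-swap table are constructed stand-ins for a hypothetical legacy backend's restriction and for "the 100 most common passwords".

```python
import re

# Constructed for this example: characters a hypothetical legacy backend
# refuses, and the replacements the post's second message suggests.
DISALLOWED = set("'\"\\;<>&")
SUBSTITUTES = "a period (.), comma (,) or colon (:)"

# Constructed stand-in for "the 100 most common passwords".
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "ilove"}
# Digit-for-letter swaps people make inside an ordinary word ("Il0ve").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def core_word(candidate: str) -> str:
    """Drop up to two leading and four trailing digits, undo leet swaps."""
    stripped = re.sub(r"^\d{0,2}|\d{0,4}$", "", candidate.lower())
    return stripped.translate(LEET)

def is_easily_guessed(candidate: str) -> bool:
    """Heuristic for the post's 'ordinary word with a couple of numbers'
    pattern: a plain word with digits tacked on or swapped in is guessable."""
    core = core_word(candidate)
    if not core:                      # digits only
        return True
    if not core.isalpha():            # punctuation in the middle: accept
        return False
    return (core in COMMON_WORDS
            or any(core.startswith(w) for w in COMMON_WORDS)
            or len(core) < 8)

def check_password(candidate: str) -> list:
    """Return the post's feedback messages; an empty list means accepted."""
    messages = []
    bad = sorted(set(candidate) & DISALLOWED)
    if bad:
        shown = " ".join(repr(c) for c in bad)
        messages.append(
            f"Whoops, for technical reasons, we do not permit {shown} in our "
            f"passwords. Try replacing it with {SUBSTITUTES}.")
    if is_easily_guessed(candidate):
        messages.append(
            "Whoops, your password is too easily guessed. We recommend that "
            "you add a number or a punctuation mark somewhere in the middle.")
    return messages

if __name__ == "__main__":
    for pw in ("Password1", "Il0veFluffy2007", "p@ss;word", "correct.horse:battery"):
        print(pw, "->", check_password(pw) or ["accepted"])
```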
"ATM's only in the states, in Canada I think you can have 8, but then you can't use it in the states, unless you change it back to a 4".

"Only in the states"?

Around half of the world's ATMs have 4 digit PINs.
Craig Welch
Wednesday, May 09, 2007