The List Of Shame: Websites That Don’t Allow Special Characters In Their Passwords

By Daniel Miessler on April 19th, 2007: Tagged as Internet | Passwords | Security

It’s 2007. There’s absolutely no excuse for websites today to not allow special characters in their passwords. Whether you use a memory scheme or an encrypted database application for generating and storing your passwords, it’s highly annoying when you come across a site that requires you to lower your password security standards based on character length or complexity.

Few things are more annoying than using your regular algorithm for building a password (one that uses upper, lower, numbers, and special characters) only to have the site tell you that you need to dumb it down in order for it to take it. And it’s even worse for those using password programs that auto-generate extremely long and complex passwords. Having a site tell you your security is “too good” is simply unacceptable.

So after being bothered by this one too many times I blogged about it and created a post in the BBR Security forum asking for sites that have this flaw. Here’s the list we’ve come up with so far:

  • Digg!
  • Suntrust Bank
  • Chase Bank
  • Verizon.net
  • Wells Fargo Bank
  • Sovereign Bank
  • Americanexpress.com
  • BB&T
  • NASA Credit Union
  • Space Coast Credit Union
  • Earthlink
  • Cafepress.com
  • Equifax.com
  • Progressive.com
  • Merrill Lynch

[ Please contact me with additions and corrections/deletions ]

The ones that stand out are the financially-oriented sites, obviously, but the fact that Digg doesn’t allow special characters just blows my mind (Reddit does). Surely one can make an argument that passwords are weak anyway, that password length is the most important issue, and that most sites have lockout features, etc., but ultimately the arguments for not implementing this are lame for a simple reason:

It’s trivial to implement and sites only have to do it once. So even if the security gain is minimal there’s just no good reason not to do it.
The bottom line comes down to this: people should be able to use advanced memory-based techniques or password applications that generate very long, complex passwords and have them work everywhere. Sites that force users to lower their standards should be exposed and asked to modernize.
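As an added illustration of why accepting special characters costs a site nothing (this is example code written for this page, not anything from the post or from the sites listed), the block below puts a restrictive letters-and-digits-only policy beside a permissive one that checks only length and then stores the password as a salted PBKDF2 hash. The policies, the 12-character minimum and the iteration count are assumptions chosen for the example; the point is that the hashing step works on bytes and never cares which characters the user typed.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Hypothetical minimum length for the permissive policy (an assumption for this example).
MIN_LENGTH = 12


def restrictive_policy(password: str) -> bool:
    """The kind of rule the post complains about: letters and digits only,
    with a short maximum length. Every special character is rejected."""
    return password.isalnum() and 6 <= len(password) <= 16


def permissive_policy(password: str) -> bool:
    """Accepts any printable character (spaces and non-ASCII included);
    the only hard rule is a minimum length. Control characters are
    rejected because they cannot be typed reliably."""
    if len(password) < MIN_LENGTH:
        return False
    return all(unicodedata.category(ch)[0] != "C" for ch in password)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. The hash consumes bytes, so the character
    set of the password is irrelevant to storage: there is no technical
    reason to forbid special characters."""
    salt = salt if salt is not None else os.urandom(16)
    # NFKC normalisation so the same Unicode password always hashes the same way.
    data = unicodedata.normalize("NFKC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the stored digest against a fresh one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def roundtrip(password: str) -> bool:
    """Accept under the permissive policy, store, then verify."""
    if not permissive_policy(password):
        return False
    salt, digest = hash_password(password)
    return verify_password(password, salt, digest)


if __name__ == "__main__":
    # Constructed sample inputs: the post's Top Secret example, a weak
    # alphanumeric password, and a passphrase with a space and a non-ASCII letter.
    for pw in ["5PF.c9a8>12!", "Password1", "correct horse battery stäple"]:
        print(f"{pw!r:34} restrictive={restrictive_policy(pw)!s:5} "
              f"permissive={permissive_policy(pw)!s:5} roundtrip={roundtrip(pw)}")
```

Note that the restrictive policy accepts "Password1" and rejects the post's "5PF.c9a8>12!", the opposite of what a security-minded policy should do; the permissive one gets both right and the stored hash is the same size either way.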

So if you use one of these sites, do the Internet a favor and contact customer service and file a complaint. With enough attention I think we can get at least a few of these to do the right thing.

--


It’s 2007: Why Do Big Sites Like Digg Still Not Accept Special Characters In Their Passwords?

By Daniel Miessler on March 16th, 2007: Tagged as Passwords | Security | Technology

It’s not just Digg, but for them it’s especially unacceptable. I mean, come on….Digg? The epitome of the “new” Internet. Young, hip, and…only taking numbers and letters in their passwords? Lame.


There’s just no excuse for this in 2007. Eight years ago, sure…but not now. Let’s do this. Let’s make a list of sites that we know of that still haven’t moved out of 1999. Then we’ll email their admins and demand (er, ask) that they get with the 21st century.

Here, I’ll start:

  1. Digg.com

--


Security: Implementing A Secure And Usable Internet Password Scheme

By Daniel Miessler on February 13th, 2007: Tagged as Internet | Passwords | Privacy | Security | Sysadmin | Technology

Being an information security consultant I am often asked how to balance the need for online passwords that are both hard to guess and easy to remember. There are a number of solutions out there for dealing with the problem, but the system that I’m about to outline below is an elegant hybrid of simplicity and security. It works for me, and I think it can work for you as well.


The Problem

The main issue we’re all grappling with is the number and complexity of the passwords we need to remember. Ideally, we would never share a password between any two sites. They would all be different and at the same time highly complex. Unfortunately, this doesn’t mesh well with reality. The human brain just isn’t up to the task.

Simplification Through Classification

The way we get around this limitation is to classify our online accounts according to risk. In other words, we’re going to determine how important each of our accounts is, and then put them into one of three (3) groups. For the purposes of this article we’ll use the military classifications.
  1. Top Secret
  2. Secret
  3. Confidential
Next we’ll simply group your Internet account types into each of these categories:
  • Top Secret: Banking, brokerages, financially or identity-oriented sites. Think about your social security number and other sensitive personal data. Any accounts of this nature you want to protect with your strongest layer of security.
  • Secret: Personal email, blogging sites, important forums, etc. These are your main accounts that you use on a day-to-day basis. They aren’t ultra-sensitive, but they are a huge part of your life and need to be secure.
  • Confidential: Product forums, mailing lists, etc. These are your low-risk accounts, meaning that if one were to be compromised it would be annoying but not a major problem. We’re still going to have relatively strong passwords here, but they’re going to be simple in comparison to the two higher levels.
  • ** Also keep in mind whether or not a site supports encrypted logins when assigning your accounts to these groups. Never put an account into the top two groups (Top Secret or Secret) if that site doesn’t support encryption. We don’t want someone possibly intercepting one of your upper-level passwords.

Designing Our Password Schemes

Ok, now that you have your accounts grouped properly it’s time to design our three password systems. We’ll start with the Top Secret:

Level 1 — Top Secret: For this level we’re going to use a combination of upper-case, lower-case, numbers, and special characters. We’re also going to make the password at least 12 characters in length. You will be writing these passwords down on a card in your wallet or purse, so it doesn’t matter if you can’t remember the password at first. After you use it a few times it’ll become second nature regardless of how complex it is. Try something like this:

5PF.c9a8>12!

It looks pretty scary, but you’d be surprised how easy it is to remember once you type it a few times over a number of days. The point is that it’s not going to be guessed, and it’s not going to be tied to another account. If you absolutely have to, you can use a sentence algorithm to build the password, like so:

My Online Bank Password Is Not Simple To Guess At All, Julie.

M0bP1n5tGAAJ.

One point on writing down passwords: Many people think this is a bad idea, but that fully depends on how you secure them once they’re written down. Sticky note on monitor? Bad. Wallet? Good. You have to balance the risk of strong passwords in your wallet vs. weak ones in your brain.

Regardless of the scheme you use to create your passwords, you want them to be a) pseudo-random/highly complex, b) over 10 characters in length, and c) absolutely unique. In short, we don’t want someone with your brokerage account password to be able to log into your bank with the same credentials.

Level 2 — Secret:

With the secret level accounts we’re going to introduce an aspect of simplicity/usability. We’ll do this by creating an algorithm for creating and varying passwords for various sites while still maintaining the appearance of randomness within each individual password.

In short, all level 2 (Secret) passwords will be generated by the same algorithm. As such, they’ll look very similar to you, but will look like random garbage when viewed independently by an outsider.
So let’s build your Level-2 (Secret) algorithm; we’ll use a Gmail account as a template:

[This is just a sample algorithm; you should make your own.]

  1. First two letters + last letter of the account. GML
  2. Add up the three letters (A=1 … Z=26) and subtract your birthday: G (7) + M (13) + L (12) = 32; 32 - 15 (if you’re born on the 15th) = 17. GML17
  3. Add the two numbers you made to create a third number. 17 = 1 + 7 = 8 GML178
  4. Add a word for length. Use character substitution for complexity if you want. GML178H0lid4y
  5. Add special characters. !GML178H0lid4y#
  6. Scramble as desired.

    !H0lid4y#GML178#

You now have a very solid password for your Gmail account. But it gets much better than that. You’re using the same algorithm for all your level 2 accounts. So do the same for your Hotmail account and you’ll end up with:

!H0lid4y#HOL358#

Level 3 — Confidential:

For our lowest security level (3) we’re going to use an algorithm similar to the secret level (2), only it’s going to be completely different and much simpler. Remember, these are your unimportant accounts; you wouldn’t want them to be compromised, of course, but if they were then it wouldn’t be that big of a deal.

Let’s make a level 3 algorithm for a site called cars.com:

  1. Last letter then first letter of the site (cars). SC
  2. A word to be used for all your low level accounts. Add a single character of number substitution (i to 1) SCPubl1c
  3. Use a special character. SCPubl1c$
  4. Scramble as desired.

    $Publ1cSC

Again, you now have a decent password that’s not easy to guess and will give a bit of difficulty if someone gets one and tries to guess others. Of course, if they get one of these level 3 passwords and try to break your Secret (2) or Top Secret (1) passwords, they’ll be unsuccessful.
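To make the two algorithms concrete, here is an added example (written for this page; it is not the post’s own code) that implements the Level 2 (Secret) steps and the Level 3 (Confidential) steps as functions. Two assumptions are fixed so the output is deterministic: the Level 2 “scramble as desired” step is taken to be the arrangement the post shows for Gmail (“!” + word + “#” + letters/numbers + “#”), and the Level 3 scramble is “$” + word + letters. The birthday is passed as the day of the month. Note that applying step 2 literally to Hotmail (H=8, O=15, L=12, minus 15) gives 20 and then 2, so the code yields HOL202 where the post’s Hotmail example shows HOL358, which is what you get if the subtraction is skipped (35, then 3+5=8); the code follows the steps as written.

```python
from typing import Tuple


def base_name(site: str) -> str:
    """'gmail.com' -> 'gmail'; the post works from the bare account/site name."""
    return site.split(".")[0]


def letter_value(ch: str) -> int:
    """A=1 ... Z=26, the numbering the post uses (G=7, M=13, L=12)."""
    return ord(ch.upper()) - ord("A") + 1


def level2_password(account: str, birthday: int, word: str = "H0lid4y") -> str:
    """Level 2 (Secret) scheme, steps 1-6 of the post. The scramble is fixed
    (an assumption) as '!' + word + '#' + letters/numbers + '#' to match
    the post's Gmail result."""
    name = base_name(account)
    letters = (name[:2] + name[-1]).upper()                   # step 1: GML
    total = sum(letter_value(c) for c in letters) - birthday  # step 2: 32 - 15 = 17
    digit_sum = sum(int(d) for d in str(abs(total)))          # step 3: 1 + 7 = 8
    code = f"{letters}{total}{digit_sum}"                     # GML178
    return f"!{word}#{code}#"                                 # steps 4-6


def level3_password(site: str, word: str = "Public") -> str:
    """Level 3 (Confidential) scheme: last+first letter of the site, a shared
    word with one i->1 substitution, one special character, scrambled
    (an assumption) as '$' + word + letters."""
    name = base_name(site)
    letters = (name[-1] + name[0]).upper()                    # step 1: SC
    substituted = word.replace("i", "1", 1)                   # step 2: Publ1c
    return f"${substituted}{letters}"                         # steps 3-4: $Publ1cSC


def differing_positions(a: str, b: str) -> int:
    """Number of character positions that differ between two passwords built
    by the same algorithm; a small count shows how much they have in common."""
    return sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))


if __name__ == "__main__":
    gmail = level2_password("gmail.com", 15)
    hotmail = level2_password("hotmail.com", 15)
    print("Level 2, Gmail:  ", gmail)
    print("Level 2, Hotmail:", hotmail)
    print("Level 3, cars.com:", level3_password("cars.com"))
    print("Positions differing between the two Level 2 passwords:",
          differing_positions(gmail, hotmail))
```

The `differing_positions` check is worth running: of the 16 characters in the two Level 2 passwords, only five differ, so the scheme’s protection against someone who already holds one of your Level 2 passwords rests entirely on the algorithm itself staying secret, which is exactly why the post says to memorize the algorithm and never write it down.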

Conclusion

Using this system can increase both security and usability when working with multiple accounts online. Here are a few additional guidelines about this technique and passwords in general:
  • Vary your algorithm for level 2 and 3 accounts regularly (I recommend at least once a year)
  • Memorize your algorithm and write down your passwords on a card in your wallet. Don’t write down the algorithm itself. Just seeing a password created with it should jar your memory.
  • For an extra layer of security you can consider leaving out or modifying a crucial part of the passwords you write down. This way, even someone with the card will not be able to use it. Be warned that if you forget what you changed, however, you’ll be very upset.
  • Change your level 1 passwords often as well. With the strength that we’re using in this article I’d advocate once every 6-months.
  • Many also use what’s effectively a level 4 account, i.e. a throw-away password that is used for accounts even lower in importance than level 3. Usually this is a static password. Just be sure to be very selective about where you use such a password, and make it as complex and long as possible while retaining its benefit of simplicity.
  • An encrypted database is another option for managing passwords. I advocate this method over that one due to issues with losing or damaging the portable storage that the DB is stored on, in addition to not being comfortable with using such a system on a foreign computer (where necessarily you open ALL of your passwords to the system being used). It’s really a matter of personal preference, however, as both systems have their strengths and weaknesses.
I hope this has been useful. For any questions or comments, please feel free to contact me directly.

--




    Copyright © | Daniel Miessler | 1999-2008 | All Rights Reserved