
Scary Password Limitations

When changing my password for the online portal, I am presented with this message:


Must contain one upper case, one lower case and either a special character or number. Must not contain any of the following characters: ~ ; < > " & [ ] { } ( ) space and the word script or userid.


In modern security practice, this is an abomination. A user should be able to use any characters that he or she desires. Beyond that, not allowing the words "script" or "userid" honestly makes it sound like you don't take security seriously. Any modern user authentication system would not have either of these limitations. Are your user authentication and password storage systems up-to-date?

1 Comment
Sightseer

MORE INFORMATION


The National Institute for Standards and Technology, a U.S. Government entity, publishes recommendations for password composition. You can find their recommendation, as of June 2017, here: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver


I'd suggest that you work towards implementing the above guidelines.
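As an added illustration (not code from the original poster, the commenter, or the portal's vendor), the following puts the quoted portal rule beside a validator written to the SP 800-63B memorized-secret guidance linked above: minimum 8 characters, at least 64 allowed, any printing ASCII or Unicode character including space, NFKC normalization, a blocklist check, and salted PBKDF2 storage. Everything about the portal rule comes from the quoted message except the reading of "special character" as "any non-alphanumeric character", which is this example's assumption. The blocklist is a small constructed sample standing in for a real breached-password corpus, and the function names are this example's own.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
import unicodedata

# --- The policy quoted in the post, as a validator ---------------------------
# Forbidden characters and words are taken verbatim from the quoted message.
FORBIDDEN_CHARS = set('~;<>"&[]{}() ')
FORBIDDEN_WORDS = ("script", "userid")


def portal_policy_ok(password: str) -> tuple[bool, str]:
    """Return (accepted, reason) under the portal's composition rule."""
    if not re.search(r"[A-Z]", password):
        return False, "needs an upper-case letter"
    if not re.search(r"[a-z]", password):
        return False, "needs a lower-case letter"
    # Assumption: "special character" means any non-alphanumeric character.
    if not re.search(r"[0-9]", password) and not re.search(r"[^A-Za-z0-9]", password):
        return False, "needs a digit or a special character"
    bad = sorted(set(password) & FORBIDDEN_CHARS)
    if bad:
        return False, f"forbidden characters: {bad}"
    lowered = password.lower()
    for word in FORBIDDEN_WORDS:
        if word in lowered:
            return False, f"forbidden word: {word}"
    return True, "ok"


# --- A validator following SP 800-63B section 5.1.1.2 ------------------------
# Constructed sample blocklist; a real deployment uses a breach-derived corpus.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "portal2017"}
MIN_LEN, MAX_LEN = 8, 64  # at least 8 required; at least 64 must be accepted


def nist_policy_ok(password: str, context: tuple[str, ...] = ()) -> tuple[bool, str]:
    """Return (accepted, reason). `context` holds words specific to this
    service or user (service name, username) that the secret must not contain."""
    # Normalize before counting, comparing or hashing so that composed and
    # decomposed forms of the same text are treated as the same secret.
    pw = unicodedata.normalize("NFKC", password)
    if len(pw) < MIN_LEN:  # len() counts code points, as the guidance requires
        return False, "shorter than 8 characters"
    if len(pw) > MAX_LEN:
        return False, "longer than 64 characters"
    # No composition rules and no forbidden printing characters. Rejecting
    # control characters (Unicode category C*) is this example's own choice.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "control characters not allowed"
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        return False, "password is on the blocklist"
    for word in context:
        if word and word.lower() in lowered:
            return False, f"password contains context-specific word '{word}'"
    return True, "ok"


# --- Storage: salted, iterated PBKDF2-HMAC-SHA256 ----------------------------
PBKDF2_ITERATIONS = 600_000  # well above the 10,000 minimum the guidance names


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 128-bit random salt is drawn if none given."""
    pw = unicodedata.normalize("NFKC", password).encode("utf-8")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored salt/digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for sample in ("Abc1", "correct horse battery staple", "Tr0ub4dor&3", "Javascript1"):
        print(f"{sample!r:35} portal={portal_policy_ok(sample)}  nist={nist_policy_ok(sample)}")
    salt, digest = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
```

Running the script shows the mismatch the post complains about: the portal rule accepts the four-character "Abc1" and rejects the 28-character passphrase with spaces, while the SP 800-63B validator does the reverse. The blocklist and context checks are what replace banned words like "userid"; normalizing before hashing means a user who types an accented character in composed or decomposed form still authenticates.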