Just a quick memo on how not to design for a secure computing environment. I got the following message when logging into my commercial banking website.

Password Guidelines
Passwords must:

  • Be six to twelve characters
  • Contain at least one number
  • Contain at least one letter
  • Not be identical to your first name, last name, company name, company ID, user ID, or your previous six passwords
  • Not use the names of the months (example: march123)
  • Not repeat the same character three or more consecutive times (example: 2kaaa3, 0000abe49)

They also make you change your password every 60 days. Do you know what this results in? Me writing down my password on a piece of paper next to my desk. Seriously. That’s how stupid it is. Oh, did I mention that if you fail your login three times they will lock out your account?
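To make the rule set above concrete, here is a small validator that implements the six listed guidelines exactly as written. It is an added example, not code from the bank or from this post. It assumes that month names are matched as case-insensitive substrings (the bank's own example is "march123"), that the "identical to" comparisons are case-insensitive whole-string matches, and that the caller passes the user's password history with the oldest entry first; the 60-day rotation and the three-strike lockout are policy, not password syntax, so they are not modelled here.

```python
import re

# Full English month names; the guideline's example ("march123") suggests a
# substring match, so that is what is assumed here.
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")

# Three or more of the same character in a row, e.g. "aaa" or "0000".
TRIPLE_REPEAT = re.compile(r"(.)\1{2,}")


def check_password(pw, first_name="", last_name="", company="",
                   company_id="", user_id="", previous=()):
    """Return the list of guideline violations for a candidate password.

    An empty list means the candidate satisfies every listed rule.
    ``previous`` is the user's password history, oldest first; only the
    last six entries are compared, as the guideline states.
    """
    violations = []

    if not 6 <= len(pw) <= 12:
        violations.append("length")
    if not any(c.isdigit() for c in pw):
        violations.append("no digit")
    if not any(c.isalpha() for c in pw):
        violations.append("no letter")

    lowered = pw.lower()

    # "Identical to" is assumed to be a case-insensitive, whole-string match.
    identities = (("first name", first_name), ("last name", last_name),
                  ("company name", company), ("company ID", company_id),
                  ("user ID", user_id))
    for label, value in identities:
        if value and lowered == value.lower():
            violations.append("identical to " + label)

    # Only the six most recent passwords count, per the guideline.
    if any(lowered == old.lower() for old in tuple(previous)[-6:]):
        violations.append("reused")

    if any(month in lowered for month in MONTHS):
        violations.append("month name")

    if TRIPLE_REPEAT.search(pw):
        violations.append("repeated character")

    return violations


def is_acceptable(pw, **kwargs):
    """True when the candidate breaks none of the listed rules."""
    return not check_password(pw, **kwargs)


if __name__ == "__main__":
    # Constructed sample candidates, including the guideline's own examples.
    for candidate in ("march123", "2kaaa3", "0000abe49", "Tr0ub4dor"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Returning every violation at once, rather than stopping at the first, is what lets a login form tell the user all the reasons a candidate was rejected in one round trip; note how little the rule set actually constrains, since a nine-character password with one digit passes every check.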

Needless to say, this is not how you should be developing secure web applications.