Worst possible password policy ever contest.
Simultaneously, I am adding car2go.com as our first contestant.
Before we start, let me add that I totally adore their service. Car sharing is a brilliant idea, it helps me keep independent of public transport while not having to maintain and pay for my own car, and it is environmentally sane. Plus, it is a huge testament to the awesome possibilities that the internet has to offer.
The restrictions, as per their website, are the following:
Passwords must...
- be between 8 and 25 chars long
- start with a letter
- contain at least one capital and one lowercase letter
- contain at least one numerical digit
- not contain combinations of the user's first/last names or the company name ('car2go')
Seriously. I am not bullshitting you. That's their rules.
Okay, I'll admit that the last one actually makes some kind of sense. The first part of the first one does so, too.
But the others?
The most glaring issue is the maximum limit on password length. The only explanation I can come up with is that they store cleartext passwords, which, considering that they take your bank account data, would be such a tremendous security issue as to make their whole service unusable.
But assuming that they do hash (and, depending on algorithm, salt) their passwords - why on earth would anyone limit them to 25 chars? To save bandwidth? To avoid DoS attacks? There are much better ways to do that. It doesn't make any sense at all.
But more than that, I think that this points to a much much more general, ongoing issue.
See, we - we ITers, nerds, geeks, coders - have gotten used to, and have as a consequence gotten our users used to SHORT PASSWORDS. Or, to be more precise, to PASSWORDS. Instead of PASSPHRASES.
Now, I'm not a mathematician. But I'm fairly certain that the first line of your favorite Klingon haiku contains way more of that Sacred Spice... err.... I mean, that Sacred Entropy... than your cat's name in l33tspeak.
Entering a phrase is easy. Remembering a phrase is easy.
Why on earth did we go for passwords?
So we didn't have to add quotes when we passed it through pipes, perhaps?
I don't know. But it was a bad, bad, BAD decision. Everyone keeps trying to come up with weird combinations of uppercase, lowercase, digits and special chars, and of course then they forget whether it was 'p@r51ngL1f3' or 'pArS1ngL1f3' this time. And then they give up, and revert to using their spouse's birthdate. Duh.
This, folks, is madness.
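The entropy argument in the preceding paragraphs can be put in numbers. The following is an added example of mine, not part of the original post, with a constructed mini word list and a rough, generous estimator. It compares the naive "every character is a random pick" figure for 'p@r51ngL1f3' with what is left once an attacker knows the pattern (dictionary words, l33t substitutions, mixed case), and sets both beside a six-word Diceware-style passphrase. The functions, the word list and the bit accounting are assumptions for the demo, not an established cracking model; in particular 'p@r51ngL1f3' and 'pArS1ngL1f3' come out identical, which is exactly why forgetting which one you used buys you nothing:

```python
import math

# Constructed mini word list for the demo. A real dictionary attack uses tens
# of thousands of words, which raises the per-word term only by log2(list size).
WORDS = {"parsing", "life", "correct", "horse", "battery", "staple", "password"}

# Common l33t substitutions mapped back to the letter they stand in for.
# "1" is read as "i" here; a fuller de-leeter would also try "l".
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
        "0": "o", "5": "s", "$": "s", "7": "t"}
SUBSTITUTABLE = set(LEET.values())


def naive_bits(password, alphabet_size=95):
    """Entropy if every character were an independent uniform pick from the
    alphabet (95 printable ASCII characters by default)."""
    return len(password) * math.log2(alphabet_size)


def passphrase_bits(n_words, wordlist_size=7776):
    """Entropy of n words drawn uniformly from a list (7776 = Diceware)."""
    return n_words * math.log2(wordlist_size)


def deleet(password):
    """Undo l33t substitutions and lower-case the result."""
    return "".join(LEET.get(c, c) for c in password).lower()


def segment(text, words=WORDS):
    """Split text into the fewest dictionary words, or None if impossible."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in words:
                candidate = best[start] + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(text)]


def structured_bits(password, words=WORDS, wordlist_size=7776):
    """Rough entropy against an attacker who knows the 'dictionary words +
    l33t + capitalisation' pattern: log2(list) per word, one bit per letter
    that could have been substituted, one bit per letter for its case (the
    last is generous: real crackers try a handful of case patterns, not all).
    Falls back to the naive figure when nothing de-leets into words."""
    plain = deleet(password)
    parts = segment(plain, words)
    if parts is None:
        return naive_bits(password)
    substitutable = sum(1 for c in plain if c in SUBSTITUTABLE)
    letters = sum(1 for c in plain if c.isalpha())
    return len(parts) * math.log2(wordlist_size) + substitutable + letters


if __name__ == "__main__":
    for pw in ("p@r51ngL1f3", "pArS1ngL1f3"):
        print(f"{pw}: naive {naive_bits(pw):.1f} bits, "
              f"pattern-aware {structured_bits(pw):.1f} bits "
              f"({' '.join(segment(deleet(pw)))})")
    print(f"six Diceware words: {passphrase_bits(6):.1f} bits")
```

Run it and the 11-character l33t password that looks like 72 bits drops to roughly 42 once the pattern is known, while six random words, which need no special characters at all and fit in one memorable line, sit at about 78.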
But the real head-scratcher, of course, is the rule to start a password with a letter. Did they imagine their passwords to be C identifiers? Do they not quote them? Do they use them as method names? WHY ON EARTH would a coder care whether the user's password starts with a letter or a digit?
It's a bit like thinking about the code in the PHP parser that distinguishes between a language construct and a function, so it can reject 'empty(foo())'. It's a bit like the Great Pit of Carkoon. You just don't want to go there.
So, if you happen to work at car2go, maybe you can send me a good explanation. I'm all open to revoking my points and praising your logic instead.