Your Password is Too Secure


For obvious reasons, Microsoft employees are asked to refrain from bashing other teams or products in their blog posts. But with the dismantling of the Money product line a couple of years ago, I feel the statute of limitations has expired and I can share a useful lesson.

At one point, I changed the password for my bank, and then went in to update the corresponding password in Microsoft Money so I could continue to download statements. Unfortunately, upon entering the password, I was met with this error box.

Here is a product charged with protecting my most important data, and it is telling me it can’t accept what any typical computer-savvy user would consider a normal “strong” password. After seeing this message, my brain stopped working. If anything, a product that deals with access to someone’s money should favor the uber-paranoid side of the security fence. But here was a product that actually limited a password’s complexity and forced users toward a weak one.

I can understand a reasonable upper limit on length, since there may be storage or processing concerns (though I’ve run into web sites where an eight-character password was too long, and no, that is not a reasonable limit). But if you are working on the password-handling feature of your software, gimping a password’s strength is something that should be avoided at all costs.
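As an added example (not code from the original post, and not Microsoft Money’s actual rules, which the post does not state), here is the kind of restrictive policy being complained about next to a permissive one. The legacy rules below (alphanumerics only, eight characters maximum) are an assumption chosen to illustrate the problem. The permissive check bounds length generously rather than by storage, since a properly hashed password is stored as a fixed-size digest and the only real cost of a long input is hashing time. The search-space estimate at the end is a deliberately naive character-class heuristic, included to show how such estimates flatter substitution-style passwords while a long passphrase scores highly yet is rejected outright by the legacy rules.

```python
"""Password policy checks: a restrictive legacy policy beside a permissive one.

Added example for illustration; the legacy rules are an assumption, not the
rules of any real product.
"""
import math
import string
import unicodedata

# --- Assumed legacy policy: the kind of restriction the post objects to ---
LEGACY_ALLOWED = frozenset(string.ascii_letters + string.digits)
LEGACY_MAX_LEN = 8


def legacy_policy_accepts(password: str) -> bool:
    """Accept only 1..8 characters drawn from [A-Za-z0-9]; anything else is refused."""
    return 0 < len(password) <= LEGACY_MAX_LEN and all(c in LEGACY_ALLOWED for c in password)


# --- Permissive policy: bound length generously, never restrict the alphabet ---
MIN_LEN = 12          # characters
MAX_LEN_BYTES = 128   # caps work done by a slow password hash; storage is a fixed-size digest


def sane_policy_check(password: str) -> tuple[bool, str]:
    """Return (accepted, reason).

    Any printable character is fine, including spaces and non-ASCII letters.
    The only content rejected is control characters, which are almost always
    paste accidents rather than deliberate choices.
    """
    if len(password) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(password.encode("utf-8")) > MAX_LEN_BYTES:
        return False, f"longer than {MAX_LEN_BYTES} bytes"
    if any(unicodedata.category(c) == "Cc" for c in password):
        return False, "contains control characters"
    return True, "ok"


def search_space_bits(password: str) -> float:
    """Naive brute-force search-space estimate: length * log2(alphabet size),
    where the alphabet is the union of the character classes present.

    This is the heuristic many strength meters use. It assumes every position
    is independent and uniformly chosen, so it overstates the strength of
    predictable substitutions (e.g. 'Tr0ub4dor&3') that guessers try early.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed sample passwords; the two longer ones are the xkcd 936 examples.
    for pw in ["Summer24", "Tr0ub4dor&3", "correct horse battery staple"]:
        accepted, reason = sane_policy_check(pw)
        print(f"{pw!r:34} legacy={legacy_policy_accepts(pw)!s:5} "
              f"sane={accepted!s:5} ({reason}) naive_bits={search_space_bits(pw):.1f}")
```

Note what the legacy rules do to the passphrase: it is the only one of the three the naive estimate rates as strong, and it is the one the legacy policy refuses, first for its length and then for its spaces.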

As an aside, you can use this utility to help gauge whether or not your password is strong.

Comments (3)

  1. Weak = Bad, storing passwords in plain-text = Worse.

  2. Weak = Bad, storing or transmitting passwords in plain-text = Worse.

  3. Stuart taylor says:

    Special characters can give a false sense of strength. http://m.xkcd.com/936
