Sunday, January 10, 2010

Password strength (part two)

I’m currently working through the horror that is the UK’s online tax self-assessment process, a process which prompted to lodge a formal complaint this time last year (which covered an A4 sheet, and ended with: “I have never encountered such a poorly designed, implemented and managed online service in my career; anyone in working in the private sector responsible for such a service would have been fired for its delivery. Please pass these comments on to whoever was responsible and / or accountable for this fiasco.” To their credit, they did send me an apology.)

Nothing changes, apparently, and so I have had to go through the whole process of acquiring a new user id (twelve digits), and then to apply for a new password (another twelve – letters and numbers this time). I couldn’t do it online, as the tax office had an email address that was ten years out of date, and were unable to change it on my behalf. So – three weeks later, I have my new user id and password, I log in, and immediately go to the “manage my account” section to update my email and change my password.

I am prompted at this point to set up a “second password”, which I assume is a bit like a password reminder, which I think might be a good thing. And this is the screen that greets me:


Just in case you can’t make it out, the password restrictions are as follows:

  • contain 12 - 20 letters and numbers
  • not contain any spaces
  • contain at least one letter and one number
  • not contain the word 'password'
  • not contain the same character repeated consecutively more than three times
  • not contain consecutive sequential numbers (eg "34", "67", or "87")

What is going on with these people – why is the Government so bad at this?

(Needless to say, the easiest solution is to pay an accountant to do it for me. Expect part three in this series in approx. twelve months time.)

[Update: I decided to do it anyway, just to see what happens, and got the following:

2010-01-10_1136Give me strength.]

No comments: