In light of recent cracking events there has been a lot of discussion about password security, including from me about how I’ve switched to 1Password. Today I was reading a blog post about how Electronic Arts hate strong passwords and it reminded me of a much worse example from my bank, NatWest.
NatWest Credit Card Services (not their online banking service, which is clearly a different division and imposes different restrictions) impose the most ridiculous restrictions I have ever seen for password security. They require your password to be between 6 and 8 characters long and to contain only alphanumeric characters. That caps an 8-character password at 62^8 possibilities, roughly 2.2 × 10^14, and the shorter lengths allowed add almost nothing to that.
They do, at least, use the age-old method of protecting against keyloggers (except ones that take screenshots) by only requesting certain characters from your password.
But that makes me wonder: if they can query you for exact characters, are your passwords encrypted in a reversible manner? I wonder if anyone can shed some light on the incredibly brilliant security I’m sure NatWest have…
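The storage question above deserves a worked answer, so here is an added example that is not code from the post or from NatWest. A "type characters 2, 5 and 7" challenge can be served either from passwords stored reversibly (or in plaintext), or from a separate hash kept for every subset of positions the site might ask for. The Python below, with an assumed challenge size of three characters, PBKDF2 for the conventional record and plain SHA-256 for the per-subset hashes (assumptions for the demo, not anything the post reports), shows that the second option is barely better than the first: each subset hash guards only three alphanumeric characters, so anyone holding the database needs at most 62^3 = 238,328 guesses per subset and three subsets to recover an 8-character password, against 62^8 for a single conventional hash.

```python
"""Partial-password ('enter characters 2, 5 and 7') logins versus password hashing.

Added illustration for this post, not code from the post or from any bank.
The password policy (6 to 8 alphanumeric characters) is the one the post
quotes; the hash functions, salt handling and the challenge size k=3 are
assumptions made for the demo.
"""
import hashlib
import hmac
import itertools
import math
import os
import string

ALPHABET = string.ascii_letters + string.digits   # the 62 characters the policy allows


def policy_keyspace(min_len=6, max_len=8, alphabet=ALPHABET):
    """How many distinct passwords the quoted policy permits in total."""
    return sum(len(alphabet) ** n for n in range(min_len, max_len + 1))


# 1. Conventional storage: one salted, slow hash of the whole password.
#    Given only this record, the server cannot answer "are characters 2, 5 and 7
#    equal to X, Y, Z?": it needs the entire password to recompute the hash.

def full_hash_record(password, iterations=100_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def full_hash_verify(record, candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# 2. The non-reversible way to support partial challenges: store a separate hash
#    for every k-subset of positions.  Each hash then protects only k characters.

def _subset_hash(salt, positions, chars):
    # Bind the positions into the input so the same letters at different
    # positions hash differently.  SHA-256 is used only to keep the demo quick;
    # a slow KDF would change the time per guess below, not the guess count.
    return hashlib.sha256(salt + bytes(positions) + chars.encode()).digest()


def subset_record(password, k=3):
    salt = os.urandom(16)
    table = {
        positions: _subset_hash(salt, positions, "".join(password[i] for i in positions))
        for positions in itertools.combinations(range(len(password)), k)
    }
    return {"salt": salt, "length": len(password), "k": k, "table": table}


def subset_verify(record, positions, chars):
    positions = tuple(positions)
    expected = record["table"].get(positions)
    if expected is None:                     # server never asks for this subset
        return False
    return hmac.compare_digest(_subset_hash(record["salt"], positions, chars), expected)


def crack_subset(record, positions, alphabet=ALPHABET):
    """Offline brute force of one stored subset hash: at most len(alphabet)**k guesses."""
    positions = tuple(positions)
    target = record["table"][positions]
    for guess in itertools.product(alphabet, repeat=record["k"]):
        chars = "".join(guess)
        if _subset_hash(record["salt"], positions, chars) == target:
            return chars
    return None


def crack_password(record, alphabet=ALPHABET):
    """Recover the whole password by cracking just enough subsets to cover every position.

    Returns (password, worst_case_guesses)."""
    n, k = record["length"], record["k"]
    recovered = [None] * n
    windows = 0
    for start in range(0, n, k):
        positions = tuple(range(start, start + k))
        if positions[-1] >= n:               # final window overlaps the previous one
            positions = tuple(range(n - k, n))
        for pos, ch in zip(positions, crack_subset(record, positions, alphabet)):
            recovered[pos] = ch
        windows += 1
    return "".join(recovered), windows * len(alphabet) ** k


def guess_comparison(length=8, k=3, alphabet=ALPHABET):
    """Worst-case offline guesses against one stolen record, under each scheme."""
    a = len(alphabet)
    return {"full_hash": a ** length, "subset_hashes": math.ceil(length / k) * a ** k}


if __name__ == "__main__":
    pw = "Tr0ub4dr"                          # constructed sample password
    rec = subset_record(pw)
    print("policy keyspace:", policy_keyspace())
    print("challenge (1,4,6) accepts 'rbd':", subset_verify(rec, (1, 4, 6), "rbd"))
    print("cracked:", crack_password(rec))
    print(guess_comparison())
```

Run it directly to see the numbers. Swapping the SHA-256 in `_subset_hash` for a slow KDF multiplies the cost of each guess but leaves the count at 62^3 per subset, which is the point: once a site can check individual characters, the stored record is either reversible or reduced to a handful of three-character secrets, and the 6 to 8 character alphanumeric policy makes even the conventional hash's 62^8 keyspace small by modern cracking standards.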
NatWest have no email address, but I’m planning on writing to them about this with a link to this blog post. If you bank with NatWest, I suggest you do the same (even if you don’t use their online credit card services) to express your concern about their security when they impose such stupid restrictions.
For other companies with stupid password restrictions (and even stupider ‘reasons’), see ‘London Midland on Password Lengths’.