
Our Password Security Changes

I know some of you guys have been complaining about the new message you get when updating your journal saying your password is insecure. Please believe me when I say that we do not have other options when trying to protect account security at this point. Running some statistics, we saw that many users share the same password as others, which creates havoc for our abuse team in terms of account break-ins; no fun for anyone. We will be talking more about this in our News post on Monday, but I wanted to link to a reply to a comment I just left explaining our password policy in a bit more detail.


Basically our requirements are the following:
Cannot include your username
Cannot include your email
Cannot include your display name
Is not found in the English dictionary used by CrackLib
Must contain one digit or piece of punctuation (new)

We've also updated our CrackLib dictionaries to include 415 new words that we have found to be quite common passwords. While we don't think this will solve all of the problems, we plan to look at this again in about a month to see what sort of progress has been made. We will also be forcing users whose password CrackLib does not approve of to change it. The message users see explains the reasoning further, and I hope our News post will also do a good job of addressing this; we all know it will piss off a good deal of users. In the end though, these changes are not just to help reduce the abuse case load, but to protect you and your account's security. I would like to hear if you run into specific issues with all of this where you feel the system is not acting correctly. While I know that I cannot appease everyone with this, I at least ask you all to give us the benefit of the doubt that we aren't just trying to screw you or make your life more difficult.
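The five requirements above, written out as a checker so you can see exactly what each rule rejects. This is an added example, not the site's own code: the word list is a constructed stand-in for the CrackLib dictionary, and the case-insensitive matching, the three-character minimum for identifier matches, and the stripping of leading/trailing digits and punctuation before the dictionary lookup are my assumptions, not a description of how CrackLib itself works.

```python
import string

# Constructed stand-in for the CrackLib word list; the real one is far larger.
WORDLIST = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty"}

# Assumption: identifiers shorter than three characters are not checked as
# substrings, otherwise a two-letter username would reject almost anything.
MIN_IDENT_LEN = 3


def _contains(pw_lower, ident):
    """Case-insensitive substring test used for username/email/display name."""
    ident = (ident or "").lower()
    return len(ident) >= MIN_IDENT_LEN and ident in pw_lower


def check_password(password, username, email, display_name, wordlist=WORDLIST):
    """Return the list of rules the password violates; an empty list means it passes."""
    pw = password.lower()
    problems = []

    if _contains(pw, username):
        problems.append("contains username")

    # Check both the full address and its local part (the bit before '@').
    local_part = (email or "").split("@", 1)[0]
    if _contains(pw, email) or _contains(pw, local_part):
        problems.append("contains email")

    if _contains(pw, display_name):
        problems.append("contains display name")

    # Simplified dictionary test: the word itself, or the word once leading and
    # trailing digits/punctuation are stripped ("letmein9" -> "letmein").
    core = pw.strip(string.digits + string.punctuation)
    if pw in wordlist or core in wordlist:
        problems.append("dictionary word")

    # The new rule: at least one digit or one punctuation character.
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("needs a digit or punctuation")

    return problems


if __name__ == "__main__":
    for pw in ("password", "frank1234", "letmein9", "correcthorse7!"):
        print(pw, "->", check_password(pw, "frank", "frank@example.com", "Frank") or "ok")
```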


Oct. 28th, 2005 11:00 am (UTC)
Wow. I am really surprised, but there has been almost no kvetching on my flist. Which is unusual, because kvetching is sort of the mothership for my flist.

(And, hey, who knew that my ten-digit, sentence-formed letter/number/symbol password was insecure?)
Oct. 28th, 2005 11:48 am (UTC)
There are a couple of pws that were like that. It was fun a couple of weeks ago when some clever fellow *cough* decided to try some of the more common ones against users' accounts.

Since you're former AT, you'll get this:

I beat the record of most AP in a single day.