Last night as I was creating a new account on a shopping site, I ran into an issue. As I filled in my information, I noticed the password was restricted to “8 to 10” characters. This immediately made me hesitate a bit to continue, but I dialed my generator down to 10 characters and continued on anyway. After 3 attempts to create an account returned an error (displayed as a red bordered div with a lighter red background, but no text whatsoever, without so much as a flag on the fields) I had my partner look over the form to see if I was somehow missing a required field … and she wondered if it was that I was using special characters in my password.
At that point my account was created, so I finished my transactions and sent in a comment to the site manager via the feedback form explaining my security concerns. Short version: this limitation steers users towards seriously weak passwords! A bit more background here. I’m a web developer. While I’m not a security specialist, I do know a bit about the subject, how encryption works, and strong passwords. I will certainly entertain arguments about what makes a strong password, but 8-10 case-sensitive alphanumeric characters doesn’t even make the running.
Today I received an email from a customer support rep (some information redacted). One important point: most of (Business)'s customers identify as women.
Dear (My Name Here),
My name is Tony, and I will be assisting you today. Thank you for
contacting (Business) Customer Support.
The use of the latest cutting edge technology ensures that your shopping
experience will be safe and secure. We encrypt your personal
information, including your name, address, and credit card number when
transmitting over the Internet using Secure Socket Layer (SSL) security
software. We constantly update our security procedures and enhance our
site to meet the very latest encryption standards. We retain a third
party security firm to audit our procedures to ensure compliance with
these standards. All of your sensitive information is scrambled before,
during and after your order is placed on our site.
You may notice an unbroken key or a closed lock at the bottom of the
page when you enter our “check-out” page. This means that your browser
has opened a secure connection with our site! You can also check by
looking at the URL line of your browser. When accessing a secure server,
the first characters of the site address will change from “http” to
privacy and your security when ordering online. (Business) is a highly
ethical company and requires the highest standard of conduct from our
employees and business partners. As members of the Direct Marketing
Association (DMA), the largest association of consumers and businesses
interested in direct marketing, we adhere to the Guidelines for Ethical
Business Practice, Shopping and Consumer Rights and the DMA’s Privacy
Initially, I read this with a kind of “yeah, yeah, nothing useful here …,” but then it hit me: Holy crap, I think I’m being mansplained! The first paragraph really has a kind of “there, there, don’t worry your pretty little head” feeling to it, but when they started to explain to me how to confirm a web page is (supposedly) secure? Yeah, I might be passingly familiar with the concept, but what does this have to do with their weak password policy?
So am I being mansplained here? This is certainly most likely their canned response to security questions, but it still feels very insulting. I’ll admit my own bias here, as Tony could be female or genderqueer, but I still feel very much like I’m being talked down to here, especially since this is pretty square in my own field. I actually considered cancelling my order and deleting the account. I may still delete the account, but I’m kind of torn on the order … that’s still at least a maybe, though.
So, happy mutants … thoughts? Options? Hell if nothing else, I guess it means I’m genuinely being accepted as female (or non-male), at least for some purposes.
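As an added illustration (not from the original post or from the site in question), here is the keyspace an "8 to 10 characters, case-sensitive alphanumerics only" rule actually permits, set beside policies with no low cap, followed by the server-side hashing a site would normally do: a KDF produces a fixed-size digest whatever the input, so a length cap protects nothing. The character-class sizes and PBKDF2 parameters are my assumptions, and the sample passwords are constructed.

```python
import hashlib
import hmac
import math
import os
import unicodedata

# Character-class sizes for the keyspace estimate (assumed values).
ALNUM = 26 + 26 + 10            # case-sensitive letters and digits, as the site allows
ALNUM_SYMBOLS = ALNUM + 33      # plus the 33 other printable ASCII characters
LOWER = 26                      # lowercase only, e.g. a typed passphrase


def policy_bits(min_len, max_len, alphabet_size):
    """Upper bound, in bits, on the entropy of a uniformly random password the
    policy permits: every length from min_len to max_len counts toward the keyspace."""
    keyspace = sum(alphabet_size ** n for n in range(min_len, max_len + 1))
    return math.log2(keyspace)


def compare_policies():
    """The site's 8-to-10 alphanumeric rule next to two policies without a low cap."""
    return {
        "site: 8-10 alnum": policy_bits(8, 10, ALNUM),
        "16-char lowercase passphrase": policy_bits(16, 16, LOWER),
        "12-64 any printable ASCII": policy_bits(12, 64, ALNUM_SYMBOLS),
    }


def hash_password(password, salt=None, iterations=600_000):
    """Server-side storage with PBKDF2-HMAC-SHA256. The digest is always 32 bytes,
    whatever the length or character set of the input, so no length cap is needed."""
    salt = os.urandom(16) if salt is None else salt
    pw = unicodedata.normalize("NFC", password).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)


def verify_password(password, salt, digest, iterations=600_000):
    """Recompute with the stored salt and compare in constant time."""
    pw = unicodedata.normalize("NFC", password).encode("utf-8")
    candidate = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:32s} {bits:6.1f} bits")
    # Constructed sample: a 41-character password full of punctuation and spaces.
    sample = 'correct horse!battery?staple#2024 {@}~`|\\'
    salt, digest = hash_password(sample)
    print(len(digest), verify_password(sample, salt, digest))
```

Even a 16-character lowercase-only passphrase comes out ahead of the site's maximum, which is the whole point: the cap, not the special characters, is what decides the ceiling.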