Worst Practices at Big Web Sites
The stupefying and unfortunate situation is that the very web sites for which a rigorous password should be used often require the use of low quality passwords.
Shown at right are the Schwab.com password restrictions as of late 2014. No more than 8 characters, no symbols or punctuation.
The restrictions mean that a good password cracker with appropriate hardware could crack many passwords in under a day (a good password cracker doesn’t proceed randomly, but by intelligent combinations of characters).
In Schwab’s defense, an account is locked after some number of failed login attempts. And if done right (Schwab does not say), the passwords would be stored only as one-way hashes, along with appropriate 'salt' values and with the username incorporated. But with such dumbed-down password restrictions, one has to wonder if the whole thing is a Swiss cheese of worst practices.
Observe also the ludicrous and irresponsible suggestions like “kev6in” (a name with a digit in it): hacker OMG heaven. Easily guessable if that person, or a relative of that person, is named “Kevin”. If MPG can think of it, you can bet that hackers and crackers are a lot smarter about it.
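To put numbers on the two complaints above, the 8-character alphanumeric ceiling and the “name with a digit” suggestion, here is an added example (not from the original article) that counts the candidates a cracker would have to try; the guessing rate and the name-list size are assumptions, labelled in the code:

```python
"""Added example, not from the original article: size of the search space
under a Schwab-style policy (max 8 chars, letters and digits only) versus a
longer policy allowing symbols, and the tiny space of 'kev6in'-style guesses.
The guessing rate and name-list size below are assumed, constructed values."""
import math

ALNUM = 26 + 26 + 10          # a-z, A-Z, 0-9
ALNUM_SYMBOLS = ALNUM + 33    # plus the 33 printable ASCII punctuation chars


def keyspace(charset_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of distinct passwords of every length min_len..max_len."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(space: int) -> float:
    """Entropy of a password drawn uniformly from a space of that size."""
    return math.log2(space)


def exhaust_time_days(space: int, guesses_per_second: float) -> float:
    """Worst-case days to try every candidate at the given offline rate."""
    return space / guesses_per_second / 86400


def name_plus_digit_space(name_count: int, name_len: int) -> int:
    """Candidates of the 'kev6in' shape: one of name_count names with a
    single digit inserted at any of name_len + 1 positions."""
    return name_count * (name_len + 1) * 10


if __name__ == "__main__":
    ASSUMED_RATE = 1e10  # assumed guesses/sec against a fast hash (constructed)
    weak = keyspace(ALNUM, 8)
    strong = keyspace(ALNUM_SYMBOLS, 16, 12)
    print(f"<=8 alnum: {entropy_bits(weak):.1f} bits, "
          f"{exhaust_time_days(weak, ASSUMED_RATE):.2f} days to exhaust")
    print(f"12-16 chars with symbols: {entropy_bits(strong):.1f} bits, "
          f"{exhaust_time_days(strong, ASSUMED_RATE):.3g} days to exhaust")
    pattern = name_plus_digit_space(5000, 5)  # 5000 names, 5 letters each (assumed)
    print(f"'kev6in'-style candidates: {pattern} ({entropy_bits(pattern):.1f} bits)")
```

Exhausting every password the weak policy permits takes hours at the assumed rate, while the “name plus one digit” pattern is a few hundred thousand guesses, which is why such suggestions belong on a blocklist rather than in a hint.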
Schwab ought to be red-faced ashamed of both the limitations and the suggestions. This is security negligence, or put more diplomatically, an abject failure to follow best practices.