I’ve never been one to use the same, simple password for everything, like many FBI agents and possibly 92 percent of Sony customers. For the better part of a decade, my strategy was to use a ridiculously long “secure” password for important sites, and a simple (but nondictionary) password for the rest. Then a number of years ago I switched to the much more robust strategy of using a complex sequence combined with parts of the website name following some formula. I didn’t want to make it too complicated, though, so I limited the password to eight characters, as one of my banks had this limit on passwords.

Recently I decided to switch to a much longer base password, and also make the formula more complicated. Taking after a friend, Erik, I started documenting the password restrictions for many of the websites I use. I was glad to see my new password formula would work for most of my frequented websites, but unfortunately I’ll need to modify it for five of the websites. And of course, these five websites are all banks! Leave it to the banking industry to disallow secure passwords!

Capital One password restrictions

The main problem is, of the banks I checked, most don’t allow just any special characters. Some allow a few, but of course the special characters in my password aren’t among the allowed ones for the most part.

The good:

US Bank

• For your protection, passwords must be 8 to 24 characters and include both letters and numbers.
• Spaces are not allowed.
• You may also include special characters (such as %, $, &).

The bad:

Chase

• Must contain 7-32 characters
• Must include at least one number and one letter
• Cannot include special characters (&, %, *, etc.)

Discover

• 5-10 characters, letters and numbers only

American Express

• Must be different from your User ID
• Must contain 8 to 20 characters, including one letter and number
• May include the following characters: %,&, _, ?, #, =, -
• Your new password cannot have any spaces and will not be case sensitive.

Capital One

• 8 to 15 characters, not case sensitive;
• Use: Aa-Zz, 0-9, ( - ), and ( _ );
• at least 1 letter and 1 number;
• no spaces

University of Wisconsin Credit Union

• Passwords must consist of 6-10 keyboard characters and cannot start or end with a space.
• Choose a mixture of letters, numbers and non-alphanumeric characters (@, %, $, #, &, etc.)
• Use capital letters sporadically.
• Select an 8-digit password or longer.
• Think of a mnemonic device to remember your unique password.
• Change your password frequently.

I found US Bank to be the only one that allowed all the characters in my password, and luckily the password uses just fewer than their 24 character maximum. The rest were fairly strange. Chase and Discover, why do you disallow any special characters?! Capital One only allows two different special characters, and American express allows seven. I really do not understand this.

From a programming perspective, I can see a vague desire to prevent stupid programmers from implementing a buggy password form that might allow an SQL injection attack… and perhaps banks think they are preventing this by restricting special characters? I would think it would be little to no extra effort for any bank, or any website for that matter, to allow passwords of any characters and any reasonable length (say, less than 1024 characters?).

I would like to see the above restrictions reduced to: at least 12 characters, including mixed cases and at least one number and special symbol. Anyone should be able to come up with a password to fit that, even if he uses the same password everywhere. He would be no worse off since he’d surely be the type to use the same password everywhere anyway.

Interested in strategies to make secure passwords?

Many online sources explain variations on the “base password + website name” strategy. Some suggest using first letters of words in a phrase to come up with the base password, and others suggest mangling a word by changing some letters to numbers.

Court order-proof password: the password grid. The idea here is you carry around a small printout of a grid of random characters, and you memorize a pattern to trace on the grid mentally to generate your password. You use this until you begin to remember some of the password. That’s the signal to switch to a new grid. This allows you to destroy the grid any time you need to make it impossible for anyone, including yourself, to retrieve the password.