Eliminate Stupid Password Rules

Passwords must be at least 6 characters long.
Passwords must have a digit.
Passwords must have a capital letter.
Passwords must start with a letter.
Passwords expire every 90 days.

C'mon. This is ridiculous! I cannot use anything like my normal passwords for everything else and I never can remember it because of your rules. Once I do, you make me change it every 90 days.

Then when I forget it, you reset it to something stupid, make us update it again, and make us wait for a confirmation email with a code we have to enter to reset it.

PayPal and my Bank don't have any such restrictions. Any password the user decides on seems to be good enough for them. If it caused them any problems, they would have changed it.

Why do you feel you have to govern our passwords? Let us decide how secure we want our password to be.

This Forum allows flexible passwords. Do you think anyone would use it if you had stupid password rules?

I almost left Plimus several years ago when you changed to this stupid system of passwords. It bugs the heck out of me and just makes logging in very inconvenient for your users. Is that what you want to do?

Check out this thread...

I agree with you, but this topic was addressed several months ago between several vendors and Plimus' staff here:
http://home.plimus.com/ecommerce/community/forum_topic/expiring-password
Since the passwords have only gotten stricter since the last discussion (previously we didn't need a capital letter, but now we do), my guess is they're not going to budge on this issue.

It's really a shame because now I need to write down my Plimus password to remember it which ends up making it *less* secure. ;-)

Password Blues

Hi there Louis. Thanks for expressing your views. 
I understand that password management can get extremely tedious at times, but please bear in mind that these passwords give access to online payments information and are as sensitive as bank account passwords. We are trying to protect your ultimate security, and for some vendors there are hundreds of thousands of dollars at stake.
I suggest you have a look at the free LastPass service and perhaps Robohelp (fee-based, Windows) as password management solutions that might assist you in getting to grips with password issues whilst maintaining security requirements.

Derek, Plimus

Complex Password Requirements Do Little For Security

Derek:

Yours is the ONLY company I deal with, other than the LAN at my place of work, that has password requirements of the sort that would require Robohelp or a sticky note on my screen.

You claim that Plimus is as sensitive as bank accounts. Yet my online bank account with the CIBC http://www.cibc.com has minimal restrictions on what you have to use, and does not expire them. My online brokerage firm is the same.

Even more so, PayPal, which should be the most concerned with security of anyone, has only a minimum of 8 characters as its requirement, again with no expiry.

All you are doing is frustrating your users. You are NOT making your system any more secure, because there are so many more ways that the evil ones use than just by guessing passwords. See: http://palisade.plynt.com/issues/2006Aug/complex-passwords/

I reiterate: You should let your users decide how complex they want their passwords to be. You should not impose these rules on us.

When I signed up with you six years ago, you didn't have such rules. A few years ago, you imposed them. If you would have had these rules when I was looking for an e-commerce solution, this would have been a show-stopper for me. I would have gone elsewhere.

Agree

I have to agree. If the model for the change was to be on par with other financial institutions, you've gone overboard. My online banking (with a major bank in my state) does not have such rules nor do they expire passwords. Additionally, I have investment accounts with a major *global* investment company that allows online account management and also does not have these restrictions or expirations on their passwords, so I'm not sure the "we have vendors with lots of money here" argument works, as institutions managing literally *billions* of dollars are using less-stringent rules. Oddly, prior to these rules being implemented, no one was writing threads here asking for stronger security. Compare that to the amount of time you've had to invest responding to vendors after the changes were implemented. ;-)

At least allow vendors to recycle passwords, or make the expiration optional so vendors who don't want the annoyance can disable it at their own peril.

What's next? "In order to increase security, we've implemented a stronger, more secure password-protection mechanism. As of today, we have assigned a new random password to your Plimus account. In order to protect that password to the maximum extent, you will not be told what your new password is." ;-)

Talk about security worries...

I'd much sooner trust the security of my user IDs and passwords written on a piece of paper in my desk drawer before I'd trust them to a third-party application or online service.

Create a list of all the bank and financial web sites I use along with their usernames and passwords and store it all online with a company that could hire just about anyone to manage it? No thank you! I should think a non-expiring password is less risky than letting someone I've never met manage the information that grants complete access to my entire life savings and retirement funds! ;-)

Pass

Let's agree to disagree on this one???

Derek :)

Unfortunately, the squeaky

Unfortunately, the squeaky wheel gets the grease! ;-) If enough people continually complain, perhaps Plimus will eventually consider making some changes. Perhaps not and they are resolute to stand firm on this matter, but since they've chosen an unpopular position, they will need to bear the consequences of dealing with unhappy customers voicing their dissatisfaction (politely of course). While I can appreciate Plimus' position on this issue, you can't have it both ways: "We're going to do something universally unpopular, but we would like it if no one would complain about it." ;-)

I'm a squeaky wheel and I'm

I'm a squeaky wheel and I'm with swbrains on this one.
Try reading the Risks Digest about passwords.

Let me add my voice to the

Let me add my voice to the squeaky wheels.
We are the customers and we do not like these difficult rules.

Plimus is unusable because of silly password requirements

I'm regretting moving to Plimus, and the only reason is the uber-unreasonable password requirements. It's come to the point that I am not approving Affiliate requests at Plimus because I can't be bothered to jump through hoops to log into Plimus.

These are the steps I need to take to log into Plimus when I have a task that should take 30 seconds at the most:

1) Go to the login page.
2) Realise my password doesn't work any more.
3) Use the reset password link.
4) Go to inbox for verification e-mail.
5) Ah, finally I can log in.
6) Damn *%*^*&% it says the password cannot be reused.
7) Don't want to create a new unrememberable password, so give up after a long process with frustration.
8) Look for a new keyboard on eBay and bandage bleeding forehead.

What's the point of having any features and services if you don't want us logging into Plimus at all? I haven't approved *any* affiliates at Plimus for 5 months because I can't log into Plimus.

Pick up a standard textbook on UX guidelines. Pick up a standard text on authentication. Do any of these say the correct way to implement authentication is to piss off your site users by making the site unusable? I can't even authenticate myself, for god's sake.

I'm too infuriated to make reasonable suggestions right now, but a lot of simple things come to mind:
1) ALLOW PASSWORD REUSE
2) Don't introduce a new point of failure by forcing people to write down passwords or use third-party software to remember them
3) Use multi-factor authentication only in areas of the site where necessary
4) Don't pull your requirements out of that place where the sun don't shine. A 6 character limit is reasonable, but "your password must start with a letter"? What's wrong if my favourite password were "6k5YUF2@lo0"?
Also FYI having this "your password must start with a letter" requirement makes brute-forcing that little bit simpler, since the attacker can narrow down the first character to a letter.
5) When you have big-ticket accounts, you can treat them differently. Perhaps send them an RSA SecurID token as one authentication factor.

Are you worried about people suing you if their account gets hacked into? I'm this close to suing you for undue mental distress.

Security Security Security

I completely understand your frustration and really enjoyed your post. However, our tech guys are adamant that this is helping make Plimus a more secure environment for the hundreds of millions of dollars worth of transactions that go through the platform each year.
I just know that your current emotions are nothing compared to how you would feel if someone got your password and your hard-earned money.
Thanks,

Derek, Plimus

Reinventing the wheel

Now, when I'm calmer, I can see the larger picture. It seems to me this password policy is a side-effect of an overall misguided tech policy at Plimus of reinventing the wheel.

Where possible, code and ideas that have passed peer scrutiny should be reused rather than reinvented.

Plimus seems to ignore this simple guideline often; a case in point is this forum itself. Instead of customizing available off-the-shelf solutions, it seems like Plimus decided to roll their own. Sure, it's easy for smart developers to build their own forum, but it's also easy to overlook that established solutions have the advantage of evolution over a long time. They know the features users need, vs. the features the developer thinks the users need.

This leads to situations like basic features missing from Plimus' forum for a long time, and the users of the forum have to suffer till Plimus gets it 'right'.

Similarly, I looked at a post from November about the Live Assistance not having an alert sound. If this was indeed true, it's a surprising feature for the developer to miss. This wouldn't have happened if Plimus had had a good look at established live assistance software, or maybe even just implemented the best off-the-shelf one.

Coming back to the password policy issue - user authentication is not a problem faced only by Plimus. People have tried various approaches to this problem for many years, and after many failures, authentication has evolved to the current state.

It's just not right for Plimus to go off on a tangent and 'invent' a home-baked set of password rules rather than use industry best-practices.

It seems Plimus' rules are based on the assumption that their password policies will help with potential insurance or indemnity proceedings. Funny thing is, I'm not certain this will even further that cause.

What's happening right now is that Plimus' rules make it impossible for users to remember their password. This takes the onus of security off Plimus and onto the user's shoulders, as they now need to write down their password or store it with a third-party software or service.

The overall effect is however to reduce security, or, as in my case, to discourage legitimate use by users due to frustration. Moreover, any security expert will testify in court that such non-standard policies encourage behavior that is overall less secure.

From the insurance or indemnity perspective, it would be ideal to follow a median of the policy adopted by most banks, and stick to the exact terms. When you think you're adding a security feature, you might actually be subtracting from overall security.

From the user experience perspective of course, letting the user choose a 6+ letter alphanumeric password is more than sufficient rules for basic access. Other authentication factors can be introduced for critical functionality.

And anyway, most password leaks occur via keylogging, malware and exploits, not brute forcing (which you can prevent at the server-side anyway). Beyond the basic 6 alphanumeric characters, password strength is hardly a significant factor, nor is periodic change. Multi-factor authentication is definitely a factor, which you haven't really implemented much, though.

As far as quoting papers and essays go, here's a thoughtful essay that was linked to by Bruce Schneier.

"Forcing periodic password changes given today’s resources is unlikely to significantly reduce the overall threat"

Source: http://www.cerias.purdue.edu/site/blog/post/password-change-myths/

I understand "your site, your rules", but the thing to get is that mostly it's not about the technology/features. I had an Asus smartphone a couple of years ago that I switched for an iPhone with fewer features than the Asus, but more usability meant I get more out of the iPhone.

I'm sure Plimus has a lot of awesome features for Vendors - which I'm not encouraged to explore because the site is unusable because of the messed-up authentication.

I'll leave with a suggestion: get some external UX pros to take a look at your website and workflows. Getting usability right is usually worth more than tens of 'features'.
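As an added illustration of the server-side brute-force prevention the post above says makes a 6-character alphanumeric password sufficient (this is not code from the thread or from Plimus; the attempt limits are assumptions, and the 62-character alphabet and 6-character length follow the post's own numbers), a per-account login throttle together with the guess budget it leaves an online attacker:

```python
# Added example, not from the thread or Plimus: a per-account login throttle
# plus a rough bound on how many online guesses it leaves an attacker.
# Limits below are assumptions; the 6-char alphanumeric keyspace matches the post.
from collections import defaultdict, deque

MAX_FAILURES = 5      # failed attempts allowed per account within WINDOW
WINDOW = 15 * 60      # seconds over which failures are counted
LOCKOUT = 15 * 60     # seconds the account stays locked after MAX_FAILURES


class LoginThrottle:
    """Tracks failed logins per account and refuses attempts while locked."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked_until = {}              # account -> unlock time

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0) > now

    def attempt(self, account, password_ok, now):
        """Return True only if the attempt is allowed and the credential check
        (password_ok, the result of a real hash comparison) succeeded."""
        if self.is_locked(account, now):
            return False  # locked: do not even consult the password
        if password_ok:
            self._failures.pop(account, None)
            return True
        fails = self._failures[account]
        while fails and now - fails[0] > self.window:  # drop stale failures
            fails.popleft()
        fails.append(now)
        if len(fails) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            fails.clear()
        return False


def keyspace(length, charset_size=62, first_must_be_letter=False):
    """Number of candidate passwords; the 'must start with a letter' rule
    shrinks the first position from charset_size to 52 (A-Z, a-z)."""
    first = 52 if first_must_be_letter else charset_size
    return first * charset_size ** (length - 1)


def guesses_per_day(max_failures=MAX_FAILURES, lockout=LOCKOUT):
    """Upper bound on online guesses against one account: after max_failures
    quick guesses the attacker must wait out the lockout before the next batch."""
    return (86400 // lockout) * max_failures


def days_to_exhaust(space, per_day):
    """Days an online attacker needs to try every candidate at that rate."""
    return space / per_day
```

With these limits an attacker gets 480 guesses per account per day, so exhausting the 6-character alphanumeric space would take on the order of a hundred million days; the throttle, not the composition rules, is what bounds online guessing.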

and here's another utter

And here's another utter stupidity with the password rules: say I create a new password following the new rules, say it's Hb95;0x2g. I now have to enter a hint as well!!!! What sort of hint is going to remind me about a password like that? We all know exactly what will be entered into the hint field, don't we!

Passwords

Hi,

Sellers have the ability to choose the password, so presumably you can construct a hint to go with it. They are not confined to machine-generated passwords.

Derek, Plimus

LOL

Come on, man! A little attention while reading, please.

Poster above, you obviously

Poster above, you obviously know what you're talking about.

Pity Plimus completely ignored your worthwhile and valuable contribution in this discussion.

I wonder if they have the intelligence to comprehend what you're saying. To me it makes sense, and you bring up some valuable points that are clearly well thought out.

But no comment from 'derek'. Hey derek, do you even understand what this guy is talking about? I guess not!

More kludge

1) To change my user ID I am forced to change my password as well.

1b) The user ID can be changed too easily, but the user ID is required to retrieve a password. This leads to situations like mistaken changing of user ID, leading to account lockups.

2) Any error messages while resetting a password (e.g. "This password is not acceptable because we have pulled out weird password rules from our ***", etc.) should be displayed *before* the e-mail verification process, and not after. Otherwise the verification has to be done multiple times, which is insanely time-consuming.

3) Outgoing e-mail sent by the verification process is too slow - takes a lot of time to reach the inbox, as compared to anywhere else where it is instantaneous.

4) Off-topic, but still irritating: CAPTCHAs should be asked once per session, not every time I preview or edit the same post.

Password Rules

Hi there,

I have passed your comments on to our tech team.

With respect to the CAPTCHA settings we have had a lot of spam link posts and this is a temporary measure to help combat the problem. Hopefully we will be able to reduce this in the near future.

Thanks for your feedback,

Derek, Plimus

YOUR IT GUYS DON'T KNOW THE FIRST THING ABOUT DEALING WITH PEOPLE

You guys have the most STUPID, RIDICULOUS, ANTIQUATED PASSWORD SYSTEM EVER.

I am a full time online marketer.

I deal with companies like:

EBAY
AMAZON
CJ (Commission Junction)
Clickbank
GOOGLE

and more...

Let me tell you something...

NONE OF THEM HAVE A STUPID, NON USER FRIENDLY PASSWORD SYSTEM LIKE PLIMUS DOES.

Seriously.

Nobody

Change the password every 90 days?
Can't use a previous password.
Have to verify confirmation code in email that takes 3 minutes to arrive before you're told you can't use a particular password because it doesn't meet the 'rules' that some stupid IT guy has come up with.

REDESIGN YOUR SYSTEM OR YOU WILL CONTINUE TO ANNOY USERS.

IT'S THAT SIMPLE.

How many people does it take before you GET IT?

EBAY. GOOGLE. AMAZON. PAYPAL.

They are big names

They also don't ask you to change your password every 90 days.

NONE OF MY ONLINE BANKING PASSWORDS REQUIRE THIS.

Nobody else does this.

This is not a top secret government CIA organisation. It's plimus.

Get a grip. Your password system SUCKS.

STOP LISTENING TO YOUR IT GUYS. THEY OBVIOUSLY HAVE NO IDEA ABOUT THE REAL WORLD AND WHAT REAL PEOPLE DEAL WITH ON A DAY TO DAY BASIS.

Seriously, listen to what we are saying.

The end.

RULES LIKE THIS MAKE PASSWORDS LESS SECURE

Another poster touched on this.

Because you require the password to be changed every 90 days, people naturally will WRITE IT DOWN or NOTE IT SOMEWHERE.

That makes the system LESS SECURE. NOT MORE.

Think about it. Just STOP, and THINK ABOUT THAT FOR 1 MINUTE.

Seriously. Stop. Think. Less Secure.

YOUR VENDORS MISS OUT.

You know what. I'm not going to use Plimus until you change this system. I have other people I can use on different networks. They pay about the same.

I wonder how your Vendors feel about that? Not just me, but ALL THE PEOPLE WHO AVOID PLIMUS because they simply forget their 'made up' password they used after they ran out of all the memorable passwords a long time ago?

BAD EXPERIENCES LEAD TO LOSSES OF REVENUE?

Do your IT GUYS UNDERSTAND THAT?

probably not. It doesn't sound like it.

Sorry, Plimus. I'm dropping you until you redesign this. I'm only one person, I don't matter. But think about all the other people that give up on trying to deal with you because of your stupid, insecure and non user friendly "SECURE" (hahaha what a joke!) PASSWORD SYSTEM.

Adios! & Good luck staying in business!

Plimus Position on Password Access to Accounts

Just to reiterate what we have said before on this subject:

The password renewal process is based on recommendations and requirements of the Payment Card Industry.
Some clients have many $100,000s passing through these accounts each month and accordingly Plimus has to treat them with the same amount of security attention that a bank would in respect of a substantial online banking account.
Obviously some clients view this risk differently to others but we have chosen to take a cautious and responsible attitude for the benefit of our Vendors, Affiliates and of course their customers.
To accept previously used passwords would not conform with security standards in this industry.

Derek, Plimus