I switched to a new health insurance provider this year after having had a different provider for about seven years. This required me to create a new online account in order to easily pay my monthly premiums. My overall experience with health insurance providers has been decent, but my experience handling health insurance issues online has been poor. I went in expecting the worst, and the “create password” step lived down to my expectations. I reprint the “create password” instructions below, exactly as they appeared:
Create Password
Create a password to access the Member Portal. It must include the following:
* Between 8 and 16 characters
* Include at least one letter in uppercase and lowercase
* Include one number
* Include one symbol (!, @, #, $, %, &, *).
My password must be between 8 and 16 characters. This is short. Why such a short limit? I roll my eyes. While I generally prefer passphrases, I will go with a password if I am stuck with a 16-character limit.
There are additional rules beyond the 16-character password limit. We must include “at least one” uppercase and lowercase letter, one number, and one symbol. Now if you recall from my article on setting up a home server, I do not always read the fine print. In this case, I did not appreciate how particular the fine print was. I read these rules as simply requiring me to include uppercase and lowercase letters, numbers, and symbols in my password. I used my password manager, KeePassXC, to generate a password that satisfied all four requirements. Imagine my surprise when the site rejected three random 16-character passwords with letters of both cases, numbers, and symbols.
After studying the instructions closely, I wondered if the site was insisting that I use only one number and only one symbol. I made a few alterations to one of the random passwords KeePassXC generated to ensure that the password included only one number and only one symbol.
This password was accepted.
I was dumber for having gone through this experience.
This site limits passwords to 16 characters (bad), requires numbers and symbols (I would prefer it did not, but fine), but demands only one number and only one symbol (dumb). Why? My guess is that it assumes that people will use terrible passwords like their pet’s name, their birthdays, or the same password that they use for all of their other services. So it tacks on the number and symbol requirements to make these insecure passwords marginally less bad. However, whoever was behind this abomination decided that people would lose their passwords if they had too many numbers or symbols, so you can only use one.
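To make the gap between the rules as written and the rules as enforced concrete, here is an added Python example (not from the original post or the insurer's site) that implements both readings of the policy and estimates how much of the 16-character keyspace the “exactly one number, exactly one symbol” reading throws away. The two sample passwords are constructed for illustration.

```python
import math
import string
from itertools import combinations

# Character classes taken from the portal's quoted instructions.
UPPER, LOWER = set(string.ascii_uppercase), set(string.ascii_lowercase)
DIGITS, SYMBOLS = set(string.digits), set("!@#$%&*")
CLASS_SIZES = (len(UPPER), len(LOWER), len(DIGITS), len(SYMBOLS))  # 26, 26, 10, 7

def class_counts(pw):
    return {"upper": sum(c in UPPER for c in pw), "lower": sum(c in LOWER for c in pw),
            "digit": sum(c in DIGITS for c in pw), "symbol": sum(c in SYMBOLS for c in pw)}

def policy_as_written(pw):
    """The rules as a reader would parse them: 8-16 chars, at least one of each class."""
    if not 8 <= len(pw) <= 16:
        return False
    n = class_counts(pw)
    if sum(n.values()) != len(pw):  # a character outside the four allowed classes
        return False
    return all(v >= 1 for v in n.values())

def policy_as_enforced(pw):
    """The rules as the site actually behaved: exactly one digit and exactly one symbol."""
    n = class_counts(pw)
    return policy_as_written(pw) and n["digit"] == 1 and n["symbol"] == 1

def keyspace_as_written(length=16):
    """Number of strings of this length containing at least one character from
    every class (inclusion-exclusion over the set of classes left out)."""
    total = 0
    for k in range(len(CLASS_SIZES) + 1):
        for missing in combinations(CLASS_SIZES, k):
            total += (-1) ** k * (sum(CLASS_SIZES) - sum(missing)) ** length
    return total

def keyspace_as_enforced(length=16):
    """Positions for the single digit and single symbol, their values, and then
    the remaining letters, which must still contain both cases."""
    letters = 52 ** (length - 2) - 2 * 26 ** (length - 2)
    return length * (length - 1) * 10 * 7 * letters

def bits_lost(length=16):
    """Bits of keyspace the 'exactly one' reading gives up at this length."""
    return math.log2(keyspace_as_written(length)) - math.log2(keyspace_as_enforced(length))

if __name__ == "__main__":
    for pw in ("Kx7#pL2q9Wm!Rt4Z", "Kx7#pLtqzWmoRtbZ"):  # constructed samples
        print(pw, policy_as_written(pw), policy_as_enforced(pw))
    print(f"bits lost at 16 chars: {bits_lost():.2f}")
```

The first sample (four digits, two symbols) satisfies the rules as printed but fails the rules as enforced; the second passes both, and at 16 characters the stricter reading costs roughly three and a half bits on top of what the length cap already costs.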
People who are modifying a bad password to meet these requirements will probably forget what they did unless they have some system for managing passwords. Having been one of those people once upon a time, the solution then is to just reset the password – which is easy enough but ultimately a waste of everyone’s time and resources. Of course, if these people have a system for managing passwords, they are probably not using that level of bad password. For people who have organized systems for generating and managing passwords, these requirements are annoying.
While I understand acknowledging that we live in an imperfect world and trying to implement a system to ensure that people who are inclined to use awful passwords make it marginally more difficult for third parties to get into their health insurance accounts, does this require dumbing down (or perhaps dumbing up) the process to make it more irritating for everyone? I think not. Why not offer and promote some good 2FA options to help people secure their accounts regardless of their passwords?