As I always try to do, i wanted to register my new device, download the newest drivers etc. Visiting bamboo.wacom.com, i followed directions and was asked to create an account for myself. Struggling hard with the absence of https and other issues, i decided to register the product anyway. Probably not the very worst information to loose control of anyway.
I entered a rather simple password as i usually do for starters (then changing them after registration), i got this on screen:
WOW! They require a 10 character length minimum password!
Rather perplexed with an instant feeling of .. happiness.., i registered with a much more complex password, which of course was 10+ characters in length. Additionally, the error message states their password policy i guess. I's even shorter than the one I'm planning to release on my blog as a "best practice" recommendation in the near future. :-)
KUDOS to Wacom for actually requesting 10 character length as the minimum. Doing that you're leaving most others in the dust.
Complaints? Sure. No SSL (HTTPS), and i didn't even try out to see if there were any complexity requirements hiding in there, or any other controls that would be optional or even mandatory to keep in line with what i would consider best practice.
I'm amazed, I've got to sleep now. FINALLY a provider of products and services does something good for the evolution of password security (without jumping to 2-factor or biometrics). WOW, and good night. :-)
Probably not the very worst information to loose control of anyway.
ReplyDeleteSince I don't know the information you had to enter in-order to register, (and thus can't gauge it's value), please take what I say with a grain of salt. That being said, I'm against sites which have a low value to the defender, having a strong password requirement. A majority of users only have one or two "strong" passwords that they use/remember. It's much more important for those users to "save" those passwords for important sites rather than use them everywhere. That way if Wacom, (or a related site), gets hacked, at least that limits the number of people who's webmail/online bank accounts would also be at risk.
I guess what I'm trying to say is that the chances of an attacker investing the resources to conduct a successful password cracking attack against wacom is probably very low, (and a majority of that could be avoided by a password blacklist). The chances of an attacker compromising the site vs. some other means, (such as SQL injection), is much, much higher. The key then is to keep an attacker from leveraging that data to compromise other important accounts. I think a strong password requirement actually increases the likelihood of that happening since people would re-use their "strong" password.
I find the entire issue of having to register your hardware device to receive support to be quite absurd. I mean, it's not very likely that you've copied the device from your friend (unless you work at a Chinese factory), so the odds are that, at some point, there was an exchange of money for the device, and the appropriate amount ended up in the manufacturers coffers.
ReplyDeleteIf a car manufacturer would try something like that ("Oh, you haven't registered? I'm afraid we can't give you any support."), they would have the Better Business Bureau (or equivalent agencies) on their asses in a heart beat.
That said, one way to rid yourself of the entire problem with regards to strong/weak passwords, is to require the use of OpenID or similar service. Of course, users will continue to choose the OpenID provider with the weakest security, but that's the user's own responsibility.
Instant win!