# Monday, 06 November 2006

Today I was going to login to the Citibank website to check out my credit card activity and I was told to create a username instead of using the credit card number to login. Cool I thought, at least I don't need to remember the credit card number when going in anymore. So I followed the steps to create a username and password.

So I punched in a username, then I entered the password using their virtual keyboard (to stop the spoofing attacks) and I pressed continue.. then I was greeted with the message the USERNAME you have chosen is not strong, please follow the security guidelines.

So I took a closer look at the fields to see what they mean by a strong USERNAME... then I noticed it's the SAME guideline for the password.. which are..

• 6 characters or more, with at least 1 alphabet and 1 number
• May contain the following special characters @, . and _
• Cannot contain 3 identical characters in a row (e.g. alpha111 or aaa125)
• Cannot contain 3 consecutive alphabets or numbers in a row (e.g. abc269 or alpha123)

Which just made me go... WHAT THE HELL? Instead of a simple username like weiminchanz and then followed by a complex password of l3t1tb3th3w4y I have to make a complex USERNAME as well?!?!? w31min8i8v7 don't they know if you make the user have to remember more complex stuff then they're gonna have more of a reason to stick it under their keyboard?

It seems that in their blur of thinking that complex=secure the people behind the design of the security system forgot WHY passwords get leaked in the first place. Which is mainly... people have bad memory!

Note that you can Post As GUEST as well.
blog comments powered by Disqus