Today I was going to log in to the Citibank website to check out my credit card activity and I was told to create a username instead of using the credit card number to log in. Cool, I thought, at least I don't need to remember the credit card number when going in anymore. So I followed the steps to create a username and password.
So I punched in a username, then I entered the password using their virtual keyboard (to stop the spoofing attacks) and I pressed Continue. Then I was greeted with the message "the USERNAME you have chosen is not strong, please follow the security guidelines".
So I took a closer look at the fields to see what they mean by a strong USERNAME. Then I noticed it's the SAME guideline as for the password, which is:
• 6 characters or more, with at least 1 alphabet and 1 number
• May contain the following special characters @, . and _
• Cannot contain 3 identical characters in a row (e.g. alpha111 or aaa125)
• Cannot contain 3 consecutive alphabets or numbers in a row (e.g. abc269 or alpha123)
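To make those four rules concrete, here is an added Python validator (my own illustration, not Citibank's code) that applies them to a candidate username or password. It assumes "consecutive" means an ascending run such as abc or 123, compared case-insensitively, and that the permitted character set is letters, digits and the three listed symbols.

```python
import re

# The bank's published rules, as quoted above.
MIN_LENGTH = 6
# Assumption: only letters, digits and the three listed symbols are permitted.
ALLOWED = re.compile(r"^[A-Za-z0-9@._]+$")


def has_identical_run(s: str) -> bool:
    """True if any character appears 3 or more times in a row (e.g. 'alpha111')."""
    return any(s[i] == s[i + 1] == s[i + 2] for i in range(len(s) - 2))


def has_sequential_run(s: str) -> bool:
    """True if 3 characters in a row form an ascending run of letters or of digits
    (e.g. 'abc', '123'). Assumption: descending runs such as 'cba' are not counted,
    and letters are compared case-insensitively."""
    t = s.lower()
    for i in range(len(t) - 2):
        a, b, c = t[i], t[i + 1], t[i + 2]
        same_class = (a.isalpha() and b.isalpha() and c.isalpha()) or \
                     (a.isdigit() and b.isdigit() and c.isdigit())
        if same_class and ord(b) == ord(a) + 1 and ord(c) == ord(b) + 1:
            return True
    return False


def check_credential(value: str) -> list[str]:
    """Return the rules the value breaks; an empty list means it is accepted."""
    problems = []
    if len(value) < MIN_LENGTH:
        problems.append("shorter than 6 characters")
    if not any(ch.isalpha() for ch in value):
        problems.append("no letter")
    if not any(ch.isdigit() for ch in value):
        problems.append("no digit")
    if not ALLOWED.match(value):
        problems.append("character outside letters, digits, '@', '.', '_'")
    if has_identical_run(value):
        problems.append("3 identical characters in a row")
    if has_sequential_run(value):
        problems.append("3 consecutive letters or digits in a row")
    return problems


if __name__ == "__main__":
    # The guideline's own rejected examples plus a couple of constructed inputs.
    for candidate in ["alpha111", "aaa125", "abc269", "alpha123", "j.doe_2017", "abc"]:
        print(f"{candidate!r}: {check_credential(candidate) or 'accepted'}")
```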
Which just made me go... WHAT THE HELL? Instead of a simple username like weiminchanz followed by a complex password like l3t1tb3th3w4y, I have to make a complex USERNAME as well, like w31min8i8v7?!? Don't they know that if you make users remember more complex stuff, they're going to have more of a reason to stick it under their keyboard?
It seems that in their blur of thinking that complex = secure, the people behind the design of the security system forgot WHY passwords get leaked in the first place. Which is mainly... people have bad memory!