Password requirements FAIL

[Image: pwfail (screenshot of the DMV password requirements page)]

I went to sign up with the DMV website to put in a change of address. After providing some info off my license and some other bits, they sent a link to the page shown above.

Only eight characters?  Not case-sensitive?  Really?

It also barfed on some of the non-alphanumeric characters KeePass wanted to use; an unstated requirement, apparently, is that only the three non-alphanumeric characters shown are acceptable. I'm used to giving websites passwords that are 20 or more characters of random gibberish to provide plenty of entropy; the limits imposed by the DMV website only allow about 50 bits of entropy, which is fairly weak security.

The length limit suggests that perhaps they're storing raw passwords in their database, as that's the only reason to have a length limit: a properly salted and hashed password produces a fixed-size digest no matter how long the input is, so a hashing backend has no need to cap length at eight characters. Even Ashley Madison probably didn't make that kind of rookie mistake.
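To make both points concrete (the entropy budget of the policy described above, and why a length cap is unnecessary when passwords are hashed rather than stored raw), here is an added example in Python. It is not code from the original post or from the DMV site. The exact character set is an assumption, since the screenshot's three permitted symbols are not named in the text; `!@#` stands in for them. The hashing parameters (PBKDF2-HMAC-SHA256, 16-byte random salt) are one standard choice, not anything the DMV is known to use.

```python
import hashlib
import hmac
import math
import os
import string

# Assumed policy from the post: 8 characters, case-insensitive letters,
# digits, and exactly three permitted symbols. The three symbols are
# placeholders; the real ones come from the screenshot, not this code.
DMV_CHARSET = string.ascii_lowercase + string.digits + "!@#"      # 39 symbols (assumed)
DMV_MAX_LEN = 8

# A typical password-manager alphabet: all printable ASCII except space.
MANAGER_CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password: length * log2(|charset|)."""
    return length * math.log2(charset_size)


def policy_accepts(password: str, charset: str = DMV_CHARSET, max_len: int = DMV_MAX_LEN) -> bool:
    """Model of the restrictive policy: case-folded, capped length, limited symbols."""
    folded = password.lower()
    return len(folded) <= max_len and all(ch in charset for ch in folded)


# --- Hashed storage: the input length never reaches the database. ---

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended floor for PBKDF2-HMAC-SHA256


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> tuple[bytes, bytes]:
    """Return (salt, digest). The digest is always 32 bytes regardless of input length."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the digest and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def stored_digest_len(password: str) -> int:
    """Length of what actually lands in the database for a given password."""
    _, digest = hash_password(password)
    return len(digest)


if __name__ == "__main__":
    print(f"DMV policy, 8 chars over {len(DMV_CHARSET)} symbols: "
          f"{entropy_bits(len(DMV_CHARSET), DMV_MAX_LEN):.1f} bits")
    print(f"Manager default, 20 chars over {len(MANAGER_CHARSET)} symbols: "
          f"{entropy_bits(len(MANAGER_CHARSET), 20):.1f} bits")
    # A 200-character password hashes to the same 32 bytes as an 8-character one,
    # so there is no storage reason to cap length.
    for pw in ("abcd1234", "x" * 200):
        print(f"len(password)={len(pw):>3} -> stored bytes={stored_digest_len(pw)}")
```

Running it prints the entropy of each policy and shows that an 8-character and a 200-character password both store as a 32-byte digest. The entropy figure for the assumed 39-symbol alphabet comes out somewhat lower than the roughly 50 bits estimated above; the exact value depends on which symbols the real policy admits, which is why the charset is marked as an assumption.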

(Of course, no post on password strength issues is complete without this: https://xkcd.com/936/)