Security Hall of Shame: Lenovo

Summary: What is wrong with password rules at Lenovo?

The winner of today's Security Hall of Shame Award in the category Stupid Password Rules (subcategory: We want you to think that we support strong passwords, but we don't, ha-ha) is... Lenovo.

When you register at the Lenovo IBM Shareholder Purchase Program, you are not allowed to specify a password (not sure why, but whatever). Once you submit the registration info, you will receive an e-mail with your user name and a random password (not that smart to send the password along with the user name, but whatever). Now the logical step is to change the password to one you can remember, so you click the My Account link (not easy to find on the page, but whatever), and then click Change Account Information (it would be better to separate security info -- user name, password -- from regular account info -- address, phone, etc. -- but whatever).

Okay, let's change the password. This is not a financial site, so make a new password, which is:
  • 8 characters long, with
  • upper-case letters,
  • lower-case letters, and
  • a number.
This should be good enough, so save changes... and... o-ops, error:
"The password is too simple. It must contain at least two numbers."
Hmm, among the passwords I use, none of them has two numbers, but let me try this:
  • 9 characters long, with
  • upper-case letters,
  • lower-case letters,
  • a number, and
  • a special character.
This one complies with most password security guidelines, so save changes... and... da-ang:
"The password contains special characters. Only letters (a-z) and numbers are allowed."
Hmm, okay let's try this:
  • hello123
Save changes... and... no hay problema. Bravo, Lenovo! You know your security.

Now, kids, remember that Lenovo will lose its Security Hall of Shame Award when it changes its password rules to:
  1. allow special characters (such as: +-*#@!~&%), and
  2. not require two numbers (this is not a bad rule, but it's not common).
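
The behaviour described above, modelled as an added example (not code from Lenovo or from the original post): the rules are inferred from the two quoted error messages, and the rule set with the two changes listed above is run beside them. The function names, the check order, the acceptance of upper-case letters and the first two sample passwords are assumptions made for this sketch.

```python
import math
import re
import string

# Error strings quoted in the post.
ERR_SPECIAL = "The password contains special characters. Only letters (a-z) and numbers are allowed."
ERR_DIGITS = "The password is too simple. It must contain at least two numbers."


def observed_check(pw):
    """Rules inferred from the two quoted errors; returns an error or None.

    Assumptions: the character check runs first (the post's second attempt had
    one number yet got the special-character error), upper case is accepted,
    and no length rule is modelled because the post does not state one.
    """
    if re.search(r"[^A-Za-z0-9]", pw):
        return ERR_SPECIAL
    if sum(c.isdigit() for c in pw) < 2:
        return ERR_DIGITS
    return None


def revised_check(pw):
    """The post's two changes: special characters allowed, no two-number rule.

    The printable-ASCII limit is an assumption of this sketch.
    """
    allowed = set(string.ascii_letters + string.digits + string.punctuation)
    return None if set(pw) <= allowed else "unsupported character"


def bits_per_char(alphabet_size):
    """Upper bound on entropy per character for a uniformly random password."""
    return math.log2(alphabet_size)


# Constructed samples shaped like the post's three attempts; only the last
# string appears on the page.
SAMPLES = ["Tr4ilMix", "Tr4il#Mix", "hello123"]


def compare(samples=SAMPLES):
    return [(pw, observed_check(pw), revised_check(pw)) for pw in samples]


if __name__ == "__main__":
    for pw, old, new in compare():
        print(f"{pw!r:12} observed: {old or 'accepted'} | revised: {new or 'accepted'}")
    print(f"letters+digits: {bits_per_char(62):.2f} bits/char, "
          f"with punctuation: {bits_per_char(94):.2f} bits/char")
```

Of the three samples, the observed rules accept only hello123. Allowing the 32 ASCII punctuation characters raises the ceiling from about 5.95 to about 6.55 bits per random character.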
