At the moment, I’m having a ‘discussion’ with British Airways on Twitter. Sadly, it’s not the first time I’ve had a similar conversation with a company.
Here’s the initial part of the problem – when you try to change your BA password, it gives you the following guidance for the password…
So, the password has to be at least 6 characters long and contain both numbers and letters. No symbols, mind you, which is a negative point. So, I put in a new password, generated for me. 49 digits, no less. It complained:
The password you have supplied is invalid. Passwords need to be at least 6 characters in length and use a mix of letters (English A-Z) and numbers.
But my password did abide by those rules.
On a hunch, I reduced the password down to a length of 24 characters. The same error. So I tried 15 characters. This time it was accepted.
I contacted BA to explain that they should really mention this which, I have to say, they accepted. However, I also suggested that maybe allowing longer passwords would be nice. And this is where the ‘discussion’ then started.
We're wondering how long it would take to crack a 15 digit password? Some sites online suggest a very very long time. ^SR
— British Airways (@British_Airways) October 18, 2017
And this is not the first time I’ve seen this argument, which seems to give companies an excuse to impose short-length passwords on users, without understanding how those users may actually want to set a password up.
Password generators are great, but their long, randomised strings of characters are really difficult to remember, and harder still to type in somewhere you don’t have a password manager to hand (think of the next time you have to type your Netflix password into your TV via a remote control – do you want a randomised password, including symbols?). So, one way of creating a great, secure password is to use words. Indeed, the generator in 1Password will already do this, so you can create passwords such as ‘yarrow-partaken-bayonet-unhitch’. Nobody is going to guess that. Add some numbers and symbols for good measure and you’ve got a secure password which can be easily typed in elsewhere.
But that doesn’t fit within 15 characters. In fact, 1Password won’t even generate a word-based password that short (it goes by words rather than letters, the minimum is 3 words, and 3 words are rarely under 15 characters). So, are BA right? Yes, even 12 characters, completely randomised (INCLUDING SYMBOLS), is pretty uncrackable. But if a user wants to use a word-based method then this is no longer the case. And why shouldn’t we? In fact, why shouldn’t we be allowed to have a 50-character string of randomised characters if we wish? What’s stopping BA from actually doing that?
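As an added illustration (not code from the original post or from BA): a small Python sketch that encodes the rules the post describes, including the undocumented 15-character cap, beside an assumed corrected policy, and computes the guessing entropy of the password styles discussed. The policy values and the guess rate are assumptions for the comparison.

```python
import math
import re

# Constructed policies. BA_POLICY models what the post describes: a documented
# minimum of 6 with letters and digits, no symbols, plus an undocumented cap of 15.
# FIXED_POLICY is an assumed corrected policy, not anything BA has published.
BA_POLICY = {"min_len": 6, "max_len": 15, "letters_and_digits": True, "allow_symbols": False}
FIXED_POLICY = {"min_len": 12, "max_len": 128, "letters_and_digits": False, "allow_symbols": True}


def check_password(pw: str, policy: dict) -> str:
    """Return 'ok' or the reason the password is rejected under the policy."""
    if len(pw) < policy["min_len"]:
        return "too short"
    if len(pw) > policy["max_len"]:
        return "too long"  # the silent rejection the post ran into
    if not policy["allow_symbols"] and not pw.isalnum():
        return "symbols not allowed"
    if policy["letters_and_digits"] and not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        return "needs letters and digits"
    return "ok"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random choice: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def crack_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to search half the keyspace at an assumed offline guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    passphrase = "yarrow-partaken-bayonet-unhitch"  # the post's example
    for name, policy in (("BA", BA_POLICY), ("fixed", FIXED_POLICY)):
        print(f"{name:5} {passphrase!r}: {check_password(passphrase, policy)}")
    # 62 = letters and digits, 95 = printable ASCII, 7776 = a diceware-style word list
    for label, length, alphabet in (("6 chars, letters+digits", 6, 62),
                                    ("15 chars, letters+digits", 15, 62),
                                    ("12 chars, printable ASCII", 12, 95),
                                    ("4 random words", 4, 7776)):
        bits = entropy_bits(length, alphabet)
        print(f"{label:26} {bits:6.1f} bits  ~{crack_years(bits):.3g} years")
```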
The thing is, excuses such as the one being used by BA are not there because they think we’re secure as we are, but because they’ve imposed an arbitrary limit, for no particular reason, and are now scrabbling around for excuses to justify it.
In a world where data leaks are ever-present, why are companies trying to impose limits on how secure we can be? Maybe once they have their own house in order we can discuss such things. But, right now, BA allow you to set a 6-character password of numbers and letters, which is certainly not good enough. That minimum length needs to be longer and they need to accept symbols as well. Then, maybe, we can argue about maximum lengths.