Cisco Systems, my former employer, has an external-facing website* to allow employees, and others like me that still receive benefits (e.g., insurance) from them, to manage their benefits online. I recently discovered that I didn’t have a username/password for their site, so I requested and received a temporary password via postal mail to establish my online account.
After finding out, by calling their telephone support line, that the temporary username to go with that password is my social security number, I logged in and, as expected, was told that I needed to change my username and password on the site.
I chose and entered a new username and password (twice each) and entered my temporary username and password to authenticate the change. Uncharacteristically, I hadn’t read the fine print, which included:
Apparently they are treating the user ID as somewhat secret, rather than just as an identifier. On the third try, my username change was accepted. But all this time, I was entering my old and new passwords, and as soon as the username was accepted, I got the following message:
Six to nine characters, in this day and age? Eight is a more acceptable minimum, and it’s not clear why there should be a maximum at all. So I shortened my password to nine characters:
Only six to nine characters, AND no special characters allowed? Why didn’t they tell me that before? Maybe I should have chosen a more random username!
At this point I can’t remember how many times I have had to enter my temporary password, but eventually I got a password that was acceptable.
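To make the two complaints above concrete (a rule set that is only revealed one failed attempt at a time, and a 6-to-9-character alphanumeric cap that limits how strong any password can be), here is an added example that is not the site's code: a hypothetical validator that reports every violated rule at once, beside an entropy calculation for the post's "legacy" rules and the "modern" alternative it argues for (minimum eight, no maximum, any printable character). The policy table and passwords are constructed for illustration.

```python
import math
import string
from typing import Dict, List, Optional

# Constructed policy table (illustration only, not the benefits site's real rules engine).
# "legacy" mirrors the rules the post ran into: 6-9 characters, letters and digits only.
# "modern" is the alternative the post argues for: minimum 8, no cap, any printable character.
POLICIES: Dict[str, dict] = {
    "legacy": {"min_len": 6, "max_len": 9,
               "alphabet": string.ascii_letters + string.digits},
    "modern": {"min_len": 8, "max_len": None,
               "alphabet": string.ascii_letters + string.digits + string.punctuation + " "},
}


def check_password(password: str, policy_name: str) -> List[str]:
    """Return every rule the password violates under the named policy.

    Reporting all violations together lets a user fix the password in one go
    instead of discovering the length cap and the character restriction on
    separate failed attempts, as the post describes.
    """
    policy = POLICIES[policy_name]
    problems = []
    if len(password) < policy["min_len"]:
        problems.append(f"shorter than {policy['min_len']} characters")
    if policy["max_len"] is not None and len(password) > policy["max_len"]:
        problems.append(f"longer than {policy['max_len']} characters")
    disallowed = sorted({c for c in password if c not in policy["alphabet"]})
    if disallowed:
        problems.append("disallowed characters: " + "".join(disallowed))
    return problems


def entropy_bits(length: int, policy_name: str) -> float:
    """Entropy of a uniformly random password of this length: length * log2(alphabet size)."""
    return length * math.log2(len(POLICIES[policy_name]["alphabet"]))


def strongest_allowed_bits(policy_name: str) -> Optional[float]:
    """Upper bound on entropy the policy permits, or None when there is no length cap."""
    max_len = POLICIES[policy_name]["max_len"]
    return None if max_len is None else entropy_bits(max_len, policy_name)


if __name__ == "__main__":
    for pw in ["abc123", "Tr0ub4dor&3", "correct horse battery staple"]:  # constructed samples
        for name in POLICIES:
            print(f"{name:6} {pw!r}: {check_password(pw, name) or 'accepted'}")
    print("legacy cap:", round(strongest_allowed_bits("legacy"), 1), "bits")   # about 53.6
    print("modern, 28 chars:", round(entropy_bits(28, "modern"), 1), "bits")  # about 184.0
```

The legacy cap means even a perfectly random nine-character password is limited to roughly 54 bits, while the modern policy lets a longer passphrase reach well beyond that.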
You probably thought that this post was going to be about [In]Security Questions. That, of course, is what came next:
All three challenge questions used the same list of seven prompts, and I would be hard pressed to find three of the above whose answers can't be easily discovered, unless I just make something up. But there's a bright spot: the first question asks whether you want this form of recovery at all. I said "No" and didn't have to do the rest. Hurray! It's much better to do this than to fill in made-up answers and then have to manage, and perhaps lose, them.
So while I would give this site very poor grades for their username/password rules, if they have to have recovery questions at all, making them optional is wonderful.
* To be fair, Cisco contracts out their benefits management, so while it’s a Cisco-branded website, it’s really run by a contractor (Xerox Services, apparently).