May 7, 2007

Stars “Security” with Passwords

Fredrik Paulsson @ 5:18 am

We went to visit my sister, who just turned 40, this weekend. At 3am or so, it was only the four of us left at the party (us and our cohabs) and she insisted that I show her how to play some poker online. I’m sure that wasn’t the most exciting time for Lori, but we loaded it up anyway. This is not about what I tried to teach my sister. This is about how, because I logged on to Stars from a computer that I’m not sure doesn’t contain keyloggers or other malicious software, the first thing I did when I got home was to change my Stars password. That’s when I made a discovery.

This is Dumb.

I’m not allowed to have a password that doesn’t start with a letter (A-Z or a-z), and they claim it’s for MY security.

That’s pretty dumb.

Now, I don’t think they get a lot of cracked accounts through brute-force attacks (meaning that someone tries password after password until one works). My bet is that the most common ways to get your account stolen are keyloggers or, probably more common than people think, someone looking over your shoulder while you log in. So while password strength isn’t as absolutely important as some would have you think, it’s still added security.

What constitutes a good password? That it’s random. That’s all there is to it: some random combination of ASCII characters in a string of somewhat random length. Here are some monkey-on-the-keyboard passwords:

(nasc 127p8yh

½!Y(å bcvuåh

Jäosac8å

0ä9SC ^J

… etc. These aren’t even very random, because when people “randomly” hit keys on their keyboards, we tend to follow some kind of pattern, subconsciously. For instance, I think it’s pretty unlikely that I’d ever “randomly” start with a blank space. Every such pattern reduces the complexity of the password, because it shrinks the set of passwords an attacker actually has to try.

For instance, did you know that the German WWII crypto machine “Enigma” was cracked in part because the Germans had decided that, for security reasons, the configuration (I’m simplifying this drastically in order to make a point - the crypto geeks who feel like arguing: bite me) was not allowed to be the same from one day to the next. They had to change it. Ironically, this was one of the things that made the code crackable. The mathematicians in England knew that whatever today’s key was, it had to be different from yesterday’s! This reduced the complexity just enough to make the code crackable.

So perhaps you can see what my problem is with Stars’ restriction on what the first character of my password must be. In their attempt to make my password more secure, they’re making it less secure. I don’t find this to be a problem in practice, but the principle of it bothers me.
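To put a number on the “reduced complexity” argument, here is an added Python example (mine, not code from the original post or from PokerStars). It assumes the password alphabet is the 95 printable ASCII characters (including space, since the sample passwords above contain spaces) and that the rule is exactly “the first character must be A-Z or a-z”. It computes the entropy of a uniformly random password with and without that rule, how long an attacker guessing at a given rate would need to exhaust the space, and generates passwords from the operating system’s CSPRNG instead of from a keyboard, since that is what actually gives you randomness:

```python
import math
import secrets
import string

# Assumed alphabet: all 95 printable ASCII characters, space included.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "
# Assumed rule from the post: position 1 may only be A-Z or a-z (52 symbols).
LETTERS = string.ascii_letters


def entropy_bits(length, alphabet=PRINTABLE, first_alphabet=None):
    """Entropy in bits of a password drawn uniformly at random.

    Every position contributes log2(size of the set it is drawn from).
    A rule that confines the first character to a smaller set makes that
    position contribute less; the other positions are unaffected.
    """
    if length < 1:
        return 0.0
    first = first_alphabet if first_alphabet is not None else alphabet
    return math.log2(len(first)) + (length - 1) * math.log2(len(alphabet))


def entropy_loss_bits(length, alphabet=PRINTABLE, first_alphabet=LETTERS):
    """Bits an attacker no longer has to guess because of the first-char rule.

    Independent of length: log2(|alphabet|) - log2(|first_alphabet|).
    """
    return entropy_bits(length, alphabet) - entropy_bits(length, alphabet, first_alphabet)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every password in a space of the given size."""
    return 2.0 ** bits / guesses_per_second


def satisfies_first_letter_rule(password):
    """The rule the post complains about, as a check."""
    return len(password) > 0 and password[0] in LETTERS


def generate_password(length, alphabet=PRINTABLE, first_alphabet=None):
    """Generate a password with secrets (OS CSPRNG), optionally obeying the rule."""
    first = first_alphabet if first_alphabet is not None else alphabet
    chars = [secrets.choice(first)]
    chars += [secrets.choice(alphabet) for _ in range(length - 1)]
    return "".join(chars)


if __name__ == "__main__":
    rate = 1e9  # assumed offline guessing rate, guesses per second
    for n in (8, 12, 16):
        free = entropy_bits(n)
        ruled = entropy_bits(n, first_alphabet=LETTERS)
        print(f"length {n}: {free:.2f} bits unrestricted, {ruled:.2f} bits with rule, "
              f"loss {entropy_loss_bits(n):.2f} bits, "
              f"{seconds_to_exhaust(ruled, rate) / 86400:.1f} days to exhaust at 1e9/s")
    pw = generate_password(12, first_alphabet=LETTERS)
    print(pw, satisfies_first_letter_rule(pw))
```

The loss comes out to log2(95/52), just under 0.87 bits, regardless of length: the rule removes less than one bit, which is why the author is right that it is not a problem in practice and also right on principle, since a rule that cuts the search space can never make guessing harder. Note that the entropy figures only apply to passwords that really are uniformly random; a pattern-following keyboard mash has less, and no formula can recover what the typist’s habits gave away.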


Powered by WordPress - Part of Cardschat.com © 2004-2008.