
Friday, August 10, 2012

Why My Netflix Password is My Weakest Password!

EDIT: Had the occasion to change my Netflix password again recently. To my surprise, they now allow up to 60 characters. My Netflix password is no longer my least secure password!..

I just spent the last hour and a half updating all of my passwords. Not a favorite task of mine, but something that definitely needs to be done occasionally. The task was pretty uneventful, but something really annoyed me, so I thought I would share. While updating my Netflix password, I got the following error.
Netflix “Your password must contain between 4 and 10 characters”
The Hell You Say!!!
I was able to enter my new password into EVERY site that I tried, except for Netflix. Every bank, utility and online service accepted my password, but for some silly reason Netflix requires users to enter a password with a length of 4-10 characters.
I definitely understand setting a minimum password length to force a standard for password strength, but why would you ever impose a maximum length on users? Rather than being able to enter my strong password of 14 characters, I have to shave off the last 4 just to conform to Netflix’s password rules. My password is now weaker and I’m much more likely to forget it because I was forced to make it different from all my others. *sigh*
And that is why my Netflix password is my weakest password.
Netflix Fail
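To make the minimum-versus-maximum argument concrete, here is an added example (my code, not anything from the post or from Netflix) of a password-acceptance check and a storage routine: the 4-to-10 rule quoted above beside a constructed policy whose only upper bound exists to cap hashing cost. The policy names, the 12/128 limits and the iteration count are my assumptions.

```python
import hashlib
import hmac
import math
import os
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_len: int
    max_len: int  # a ceiling should only bound per-login hashing work, never strength


# The rule the post quotes from the 2012 Netflix password form.
NETFLIX_2012 = PasswordPolicy("netflix-2012", 4, 10)
# Constructed for this example: a real floor, and a ceiling far above any
# password a person would type from memory. 128 characters just keeps a
# malicious megabyte-long "password" from tying up the slow hash below.
SANE = PasswordPolicy("sane", 12, 128)


def check_password(password: str, policy: PasswordPolicy) -> Tuple[bool, str]:
    """Return (accepted, reason); length is counted in characters, as the Netflix message does."""
    n = len(password)
    if n < policy.min_len:
        return False, f"too short: {n} < {policy.min_len}"
    if n > policy.max_len:
        return False, f"too long: {n} > {policy.max_len}"
    return True, "ok"


def strength_bits(length: int, alphabet_size: int = 95) -> float:
    """Upper bound on entropy of a uniformly random password over printable ASCII."""
    return length * math.log2(alphabet_size)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Cost is set by the iteration count, not by
    password length, so accepting a 14-character password costs the server nothing extra."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)
```

Shaving the post's 14-character password down to 10 drops the best-case search space from roughly 92 bits to roughly 66 bits, and the hashing routine shows the longer one would have been no more expensive to store.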

4 comments:

Anonymous said...

It doesn't make a lot of sense, especially since sensitive bank information is stored on the service. Also, I think you should use a different password for each site, and at least for your bank especially. Take a look at 1password or other password managers if you find it hard to remember lots of different passwords.

Paul Fox said...

I have different passwords for every site, but they're built off the same base password. I do use KeePass and would use 100% generated passwords, but it's sometimes nice to be able to type passwords directly into a mobile device from memory rather than using an app.

Either way, whatever password strategy you use is complete garbage if service providers (like Netflix) constrain the maximum length of your password. It's just plain silly IMHO.

Unknown said...

tbh, enforcing a maximum password length has forced you to use a different password on your netflix account. Be happy in the knowledge that whenever Netflix gets hacked and loses their db, the password you have there will be different to the password you use everywhere else (i.e. the attacker cannot log into your gmail or something equally devastating)

However, be less happy in the knowledge that your password on every other site is the same and if that password ever gets leaked, regardless of how long it is, you're screwed.

Face facts, you need to use a different password on every site.

Take the site URL and use it as part of your password.
i.e.
first domain name character (b)
random letter (X)
second domain name character (l)
random number (9)
TLD (couk)
total characters in domain name (8)
so your password is:
bXl9couk8

Obviously you want it to be longer, but in all reality that will survive a dictionary attack, will take a while if it's brute forced, and even if it is leaked it can't be used on another website, and you will always be able to remember it (so never need to use a service like LastPass and put all your eggs in one basket).

Paul Fox said...

Thanks for the great comment. It's great advice and I'm sure many users will find it very helpful!

Fortunately, I already do something very similar with all my passwords. Unfortunately, the Netflix password length limit still makes it my least secure password. While you give a lot of great advice, you still don't address the point that forcing a password length limit of 10 characters makes for an overall less secure password...