Password Complexity

This looks like a really old post (I mean, it's from 2006 for goodness sake). Stay for the retro vibes but be aware any information in this post is likely way out of date.

It’s that time of year again and I’m on the hunt for a good car insurance deal. Not wanting to repeatedly add my details into a dozen or so sites I thought I’d make use of one of the many comparison sites to do the leg-work for me. All good so far, until I had to create a password to go with my personal information. Now most sites stipulate a password between say 6 and 12 characters, sometimes requiring letters and numbers if they’re being conscious about security. Not so No, they require exactly 8 characters, letters and numbers, and no characters to recur more than twice. I have to say I was hard-pressed to come up with a password that I’d remember which matched these tight requirements. This coming at the end of a long form-filling exercise is not the best way to garner repeat customers.

Ironically I now can’t find anywhere on their site to retrieve a saved quote.

[Image: Browser alert box which says your password must contain exactly 8 characters and a whole lot of other complex rules]

Not only that but their form validation only validates one field at a time, meaning that if you miss a couple of required fields you can end up having to resubmit the same form several times.

Thank goodness this is a once-per-year event.

Response from insuresupermarket

Andy Haigh, Insuresupermarket Product Manager, kindly responded to this post:

Adam, I agree with your concern over the password complexity that we use on our Motor Insurance site. In fact we have recently been making changes to improve this and this will be going live very soon now. However, let me explain why we have such tight constraints on our password and what it is used for:

We use the password that the user enters for 2 reasons:

  • for the user to retrieve their saved quote from some of the insurers' sites
  • we also email you a link to our results quote page and the password is used by the user to access this

The issue that we face as an aggregator is that the insurers use a range of constraints on their password validation. This means that the password our user selects needs to meet the password constraints of ALL the insurers where we pass through the password from our site to the insurers' sites. It would be much nicer if the insurers used a common set of validation rules.

The improvements to the password question went live yesterday (16 Nov). We now just use the password so that the user can retrieve their emailed results.
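
The constraint problem described in the response above, and the one-field-at-a-time validation complaint, as an added example that is not code from the post or from insuresupermarket. The three insurer policies are constructed for illustration, and the letters-and-digits-only alphabet is an assumption; merged, they produce the "exactly 8 characters" rule and show how much search space the intersection gives up.

```javascript
// Constructed sample policies; not any real insurer's rules.
const insurerPolicies = [
  { name: "insurer-a", minLen: 6, maxLen: 12, needLetter: true,  needDigit: true,  maxRepeat: Infinity },
  { name: "insurer-b", minLen: 8, maxLen: 10, needLetter: true,  needDigit: false, maxRepeat: 2 },
  { name: "insurer-c", minLen: 4, maxLen: 8,  needLetter: false, needDigit: true,  maxRepeat: 3 },
];

// A password passed through to every insurer must satisfy the strictest value of each rule.
function intersectPolicies(policies) {
  const merged = {
    minLen: Math.max(...policies.map(p => p.minLen)),
    maxLen: Math.min(...policies.map(p => p.maxLen)),
    needLetter: policies.some(p => p.needLetter),
    needDigit: policies.some(p => p.needDigit),
    maxRepeat: Math.min(...policies.map(p => p.maxRepeat)),
  };
  if (merged.minLen > merged.maxLen) throw new Error("policies cannot all be satisfied");
  return merged;
}

// Collect every violation in one pass so the user is not forced to resubmit per error.
function validatePassword(pw, policy) {
  const errors = [];
  if (pw.length < policy.minLen || pw.length > policy.maxLen) {
    errors.push(policy.minLen === policy.maxLen
      ? `must be exactly ${policy.minLen} characters`
      : `must be ${policy.minLen} to ${policy.maxLen} characters`);
  }
  if (/[^A-Za-z0-9]/.test(pw)) errors.push("letters and numbers only"); // assumed alphabet
  if (policy.needLetter && !/[A-Za-z]/.test(pw)) errors.push("must contain a letter");
  if (policy.needDigit && !/[0-9]/.test(pw)) errors.push("must contain a number");
  const counts = {};
  for (const ch of pw) counts[ch] = (counts[ch] || 0) + 1;
  if (Object.values(counts).some(n => n > policy.maxRepeat)) {
    errors.push(`no character may appear more than ${policy.maxRepeat} times`);
  }
  return errors;
}

// Upper bound on search space in bits for a 62-symbol alphabet (ignores the
// class and repeat rules, which only shrink it further).
function keyspaceBits(policy) {
  let total = 0;
  for (let len = policy.minLen; len <= policy.maxLen; len++) total += Math.pow(62, len);
  return Math.log2(total);
}
```

With these inputs the merged policy allows roughly 48 bits of search space at most, against roughly 71 for the most permissive insurer on its own.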