Security – or censorship? AT&T bans “obscene” passwords

Most security professionals find passwords to be enough of a pain – given the challenge of remembering multiple, hard-to-guess strings of characters – but now AT&T seems to want its users to keep them clean, too.

A “password restrictions” page for AT&T users has come to light. It says, “The password can’t contain the words ‘password’, ‘admin’, ‘pa$$w0rd’ or other common words. The password can’t contain obscene language.”

It’s not clear what language the U.S. telecom giant deems “obscene”.

The restriction is quite unusual: according to best security practice, no one but users themselves should be able to see a password in plain text, so what it says should be irrelevant. Most security professionals are more concerned with keeping passwords secure than with managing what they say.

The restriction was spotted by Randy Janinda, a security engineer at Twitter, who found the page after AT&T rejected an auto-generated password. Some have speculated the restriction is in place in case users have to deal with customer care by phone. AT&T has not commented.

“Choosing good passwords and protecting them, along with the answers to the questions which reset them, is vital,” says ESET researcher Aryeh Goretsky, in a blog post which outlines the best practice for secure passwords.

Author , We Live Security

  • Nestor Couvertier

    Just change the password and move on.

  • Aryeh Goretsky

    Reminiscent of “Risks of globally filtering mail to IT and security staff”

Copyright © 2016 ESET, All Rights Reserved.