Most security professionals have enough to deal with thanks to insecure passwords – but AT&T seems to want its users to keep them clean, too. The “password restrictions” page for AT&T users says, “The password can’t contain the words “password”, “admin”, “pa$$w0rd” or other common words. The password can’t contain obscene language.”
Most security professionals find passwords to be enough of a pain – given the challenge of remembering multiple, hard-to-guess strings of characters – but now AT&T seems to want its users to keep them clean, too.
A “password restrictions” page for AT&T users has come to light which says, “The password can’t contain the words “password”, “admin”, “pa$$w0rd” or other common words. The password can’t contain obscene language.”
It’s not clear what language the U.S. telecom giant deems “obscene”.
The restriction is quite unusual – according to best security practice, no one but users themselves should be able to see a password in plain text, so what it says should be irrelevant. Most security professionals are more concerned with keeping passwords secure, rather than managing what they say.
The restriction was spotted by Randy Janinda, a security engineer at Twitter, who found the page after AT&T rejected an auto-generated password. Some have speculated the restriction is in place in case users have to deal with customer care by phone. AT&T has not commented.
“Choosing good passwords and protecting them, along with the answers to the questions which reset them is vital,” says ESET researcher Aryeh Goretsky, in a blog post which outlines the best practice for secure passwords.