That’s the Same Combination I Have on My Luggage!

Quick, which service do you think has the strictest password requirements I’ve ever encountered? My bank? Mutual funds? My law firm network login? Credit cards? PayPal? Email providers? Configuring my home server for remote access? Electronics sites like newegg.com and amazon.com? Westlaw and Lexis?

No. Not any of those. There is a service that, judging by its password requirements, contains either information far more sensitive or capabilities far more powerful than any of these. It’s…

the Electronic Copyright Office, or eCO. eCO allows you to, get this, register copyright claims. So naturally, a power that awesome must be adequately protected from doppelgängers posing as registered users, through the use of rigorous password restrictions:

Each person using the Electronic Copyright Office System, eCO, must comply with the following:

  • Minimum password length must be 8 characters and consist of at least 2 alpha characters, 1 number and 1 special character (but not an ampersand – &).
  • A password must have no consecutive repeated characters.
  • A password must not include your user name or any part thereof.
  • A password must not include the names of a spouse, children, pets or one’s own name.
  • A password must not include any regional sports teams or players.
  • A password must not include any office symbols.
  • A password must not include your social security number or any subset of your social security number that is more than a single number.
  • A password must not include words that can be found in any dictionary, whether English or any language.
  • A password must not be any of the 11 most recently used passwords for the account.
  • Every user with an account on a Library of Congress system including eCO is responsible for safeguarding access to that account.
  • A password must not ever be shared with anyone.
  • An account owner can change his or her password at any time, but at a maximum of once per day.
  • An account owner must change his or her password when prompted by the system.

I’ve highlighted a few of the requirements that make registering with eCO particularly challenging. Think of the passwords you use the most often. How many of them meet all of these requirements? Are you sure there are no repeated characters? If you guess wrong, you must wait for the system to think about it, and then fill out the entire registration form again. And again. And again. I think it took me at least five minutes to register an account.

Oh yeah, and once you’ve got one good password, you only need eleven more to make it through the forced rotation.
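
The mechanically checkable rules from the list above, written as a checker that reports every broken rule in one pass instead of one rejection per form submission. This is an added example, not eCO's code; the function names, the reading of "special character" as any non-alphanumeric other than `&`, the 3-character minimum for a "part" of the user name, and the salted-hash history format are assumptions, and the rules that need outside data (names, sports teams, dictionaries, SSN) are left out.

```python
import hashlib
import hmac
import re

HISTORY_DEPTH = 11   # "the 11 most recently used passwords"
MIN_NAME_PART = 3    # assumption: a "part" of the user name is 3+ characters

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest, so the history never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def violations(password: str, username: str, history=()) -> list[str]:
    """Return every listed rule the password breaks (empty list = accepted).

    history is a sequence of (salt, digest) pairs, oldest first.
    """
    problems = []
    if len(password) < 8:
        problems.append("length")
    if sum(c.isalpha() for c in password) < 2:
        problems.append("alpha")
    if not any(c.isdigit() for c in password):
        problems.append("number")
    # Assumption: "special" means any non-alphanumeric character except '&'.
    if not any(not c.isalnum() and c != "&" for c in password):
        problems.append("special")
    if "&" in password:
        problems.append("ampersand")
    if re.search(r"(.)\1", password, re.DOTALL):
        problems.append("repeat")
    user, lowered = username.lower(), password.lower()
    parts = {user[i:i + MIN_NAME_PART] for i in range(len(user) - MIN_NAME_PART + 1)}
    if not parts and user:
        parts = {user}   # user name shorter than MIN_NAME_PART: test it whole
    if any(p in lowered for p in parts):
        problems.append("username")
    # Only the newest HISTORY_DEPTH entries count; constant-time comparison.
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt), digest):
            problems.append("history")
            break
    return problems

if __name__ == "__main__":
    salt = b"constructed-salt"   # constructed sample data, not a real account
    old = [(salt, hash_password("Tr7!kq9#Lm", salt))]
    print(violations("password", "jdoe"))
    print(violations("Tr7!kq9#Lm", "jdoe", old))
```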

(And yes, in case you’re wondering, the reason why I’ve recently stumbled upon this is that I’ve registered my most recent articles. Practice what you preach, and all that.)

Cross-posted at Madisonian.net.

This Post Has 2 Comments

  1. Mathew D Pauley

    Best. Blog. Post. Title. Ever.

    Sorry it took so long to register. At least all the air on Planet Druidia is safe.

  2. Tom Kamenick

    I think it was Microsoft that recently actually tested the efficacy of password requirements and found that beyond a (fairly low) point, the requirements (especially frequently having to change them) decreased security because nobody could remember them so they stuck them on a post-it note or saved them in a file (or worse, email) somewhere.
