You would be wrong, at least in the case of Fidelity.com.
My ex-employer set up Fidelity accounts for employees to handle things like stock options, employee stock purchase plans (ESPP), 401(k) plans, etc. It's a nice benefit. But I ran into something there that is a great example of a really bad password implementation.
When you create a password at Fidelity.com, the site will tell you that it must meet these criteria:
- Use 6 to 12 letters and/or numbers
- Do not use one entire piece of personally identifiable information such as your Social Security number, telephone number, or date of birth. Instead, alter or disguise it (e.g., Jane212Smith)
- Do not use more than 5 instances of a single number or letter, or easily recognized sequences (e.g., 12345 or 11111)
- Do not use symbols, punctuation marks, or spaces (e.g., #, @, /, *, -)
These rules make it sound as though there are 62 possible characters (a-z, A-Z, and 0-9) for each password position. With 6 to 12 characters allowed, there would be 62^6 + 62^7 + ... + 62^12 possible passwords, which works out to about 3.3 x 10^21 (somewhat smaller if the third rule is actually enforced). That's a big number, but it could be much larger, if only Fidelity.com would drop the last rule and allow symbols.
However, I discovered today that the situation is actually far worse than it looks. Fidelity.com asks for your password if you call them – they have you enter it via the touch-tone keypad on your phone. That means, for example, that if your password's first character is "5", "j", "J", "k", "K", "l", or "L", you press the "5" key. As far as the phone channel is concerned, then, a Fidelity.com password is really nothing but a string of the digits 0-9: the letters, and their case, add nothing that an attacker calling in would have to guess.
I have verified this. My actual Fidelity.com password is composed of both letters and numbers. I converted all the letters to the touch-tone keypad equivalent digit, and entered my password as all numbers – and it worked just fine.
That means that the number of passwords the phone channel can actually tell apart is much smaller than even Fidelity.com's inadequate password criteria would suggest: 10^6 + 10^7 + ... + 10^12, which works out to about 1.1 x 10^12. For the math-challenged amongst my readers, that's roughly 3 billion times weaker than the 62-character keyspace the rules advertise.
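To make the arithmetic concrete, here is an added example (my own code, not anything from Fidelity.com) that computes both keyspaces, collapses a password to the digit string the phone keypad actually checks, and counts how many distinct web-form passwords collide onto that one digit string. It assumes the standard ITU E.161 keypad layout (2=ABC ... 9=WXYZ, with no letters on 0 and 1) and that the phone channel accepts any length from 6 to 12 digits; the sample password is Fidelity's own "Jane212Smith" from the rules above.

```python
"""Keyspace arithmetic for a password policy whose phone channel accepts the
touch-tone keypad digit of each letter in place of the letter itself."""
import string

# Standard ITU E.161 telephone keypad letter groups (assumed layout).
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}

MIN_LEN, MAX_LEN = 6, 12                        # lengths the policy allows
ALNUM = string.ascii_letters + string.digits    # the 62 symbols the web form allows


def keyspace(alphabet_size: int, min_len: int = MIN_LEN, max_len: int = MAX_LEN) -> int:
    """Number of distinct strings of length min_len..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def to_keypad(password: str) -> str:
    """Collapse a password to what the touch-tone channel actually verifies.

    Digits pass through unchanged; letters of either case become the digit of
    the key they are printed on. Anything else is outside the policy's alphabet.
    """
    out = []
    for ch in password:
        if ch.isdigit():
            out.append(ch)
        elif ch.upper() in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch.upper()])
        else:
            raise ValueError(f"not a keypad character: {ch!r}")
    return "".join(out)


def collisions(digits: str) -> int:
    """How many distinct web-form passwords map onto this digit string.

    A key carrying letters accepts the digit itself plus each of its letters in
    upper and lower case, so 2-6 and 8 have 7 pre-images each, 7 and 9 have 9,
    and 0 and 1 have only themselves.
    """
    n = 1
    for d in digits:
        n *= 1 + 2 * len(KEYPAD.get(d, ""))
    return n


def weakening_factor() -> int:
    """How many times smaller the digit-only keyspace is than the advertised one."""
    return keyspace(len(ALNUM)) // keyspace(10)


if __name__ == "__main__":
    sample = "Jane212Smith"          # the example from Fidelity's own rules
    digits = to_keypad(sample)
    print(f"advertised keyspace (62 symbols): {keyspace(62):.2e}")
    print(f"phone-channel keyspace (10 digits): {keyspace(10):.2e}")
    print(f"weakening factor: {weakening_factor():,}")
    print(f"{sample!r} is entered as {digits!r}; "
          f"{collisions(digits):,} web passwords collide onto it")
```

The last line is the practical lesson: "Jane212Smith" shares its keypad digits with about 2.5 billion other policy-compliant passwords, and the phone system accepts every one of them. A password's strength is set by the weakest channel that verifies it, not by the most restrictive form on the website.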
Epic fail, Fidelity.com. Epic fail. Shame should be upon your countenance...