I recently signed up with IRD’s (New Zealand’s Tax Department) online Kiwisaver service, so I could view the status of my payments and balance of New Zealand’s voluntary superannuation scheme.
The user sign up form is pretty depressing (and no, not just because it’s about signing up to tax rather than cool stuff):
My first concern is that passwords are limited to a maximum of 10 characters. That is far too short for many good passwords (or, better still, passphrases); any system should accept at least 255 characters without complaint.
Secondly, the “forgotten password phrase” is the most stupid thing I’ve ever seen: it’s basically a second password field. If you forget your password, you can contact them and give them this second password…. except that if you’re stupid enough to forget the first password, how the hell are you going to remember a secondary password that you normally never use?
I’d also love to know how strong the requirements for the secondary password phrase are, because since it gives you access to the account, the account’s security is no stronger than whatever you put in here. And how likely are users to choose something good and secure as their “backup phrase”?
These are some pretty simple security concepts, and I’m a bit dismayed that IRD managed to get them so wrong. At least it shouldn’t be hard to correct….
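To make the two points above concrete, here is an added example (my own illustration, not IRD's code or anything from their sign-up form) of a registration routine that accepts long passphrases and holds the recovery phrase to the same policy and the same hashing as the password, since either secret on its own unlocks the account. The 10-character cap is only kept as a named constant so the two policies can be compared; the minimum length, the scrypt parameters and the `Account` class are assumptions for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed policies for comparison: the 10-character cap described in the post
# versus a ceiling that lets users choose real passphrases.
WEAK_MAX_LENGTH = 10        # what the form allows
SANE_MAX_LENGTH = 255       # the floor argued for above
MIN_LENGTH = 12             # assumed minimum for the example; not from the post


def check_length(secret: str, max_length: int) -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate password or recovery phrase."""
    if len(secret) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(secret) > max_length:
        return False, f"longer than {max_length} characters"
    return True, "ok"


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a slow scrypt digest. The output is a fixed 32 bytes whatever the
    input length, so there is no storage reason to cap passwords at 10 characters."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_secret(secret: str, salt: bytes, expected: bytes) -> bool:
    """Constant-time comparison of a freshly derived digest against the stored one."""
    _, digest = hash_secret(secret, salt)
    return hmac.compare_digest(digest, expected)


class Account:
    """Holds a password and a recovery phrase. Both are subject to the same length
    policy and stored only as salted scrypt digests, because the recovery phrase is
    a second credential, not a hint: the account is only as strong as the weaker one."""

    def __init__(self, password: str, recovery_phrase: str,
                 max_length: int = SANE_MAX_LENGTH) -> None:
        for label, value in (("password", password),
                             ("recovery phrase", recovery_phrase)):
            ok, reason = check_length(value, max_length)
            if not ok:
                raise ValueError(f"{label} rejected: {reason}")
        if password == recovery_phrase:
            raise ValueError("recovery phrase must differ from the password")
        self.pw_salt, self.pw_hash = hash_secret(password)
        self.rp_salt, self.rp_hash = hash_secret(recovery_phrase)

    def login(self, password: str) -> bool:
        return verify_secret(password, self.pw_salt, self.pw_hash)

    def recover(self, phrase: str) -> bool:
        return verify_secret(phrase, self.rp_salt, self.rp_hash)


if __name__ == "__main__":
    passphrase = "correct horse battery staple"   # constructed sample, 28 characters
    print("10-char policy:", check_length(passphrase, WEAK_MAX_LENGTH))
    print("255-char policy:", check_length(passphrase, SANE_MAX_LENGTH))
    acct = Account(passphrase, "a different recovery phrase here")
    print("login ok:", acct.login(passphrase), "recover ok:", acct.recover(passphrase))
```

Running it shows the 28-character passphrase rejected under the 10-character cap and accepted under the 255-character one, and that the recovery phrase is checked separately from the password, so a weak backup phrase would be caught by the same rules instead of quietly becoming the easiest way in.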