Urge password policy disclosure from websites you use
Do you still encounter sites that ask you to create an account but give no indication of what password length and character types they require? This happens a lot, and it’s even worse for those of us who try to use long, cryptographically strong passwords: many sites can’t handle long passwords or special characters. The following form letter lets you quickly send a message to the offending site’s webmaster and let them know what’s going on.
When you encounter a site like this, simply navigate to the ‘Contact’ link in their menu and choose the best e-mail address or contact form that they offer.
Replace all instances of “<INSERT X>” with the relevant information.
[Security posture form letter]
Please forward this to the group that maintains the website.
The account creation system at the <INSERT COMPANY NAME> website has a bug. Summary: I use a well-known secure password generator/manager program (e.g. LastPass, 1Password) to create unique passwords for each and every site I use. This process broke down at the <INSERT COMPANY DOMAIN NAME> website. In my opinion, the issues outlined below need attention.
1. Problem 01: Your site does not specify password length and character criteria on the sign-up form. What are the minimum and maximum character counts? What special characters should the password have? What types of characters are required (e.g. 1 uppercase, 3 lowercase, numbers, special characters)?
2. Problem 02: Your website cannot accept a 16-character password made up of mixed-case alphabetical characters. A secure password would also have contained digits and special characters; I attempted only letters. The website appeared to accept my password but then wouldn’t let me log back in. I had to use your password recovery to get things working again. After that I was forced to use a shorter, even less secure, password. The following password was the one that caused the site to reject my subsequent login: <INSERT GENERATED PASSWORD>
Impact: This oversight gives me reason for concern, as it makes me wonder whether the company has a firm security posture. I will not be sending credit card information to this site until I can gain confidence and trust around this matter. Too many companies get their customer database ransacked every day. Your customers’ data should be stored with great vigilance.
I urge you to begin disclosing the password criteria required by your site. It will press your users to use the strongest passwords and make you a good steward of the information they’ve entrusted to you. Please contact me if I can help with anything.
--Athonia
Network Engineer
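As an added example (not part of the original post), here is how a sign-up backend can publish its password policy from the same object that enforces it, and how the symptom in Problem 02 (password accepted at sign-up, rejected at login) arises when a backend silently shortens the password instead of rejecting it. The `PasswordPolicy` and `AccountStore` classes and the `truncate_to` switch are hypothetical, constructed here to reproduce that failure mode beside the corrected behaviour.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    """Declared sign-up rules; one object drives both the form text and validation."""
    min_length: int = 12
    max_length: int = 128  # generous bound so manager-generated passwords fit

    def describe(self) -> str:
        # Human-readable disclosure to print next to the password field.
        return (f"Passwords must be {self.min_length} to {self.max_length} characters; "
                "any printable character, including spaces and symbols, is allowed.")

    def validate(self, password: str) -> list:
        # Return the list of violations; an empty list means the password is acceptable.
        errors = []
        if len(password) < self.min_length:
            errors.append(f"shorter than {self.min_length} characters")
        if len(password) > self.max_length:
            errors.append(f"longer than {self.max_length} characters")
        if not all(ch.isprintable() for ch in password):
            errors.append("contains control or non-printable characters")
        return errors

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    def __init__(self, policy, truncate_to=None):
        self.policy = policy
        # truncate_to simulates a legacy backend that silently cuts the password at
        # sign-up but not at login: the symptom described in Problem 02 (constructed).
        self.truncate_to = truncate_to
        self._users = {}

    def sign_up(self, user: str, password: str) -> list:
        errors = self.policy.validate(password)  # reject loudly instead of mangling
        if errors:
            return errors
        stored = password[: self.truncate_to] if self.truncate_to else password
        salt = os.urandom(16)
        self._users[user] = (salt, _hash(stored, salt))
        return []

    def log_in(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        return hmac.compare_digest(digest, _hash(password, salt))
```

With `truncate_to=8` the 16-letter password from the letter signs up cleanly but can never log in; with truncation removed and the limits published by `describe()`, the same password round-trips.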