NSA’s own website won’t accept passwords longer than 12 characters

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Want a job at the NSA?

Be aware that they don’t like it if your password is longer than 12 characters:

NSA password limit

Okay, so this is just the careers portal part of the NSA’s website. It doesn’t mean that everything at the NSA is protected by a password of 12 or less characters. But it’s not exactly the finest example to set for others, is it?

Sign up to our free newsletter.
Security news, advice, and tips.

I checked it out for myself, and had to raise an eyebrow at the following pop-up message that the NSA’s website displayed:

NSA secured

It’s good to see that the NSA are using HTTPS/SSL to protect our private information in transit. Oh, wait… hang on a minute…

As Martijn Grooten points out, this “may be a rare case in which there’s really no one but you and the site who sees your traffic.”

A cynic might suggest, of course, that all the NSA are doing is encouraging people to use shorter, weaker passwords for perfectly understandable reasons.

Hat-tip: @tdhopper


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “NSA’s own website won’t accept passwords longer than 12 characters”

  1. Surely the example they *want* to be setting to others is "Please make your passwords as hackable as possible"? So this is ideal.

  2. Paul

    Ahhh… memories…

    http://www.theregister.co.uk/2013/03/27/gchq_plain_text_password_reminder/

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.