I recently discovered that the password for my alarm.com account was not case sensitive when I typed it in with the CAPS LOCK on accidentally. I was disappointed to see a major security company using sub-standard password complexity especially when your login can be used to disarm your alarm and even unlock doors if setup. I sent a note directly to alarm.com, but I figured I’d see if you guys at SuretyCAM had any pull to make a suggestion as a partner of theirs.
I’d love it if I could use a password over 15 characters, and have it require at least three out of the four of the following: uppercase, lowercase, numbers, and special characters.
Well I’ll be a monkey’s uncle! (I’ve never actually said that before and I’ve been looking for an excuse)
I did not realize that myself, I just assumed that they were case sensitive and I’ve never intentionally typed mine with the wrong case. I agree, they should be case sensitive. I come from a Unix/Linux background where even file names are case sensitive, let alone passwords!
I’ll ask around about it and try to find out the reason why. Of course, whatever reason given will be wrong. The best I can do is try to get an explanation and try to make a “case” to change it.
I don’t know of limitations other than total length with regard to using special characters. I use special characters for most passwords, and would definitely recommend variation beyond base requirements. Unfortunately I think it is an issue of requirements being lowered to avoid more forgotten passwords.
That said, case sensitivity should definitely be implemented.
Intrigued by this topic, I’ve been doing some reading on the value of case insensitivity in passwords and I may have been swayed that it actually does make more sense to use case insensitive passwords, even for Alarm.com. It appears that you achieve the same password strength increase by adding 1 or 2 characters of length as you do by using a case sensitive character set.
In my brief research the consensus seems to be that case sensitivity isn’t that big a deal. Alarm.com would be better served by allowing a few more characters in a case insensitive character set than they would by using a case sensitive character set and it seems reasonable that it helps prevent a lot of frustration for customers who don’t remember which case they used when they created their password.
I agree that case sensitive is more secure than case insensitive but I’m not so sure they made the wrong decision. Maybe they should increase the minimum password length to 12 and the maximum to 32?
Thanks Ryan! I’ll let you know if they reply to my email as well.
Jason, I agree. I use special characters everywhere allowed. Alarm.com does allow them to be used.
I have been reading about some sites that have password limits and they basically store the password in a database in clear text and the length is set with a simple varchar(12) setting. I’d hope that alarm.com is storing the passwords encrypted with a salted hash.
