The Nevada DMV’s unusual password requirements

I occasionally share personal experiences on this site when I feel they are of relevance to the class and deal with material we have covered or will cover in the future, but it has to be something of significant consequence for me to break that fourth wall.

As an example, I have trouble with websites all the time. They don’t load, they give me 404/page not found errors, they don’t load properly, but that happens and I don’t chronicle every experience here on the class page. No, it has to be something exceptional if I’m going to tell everyone about it, and this time it’s the DMV that gets to be the target. I had one of the most curious experiences on their website recently, and I think it warrants a post.

I wanted to renew my license online, seeing as going to the DMV is one of the most despised experiences one can have. To be fair, the last time I went to the DMV to take care of a pretty serious issue (expired registration), it was smooth sailing – I was in and out, including getting the car smogged, having it inspected, and getting my new registration all within about two hours. Not too terrible.

Now this is how a DMV should look (from mollybandme.com)

Now this is how a DMV should look (from mollybandme.com)

Even so, I was interested in trying out their not-terribly-new online functionality, but it turns out while going to the actual, physical DMV might be getting better, going online to the DMV is getting worse, at least in this case.

Before I get into it all, I must say their website is far, FAR improved from what it used to be, which was a cluttered mess of links reminiscent of the early days of Yahoo. Yet when it came to renewing my license there were two serious problems: The draconian password requirements, and the fact that the system didn’t tell me what I actually needed to do.

First, the recent celebrity hacking scandal has everyone fired up about password strength, and I’ve even heard a couple of TV commentators saying it reinforces how important it is to have complex, difficult passwords. That’s true to a point, and we’ll talk about that later in the session, but it’s certainly better than an easy-to-crack password.

But in order to have that, you have to let people create them in the first place. The Nevada DMV does exactly the opposite. In what can only be described as an absolutely bizarre set of password requirements, it imposes restrictions that for the life of me I can’t begin to understand. In all my years of being involved in this industry, it is, without a doubt, the weirdest set of limitations I’ve ever seen. Here’s a shot of the webpage, and I’ll walk through it afterwards:

Nevada DMV password restrictions

Nevada DMV password restrictions

First, for what possible reason would you limit the length someone can make their password? The DMV isn’t big enough to argue it would be a storage or maintenance issue, and everyone knows that a longer password is more secure than a shorter one. This is no secret, it’s common knowledge. There are other issues of course, some of which we’ll talk about in this post and others we’ll talk about in class, but a basic rule is longer is better.

Next, they require at least one letter, but notice at the bottom it says “Password is not case sensitive.” What? Having case sensitive passwords (meaning the capitalization of letters in the password matters. For example, a lower-case ‘z’ could not be used in place of an upper-case ‘Z’) makes the passwords more unique, more complex, more difficult to crack, and like the length requirement above is very well known. Why they would limit the length and make them not case-sensitive is beyond me. You can read here about a bank that did the same thing and the response from the author and most commenters is of understandable incredulity.

They require a number, which is fine and a sensible requirement, but right after that they indicate you can only use one of three special characters: @, #, or $. No asterisk, no parens, no ampersand, just those three. As was the case with the previous restrictions I ask the same question again: Why? Why would you limit the types of special characters that can be used when just like before it is common knowledge that they contribute to the complexity of a password?

The whole experience was so strange, and frankly trying to create a password that met these requirements was very difficult, which of course means I’d have to write it down making the whole thing less secure. Unbelievable. Whoever decided on this needs to be strategically reassigned.

Of course, after finally getting through it all, I was presented with this screen:

Good to know

Good to know

Yes, even though I have had the card telling me my license will expire next week sitting on the table for a month, apparently the system that put me through the hell of its password requirements didn’t recognize I actually needed to renew my license in person. Instead, it simply said I had no cards that needed renewal. You can see it says “Click Next to Continue,” and although it’s cut off in the image there was no ‘Next’ to click, only a “Cancel” button. All that for…that. Apparently I have to go in because I need to have my picture taken, which based on my current picture is fine with me.

This was a password creation and system failure of epic proportions, and it shows me that something is seriously wrong over there. The system should not impose such limits on password requirements, and it should be aware I have to go in to renew my license because of the picture and tell me as much.

Having gone through all of this, however, there is something for which I must give them significant credit, that being the option they provide of simply texting ‘dmvhenderson’ (for the American Pacific location) to 347.763.6211, and they text you back a menu of options from which you can choose. You text them your choice, and they automatically place you in line for that function, providing you updates on your wait, your place in line, and how many people are ahead of you without you having to actually be there. They also provide the option for you to text them back for updates or to cancel, and you can even text them that you need more time. Very, very nifty. A screenshot of the texts that I received is below.

Texts from the Henderson DMV, letting me wait in line without actually being there

Texts from the Henderson DMV, letting me wait in line without actually being there

Going Up