I asked a friend to send me money for a ticket the other day via PayPal or in person. They sent it via Chase QuickPay an app that lets Chase customers send money to an email address or phone number. I was mildly annoyed but remembered that I tried to make him use PayPal which no one should be forced to use.

Of course retrieving my money from Chase became completely obnoxious since I first had to create an account. I’m not excited about creating another account with a financial institution that I will probably use once and then forget the credentials. Here are the account sign up requirements:

Your User ID:

– Must be between 8-32 characters in length
– Must contain at least one letter and one number
– Cannot be the same as your Password
– Cannot include special characters (&,%,*, etc.)

Your Password:

– Must contain 7-32 characters
– Must include at least one number and letter
– Cannot easily be guessed by others
– Cannot include special characters (&,%,*, etc.)
– Cannot be the same as your User ID

For your protection, you must create a new Security Code. We’ll ask you to provide it if you call Customer Service for assistance or to reset your Password on Chase.com. Your Security Code:

– Must contain 6-10 characters
– Must include at least one number and one letter
– Cannot include special characters (&,%,*, etc.)
– Cannot be the same as your User ID
– Cannot be the same as your password

Now the first troubling thing was that you must have at least one number in your username. Traditionally, usernames are public so applying a password style policy to them just makes them frustrating to the end user. Guess what digit I picked and where I put it.

Second, the shortest username is longer than the shortest possible password. The point of longer passwords is to increase the number of possible passwords an attacker has to guess. The point of longer usernames is…

Next up: no special characters anywhere. Special characters increase the overall character set in passwords and using them is generally a good idea since a smart attacker will go after simpler number and letter combinations first. Not including special characters is lazy and telling. It shows that you don’t trust your own programmers to write code capable of properly sanitizing input.

Finally, the “Security Code” has the smallest number of possibilities of any field. It can be the shortest at only 6 characters and has a maximum of 10 characters. This field is verified by Customer Service, so why not have the person write their own lengthy passphrase?

I guess the most secure aspect of this entire service is that there’s no chance I’ll remember these credentials the next time I try to use it. I’ll just reset it using my email address protected by 2-factor authentication.