In what must be a first, a man in Shrewsbury, England was stopped by his online bank from using passwords that criticised the institution to access his account.
Angry with Lloyds TSB over travel insurance that was offered with the account, he changed his banking password to "Lloyds is pants" (an insult in the UK) only to discover that it had been changed to something else by the bank without discussion.
He then tried to change it to "Barclays is better" and "Lloyds is rubbish" only to have those options ruled out on the basis of their content. The bank also stopped him from using the word "censorship", which is four letters longer than the stipulated minimum of six letters and 48 bits long if used without upper and lower case or letter substitution. Incredibly and quite wrongly, the bank said no to this too.
"Barclays is better" is actually 110 bits while "Lloyds is rubbish" comes in at 104, thanks partly to the inclusion of spaces.
The bank's obvious security no-no was to change the password at all - that should only be done by the customer. The bank would have a case in asking the man to change his password if it had been deemed insecure, but on that basis they might have to do the same for millions of others.
The bank has since apologised. "It is very disappointing that he felt the need to express his upset with our service in this way. Customers can have any password they choose and it is not our policy to allow staff to change the password without the customer's permission."
Is this the same Lloyds TSB that once set out to pioneer security access to online accounts using two-factor authentication tokens? Of course, that doesn't stop some idiot in the 'ultra-secure' call centre from getting a bit frisky with the customers after too much bad office coffee...