Bureau of arcane password policies

WTF? AT&T’s profane-password ban lets some swears through

If no one's supposed to see your passcode, why does it matter?

No, it's not an April Fool's prank. AT&T really is forbidding passwords that contain obscene language. Or at least that's what the company's password reset page says.

AT&T's policy barring obscene passwords is surprising because it's completely unnecessary, even for a company that bends over backward not to offend even its most modest customers or employees. If workers are following standard industry practices, passcodes will never be shared with customer support representatives or engineers, either verbally or in e-mails. Instead, plain-text strings such as "shittypolicy" will be cryptographically hashed into strings such as "eaf6f87e9d009cd3c713e6533ce8b15ac9ed2009" that in theory can't be mathematically reversed. Sure, it's a good idea to block the use of expletives, but that has nothing to do with their potential to offend. The reason to bar them is that they're generally so short and so widely used that they're easily cracked.

When AT&T's policy came to light over the weekend, Ars assumed it was an April Fool's-motivated hoax. An AT&T spokesman still hasn't delivered a requested statement, but the screenshot posted above suggests the reports are true.

Interestingly, the admonition seems to be poorly enforced. Ars was able to choose passwords that contained several naughty phrases, including "Fuck_4_Duck" (minus the quotes) and "Fuck_Shit_Penis," the latter of which AT&T rated as an "excellent" password choice. The strings "shit," "fuck," and "fucker" were blocked, but only on the grounds that they were weak, since they contained fewer than six characters or didn't contain a mixture of numbers, upper- and lower-case letters, and symbols. Even so, the passcodes "fucker1" and "fuck3r" worked just fine. Go figure.
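The behaviour above is what an exact-match denylist produces: a listed word is rejected only when the whole password equals it, so a digit or symbol appended to it slips through. The following is an added example, not AT&T's code, contrasting that exact-match check with a substring check over a normalized password; the six-character/two-class composition rule and the short denylist are assumptions constructed to mirror what the article observed.

```python
import re

# Constructed sample denylist standing in for the "thousands of words" AT&T describes.
COMMON_WORDS = ["password", "letmein", "qwerty", "fucker", "fuck", "shit"]

# Leet-speak substitutions that wordlist mangling rules try first; candidates are
# normalized through this table before the denylist comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def meets_composition_rules(pw: str) -> bool:
    """Assumed reading of the article's weakness rules: at least six characters and
    at least two of the four character classes (lower, upper, digit, symbol)."""
    if len(pw) < 6:
        return False
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 2


def normalize(pw: str) -> str:
    """Lower-case, undo common leet substitutions, drop everything but letters."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def exact_match_policy(pw: str) -> str:
    """The policy as the article observed it: composition rules plus a denylist that
    only rejects a password equal to a listed word."""
    if not meets_composition_rules(pw):
        return "rejected: weak"
    if pw.lower() in COMMON_WORDS:
        return "rejected: common word"
    return "accepted"


def substring_policy(pw: str) -> str:
    """Hardened variant: same composition rules, but the denylist is matched as a
    substring of the normalized password, so digits or symbols bolted onto a listed
    word ('fucker1', 'fuck3r') no longer evade it."""
    if not meets_composition_rules(pw):
        return "rejected: weak"
    norm = normalize(pw)
    for word in COMMON_WORDS:  # list order puts the longer variant before its stem
        if word in norm:
            return f"rejected: contains common word '{word}'"
    return "accepted"


if __name__ == "__main__":
    for candidate in ["fuck", "fucker1", "fuck3r", "Fuck_Shit_Penis", "Correct_Horse_7"]:
        print(f"{candidate:16} exact={exact_match_policy(candidate):24} "
              f"substring={substring_policy(candidate)}")
```

Substring matching trades the evasion problem for over-blocking (the article's own "shittypolicy" would be rejected for containing "shit"), so on a real system the denylist of short stems needs pairing with a length floor rather than being used alone.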

Update: About 40 minutes after this article was published, an AT&T representative sent Ars the following statement:

To protect our customers, AT&T maintains a list of words that cannot be used as passwords because they are too commonly used, and therefore too easily guessed by third parties. That list includes, among thousands of other words, several that are obscene. They are therefore excluded from use in passwords not because they are obscene, but because they are commonly used. That said, the password instructions indicating that we don't allow obscene words to be used in passwords are unclear, so we are working to clarify them. Obscene or not, we recommend customers avoid common words when creating passwords.
