Topic # 83137 11-May-2011 11:00

Here is a little rant I am sure many here understand.

Why is it that websites restrict the password field as much as they do?

Latest experience has been with the TelstraClear Customer Zone portal. "The password must be between 7 and 8 characters and contain no spaces." The no spaces requirement I can understand. Most websites can't seem to manage passwords containing spaces which shouldn't actually be a problem but that is another rant.

But, 7 and 8 characters... Why, for the love of all that is sane, would that restriction be necessary? I am by no means a database expert, but I am sure that storing passwords that are a little longer than that would be feasible, wouldn't it?

I feel the same way about most banks, Kiwibank & WestPac are the exceptions that I know of. Surely encouraging security by allowing any characters and lengthy passwords should be normal practice.

Reply # 467861 11-May-2011 11:02

I would say passwords greater than 7 characters would be fine, but 7-8, that's just ridiculous.

Phil Gale
Reply # 467863 11-May-2011 11:03

Often it's caused by interfacing with older legacy systems which don't handle passwords well. Sometimes it's just plain obtuse security policies.

My pet peeve with this is with BNZ, they force us to use their netguard card system (which I hate) in the name of security. While at the same time having a max length on internet banking passwords of 8 characters.

I would have a more secure password if they would let me.

Reply # 467864 11-May-2011 11:04

Limiting the password to 7-8 characters is probably one of the worst security ideas ever. Firstly, if people don't tend to use a password that long/short then it means it will be written down on a sticky note next to the computer in plain view.

Secondly that makes a brute force or timing attack far quicker, reducing the time taken to crack a semi-hard password from years to hours or less.

Who knows what they were thinking.

Reply # 467868 11-May-2011 11:17

The other problem is poor validation; when signing up for an account with one site I used a password containing an "&". It accepted this when creating the account but wouldn't let me log in with it. It turns out that it truncated the password to contain everything preceding the "&" and nothing after it. Side note: As I was able to get the password emailed to me, they must not be stored using non-reversible encryption!

Reply # 467872 11-May-2011 11:27

I can't believe that 8 characters is enforced on me for my ASB online banking.

It's just stupid.

Reply # 467876 11-May-2011 11:35

8 is usually for an encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.

But making it 7 or 8 means the brute force attacks only have to check all the 7 to 8 character combinations.

Greater than 6 with a numeric and a non-alphanumeric character is usually a pretty good minimum.

Reply # 467878 11-May-2011 11:39

reven: 8 is usually for an encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.


Are you talking about hashing? If so length doesn't matter.  Storing hashes is the right way to store passwords as it's a one way operation. You can't restore a password from a hash, but you can brute force it or check against rainbow tables.

reven: but making it 7 or 8 means the brute force attacks only have to check all the 7 to 8 character combinations. Greater than 6 with a numeric and a non-alphanumeric character is usually a pretty good minimum.


And this is the problem I have.  For a serious banking site, having the bare minimum and not allowing any more than that seems exceedingly stupid.  It wouldn't surprise me at all to find out ASB are actually storing passwords in the clear (or using some sort of two way encryption) and that's what the limitation is.

Tim
Reply # 467881 11-May-2011 11:46

muppet:
reven: 8 is usually for an encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.


Are you talking about hashing? If so length doesn't matter.  Storing hashes is the right way to store passwords as it's a one way operation. You can't restore a password from a hash, but you can brute force it or check against rainbow tables.


Nah, not hashing, encrypting. E.g. RC4.

Reply # 467882 11-May-2011 11:46

muppet: I can't believe that 8 characters is enforced on me for my ASB online banking.

It's just stupid.


What's even more stupid is that it's not case sensitive. That irks me the most!

Reply # 467896 11-May-2011 12:21

I have to agree, maximum password length, at least maximums that aren't particularly large/sane (like, 8!) really aggravate me.

I can certainly make an exception for older legacy systems, but it seems even reasonably modern/sensitive websites still have this limitation. Sure, there may be a legacy system in behind that, but with the risks posed online these days I don't feel all that comfortable about it at times. To me, having a max password length indicates that they most likely are not hashing.

A while back I started using lastpass (password management system), so went around all the websites I have accounts for bar the really major ones (like banking etc) with the intent of changing them all to random character strings as I no longer needed to remember them. I generally went for a length of around 16 characters (sometimes more, sometimes less), but wow, I'm still somewhat amazed by the number of sites that wouldn't allow me to do this as it was 'too long'!

3bit.com
Reply # 467917 11-May-2011 13:17

The ones that irk me are sites that ask for at least one uppercase, one lowercase, one punctuation mark, at least x length, plus it can't have been used before.

You end up with a god awful password you can't remember.  One guy here has his password as "Providerxsucks1!"

Reply # 467933 11-May-2011 14:18

CapBBeard:
A while back I started using lastpass (password management system), so went around all the websites I have accounts for bar the really major ones (like banking etc) with the intent of changing them all to random character strings as I no longer needed to remember them. I generally went for a length of around 16 characters (sometimes more, sometimes less), but wow, I'm still somewhat amazed by the number of sites that wouldn't allow me to do this as it was 'too long'!


+1
Use lastpass too.
Although they have just had a slight security scare.
http://blog.lastpass.com/
But to be honest, my master password is strong enough, so I'm not overly worried about it.
I still feel safer than using the same password for every online account.

Reply # 467936 11-May-2011 14:32

nate: The ones that irk me are sites that ask for at least one uppercase, one lowercase, one punctuation mark, at least x length, plus it can't have been used before.

You end up with a god awful password you can't remember.  One guy here has his password as "Providerxsucks1!"


That is to stop qwerty or 123456 or password or any number of other dumb passwords that an amazing number of people otherwise use.

Reply # 467937 11-May-2011 14:37

dontpanic42:
CapBBeard:
A while back I started using lastpass (password management system), so went around all the websites I have accounts for bar the really major ones (like banking etc) with the intent of changing them all to random character strings as I no longer needed to remember them. I generally went for a length of around 16 characters (sometimes more, sometimes less), but wow, I'm still somewhat amazed by the number of sites that wouldn't allow me to do this as it was 'too long'!


+1
Use lastpass too.
Although they have just had a slight security scare.
http://blog.lastpass.com/
But to be honest, my master password is strong enough, so I'm not overly worried about it.
I still feel safer than using the same password for every online account.


Yeah to be honest I feel quite safe, there's always going to be risks storing passwords but in this case I think they are rather low. As you say, compared to using the same or similar or similarly derived etc passwords across a number of sites, I'll take lastpass any day. Sounds as though they were being overly cautious more than anything, which I've no problem with.

Reply # 467949 11-May-2011 15:16

reven:
muppet:
reven: 8 is usually for an encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.


Are you talking about hashing? If so length doesn't matter.  Storing hashes is the right way to store passwords as it's a one way operation. You can't restore a password from a hash, but you can brute force it or check against rainbow tables.


Nah, not hashing, encrypting. E.g. RC4.


No, you're getting those confused. An MD5 hash takes an arbitrary length and converts it to a 128-bit "unique" hash of the input. That is, the output is always 128 bits.

RC4 is a symmetric crypto algorithm. It generates a pseudo-random number stream (it's called a stream cipher for a reason) that you take and then XOR each bit of your plaintext against.

Things like AES work similarly. If you have 8 bytes of plaintext, you get 8 bytes of ciphertext.
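To put the thread's hashing-versus-encryption point (and the earlier brute-force point) in concrete terms, here is an added illustration that is not code from any poster: a hash digest has the same size whatever the password length, a stream-cipher XOR produces ciphertext exactly as long as the plaintext and is reversible with the key, and the candidate space for an 8-character password is tiny next to a 16-character one. The keystream is a toy SHA-256 counter-mode construction standing in for RC4's pseudo-random stream, and the guess rate is an assumed figure.

```python
import hashlib

def sha256_hex(password: str) -> str:
    """One-way: the digest is always 32 bytes (64 hex chars), so a store
    that hashes has no storage reason to cap passwords at 8 characters."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode) standing in for RC4's
    pseudo-random stream. Illustration only, not a production cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]

def stream_xor(key: bytes, data: bytes) -> bytes:
    """XOR each byte of data against the keystream. Ciphertext length equals
    plaintext length, and the same call decrypts, which is why a site that
    can email your password back is storing it reversibly, not hashed."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))

def keyspace(length: int, alphabet_size: int = 62) -> int:
    """Number of candidates an exhaustive search must cover for passwords of
    exactly this length over a 62-symbol (a-z, A-Z, 0-9) alphabet."""
    return alphabet_size ** length

def years_to_search(length: int, guesses_per_second: float) -> float:
    """Worst-case time in years to exhaust the keyspace at an assumed
    (hypothetical) offline guess rate."""
    return keyspace(length) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    for pw in ("short", "a much longer passphrase with spaces"):
        print(len(pw), "chars ->", sha256_hex(pw))  # both 64 hex digits
    key = b"\x01" * 16                              # constructed demo key
    ct = stream_xor(key, b"Providerxsucks1!")
    print(len(ct), stream_xor(key, ct))             # 16, original bytes back
    print(years_to_search(8, 1e10), years_to_search(16, 1e10))
```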