Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
Check our new Geekzone Price Comparison web site for electronics prices in New Zealand.


ForumsIT ProWebsites and Passwords


987 posts

Ultimate Geek
Topic # 83137 11-May-2011 11:00 Send private message

Here is a little rant I am sure many here understand.

Why is it that websites restrict the password field as much as they do?

Latest experience has been with the TelstraClear Customer Zone portal. "The password must be between 7 and 8 characters and contain no spaces." The no spaces requirement I can understand. Most websites can't seem to manage passwords containing spaces which shouldn't actually be a problem but that is another rant.

But, 7 and 8 characters... Why, for the love of all that is sane, would that restriction be necessary? I am by no means a database expert, but I am sure that storing passwords that are a little longer than that would be feasible, wouldn't it?

I feel the same way about most banks, Kiwibank & WestPac are the exceptions that I know of. Surely encouraging security by allowing any characters and lengthy passwords should be normal practice.




Workstation: Intel DH67CL ~ i5-2500 ~ 4GB Corsair RAM (x2) ~ Intel X25-M 80GB SSD

Laptop: Dell Inspiron 1564 ~ i5-520M ~ 4.00GB RAM ~ 500GB SATA HDD ~ Win7 Home Premium x64

Common misconceptions.

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2Next
1599 posts

Uber Geek
Inactive user
  Reply # 467861 11-May-2011 11:02 Send private message

I would say passwords greater than 7 characters would be fine, but 7-8, thats just ridiculous.

Phil Gale
1054 posts

Uber Geek

Trusted
Red Jungle
Subscriber
  Reply # 467863 11-May-2011 11:03 Send private message

Often its caused by interfacing with older legacy systems which don't handle passwords well. Sometimes its just plain obtuse security policies.

My pet peeve with this is with BNZ, they force us to use their netguard card system (which I hate) in the name of security. While at the same time having a max length on internet banking passwords of 8 characters.

I would have a more secure password if they would let me.




Red Jungle: we make fantastic software

RSS  Twitter  Facebook  Skype

1255 posts

Uber Geek

Subscriber
  Reply # 467864 11-May-2011 11:04 Send private message

Limiting the password to 7-8 characters is probably one of the worst security ideas ever, firstly if people don't tend to use a password that long/short then it means it will be written down on a sticky note next to the computer in plain view.

Secondly that makes a brute force or timing attack far quicker, reducing the time taken to crack a semi-hard password from years to hours or less.

Who knows what they were thinking.

2977 posts

Uber Geek

Subscriber
  Reply # 467868 11-May-2011 11:17 Send private message

The other problem is poor validation; when signing up for an account with one site I used a password containing an "&". It accepted this when creating the account but wouldn't let me log in with it. It turns out that it truncated the password to contain everything preceding the "&" and nothing after it. Side note: As I was able to get the password emailed to me, they must not be stored using non-reversible encryption!

1126 posts

Uber Geek

Trusted
  Reply # 467872 11-May-2011 11:27 Send private message

I can't believe that 8 characters is enforced on me for my ASB online banking.

It's just stupid.




Checkout the EPIC5 script I work on, LiCe. Makes console based IRC fun and easy to use, just like the old days!

1186 posts

Uber Geek

Trusted
  Reply # 467876 11-May-2011 11:35 Send private message

8 is usually for a encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.

but making it 7 or 8 means the brute force attacks only have to check all the 7 to 8 character combinations.

greater than 6 with at numeric and none alphanumeric number is usually a pretty good minimum




www.reven.co.nz

1126 posts

Uber Geek

Trusted
  Reply # 467878 11-May-2011 11:39 Send private message

reven: 8 is usually for a encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.


Are you talking about hashing? If so length doesn't matter.  Storing hashes is the right way to store passwords as it's a one way operation. You can't restore a password from a hash, but you can brute force it or check against rainbow tables.

reven: but making it 7 or 8 means the brute force attacks only have to check all the 7 to 8 character combinations.   greater than 6 with at numeric and none alphanumeric number is usually a pretty good minimum


And this is the problem I have.  For a serious banking site, having the bare minimum and not allowing any more than that seems exceedingly stupid.  It wouldn't surprise me at all to find out ASB are actually storing passwords in the clear (or using some sort of two way encryption) and that's what the limitation is.

Tim




Checkout the EPIC5 script I work on, LiCe. Makes console based IRC fun and easy to use, just like the old days!

1186 posts

Uber Geek

Trusted
  Reply # 467881 11-May-2011 11:46 Send private message

muppet:
reven: 8 is usually for a encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.


Are you talking about hashing? If so length doesn't matter.  Storing hashes is the right way to store passwords as it's a one way operation. You can't restore a password from a hash, but you can brute force it or check against rainbow tables.


nah not hashing, encrypting.  eg RC4 




www.reven.co.nz

215 posts

Master Geek
  Reply # 467882 11-May-2011 11:46 Send private message

muppet: I can't believe that 8 characters is enforced on me for my ASB online banking.

It's just stupid.


What's even more stupid is that its not case sensitive.  That irks me the most!

124 posts

Master Geek
  Reply # 467896 11-May-2011 12:21 Send private message

I have to agree, maximum password length, at least maximums that aren't particularly large/sane (like, 8!) really aggravate me.

I can certainly make an exception for older legacy systems, but it seems even reasonably modern/sensitive websites still have this limitation. Sure, there may be a legacy system in behind that but with the risks posed online these days I dont feel all that comfortable about it at times.. to me, having a max password length indicates that they most likely are not hashing Frown

A while back I started using lastpass (password management system), so went around all the websites I have accounts for bar the really major ones (like banking etc) with the intent of changing them all to random character strings as I no longer needed to remember them. I generally went for a length of around 16 characters (sometimes more, sometimes less), but wow, I'm still somewhat amazed by the number of sites that wouldn't allow me to do this as it was 'too long'!

3bit.com
5411 posts

Uber Geek

Moderator
Trusted
Subscriber
  Reply # 467917 11-May-2011 13:17 Send private message

The ones that irk me are sites that ask for at least one uppercase, one lowercase, one punctuation mark, at least x length, plus it can't have been used before.

You end up with a god awful password you can't remember.  One guy here has his password as "Providerxsucks1!"





Custom software development | Mt Eden Cafe | Gardening Blog | Gardening.co.nz

1528 posts

Uber Geek

Subscriber
  Reply # 467933 11-May-2011 14:18 Send private message

CapBBeard:
A while back I started using lastpass (password management system), so went around all the websites I have accounts for bar the really major ones (like banking etc) with the intent of changing them all to random character strings as I no longer needed to remember them. I generally went for a length of around 16 characters (sometimes more, sometimes less), but wow, I'm still somewhat amazed by the number of sites that wouldn't allow me to do this as it was 'too long'!


+1
Use lastpass too.
Although they have just had a slight security scare.
http://blog.lastpass.com/
But to be honest, my master password is strong enough, so I'm not overly worried about it.
I still feel safer than using the same password for every online account.

2551 posts

Uber Geek

Moderator
Trusted
Subscriber
  Reply # 467936 11-May-2011 14:32 Send private message

nate: The ones that irk me are sites that ask for at least one uppercase, one lowercase, one punctuation mark, at least x length, plus it can't have been used before.

You end up with a god awful password you can't remember.  One guy here has his password as "Providerxsucks1!"


That is to stop qwerty or 123456 or password or any number of other dumb passwords that an amazing number of people otherwise use.







Media centre PC - Case Silverstone LC16M with 2 X 80mm AcoustiFan DustPROOF, MOBO Gigabyte MA785GT-UD3H, CPU AMD X2 240 under volted, RAM 4 Gig DDR3 1033, HDD 120Gig System/512Gig data, Tuners 2 X Hauppauge HVR-3000, 1 X HVR-2200, Video Palit GT 220, Sound Realtek 886A HD (onboard), Optical LiteOn DH-401S Blue-ray using TotalMedia Theatre Power Corsair VX Series, 450W ATX PSU OS Windows 7 x64

124 posts

Master Geek
  Reply # 467937 11-May-2011 14:37 Send private message

dontpanic42:
CapBBeard:
A while back I started using lastpass (password management system), so went around all the websites I have accounts for bar the really major ones (like banking etc) with the intent of changing them all to random character strings as I no longer needed to remember them. I generally went for a length of around 16 characters (sometimes more, sometimes less), but wow, I'm still somewhat amazed by the number of sites that wouldn't allow me to do this as it was 'too long'!


+1
Use lastpass too.
Although they have just had a slight security scare.
http://blog.lastpass.com/
But to be honest, my master password is strong enough, so I'm not overly worried about it.
I still feel safer than using the same password for every online account.


Yeah to be honest I feel quite safe, there's always going to be risks storing passwords but in this case I think they are rather low. As you say, compared to using the same or similar or similarly derived etc passwords across a number of sites, I'll take lastpass any day. Sounds as though they were being overly cautious more than anything, which I've no problem with.

2151 posts

Uber Geek
  Reply # 467949 11-May-2011 15:16 Send private message

reven:
muppet:
reven: 8 is usually for a encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.


Are you talking about hashing? If so length doesn't matter.  Storing hashes is the right way to store passwords as it's a one way operation. You can't restore a password from a hash, but you can brute force it or check against rainbow tables.


nah not hashing, encrypting.  eg RC4 


No, you're getting those confused. A MD5 hash takes an arbitary length and converts it to a  128 "unique" hash of the input. That is, the output is always 128bits.

RC4 is a symmetric crypto algorithm. It generates a psuedo random number stream (It's called a stream cipher for a reason) that you take and then xor each bit of your plaintext against.

Things like AES work similarly. If you have 8 bytes of plaintext, you get 8 bytes of ciphertext.
 

 1 | 2Next
View this topic in a long page with up to 500 replies per page Create new topic



Twitter »
Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when new jobs are posted to our jobs board:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:




News »
Amazon brings Kindle Fire to 170 countries, expand app store to more than 200 countries
Posted 24-May-2013 14:41

Gen-i and SAP partner in mobile business
Posted 23-May-2013 09:23

Ericsson to close down telecom cable manufacturing
Posted 23-May-2013 08:46

FaceToFace Communications and StarLeaf bring unique cloud-based videoconferencing to Australia and New Zealand
Posted 22-May-2013 09:12

IBM Watson finds a new job: customer services
Posted 22-May-2013 08:37

Microsoft unveils Xbox One
Posted 22-May-2013 08:11


Trending now »
Hot discussions in our forums right now:

Fecked up religious people strike again :-(
Created by Mark, last reply by nakedmolerat on 24-May-2013 20:36 (81 replies)
Pages... 4 5 6

Cannabis is illegal yet we have really strong 'legal highs' ?
Created by qwerty7, last reply by freitasm on 23-May-2013 23:20 (74 replies)
Pages... 3 4 5

Xbox One
Created by DjShadow, last reply by Kingy on 24-May-2013 13:48 (68 replies)
Pages... 3 4 5

A new project coming to Geekzone
Created by freitasm, last reply by DarthKermit on 24-May-2013 19:41 (341 replies)
Pages... 21 22 23

Troublesome transition to VDSL
Created by oseiler, last reply by michaelmurfy on 24-May-2013 13:57 (18 replies)
Pages... 2

HTC One (2013) owners' discussion
Created by Dingbatt, last reply by wlfkfgkwlaktka on 24-May-2013 15:49 (1564 replies)
Pages... 103 104 105

Warning - Users with Tenda ADSL modem
Created by Psi, last reply by plambrechtsen on 24-May-2013 21:31 (43 replies)
Pages... 2 3

Orcon, Is this for real or a scam??
Created by old3eyes, last reply by DarthKermit on 22-May-2013 19:12 (29 replies)
Pages... 2


Geekzone Jobs »
Most recent NZ jobs in technology:

Organisational Change Analyst
Posted 24-May-2013 19:28

Dedicated Java Developer/ Technical lead
Posted 24-May-2013 18:28

Account Manager - IT/Telco
Posted 24-May-2013 18:28

Commercial Java Developer
Posted 24-May-2013 18:28

Senior DB2 Database Administrator
Posted 24-May-2013 18:28

Technical BA
Posted 24-May-2013 18:28

OSS Systems Engineer
Posted 24-May-2013 18:28


Geekzone Live »
Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Updates »
Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.