Geekzone: technology news, blogs, forums
andrewNZ | 2487 posts | Uber Geek | Inactive user | #128935 28-Aug-2013 20:46

So I've once again come up against a password length upper limit for internet banking, and I'm wondering why. 

I really don't know anything about password handling, but I have read that if a password is handled and stored properly, length shouldn't be a factor as properly hashing and salting results in a fixed length string.

All banks I've dealt with seem to have a limit, some more ridiculous than others.

BNZ - 8 max
Kiwibank - 15 max
Westpac - 24  max

So the questions are:
Why is there a limit? Surely a longer password is better...
Is the limit a potential security risk? Not so much the length, but what it means about the way they're handling the password.

Inphinity | 2780 posts | Uber Geek | #886169 28-Aug-2013 21:01

A likely reason for a limit is the table structure of the database they're storing user info in. They've probably decided long ago to make the password column a specific length, and the effort and impact of changing it now not deemed worthwhile.

In theory, yes, the limit is a potential security risk, in that a shorter password is inherently easier to guess because there are fewer combinations. But in terms of how it's handled and stored from the bank's side, it's not a significant factor provided the way it's stored is secure. Here's some hashing examples, using MD5:

pluto = c6009f08fc5fc6385f1ea1f5840e179f
thunderstorm = 445a222489d55b5768ec2f17b1c3ea34

Notice both results are 32 characters?

Even
alphabetisetheworldbecauseitsfun = 4ec7cee2296fd241adcf0fc0c1b3db07


So, plaintext password length is not a significant factor in security of stored passwords in a database.

But, yes, if someone is trying to bruteforce your password, longer is better.
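The point made above, that the stored hash has one fixed size whatever the password length, can be shown directly. The following is an added example written for this page, not code from the thread or from any bank; it uses only the Python standard library. It repeats the unsalted MD5 of the post purely to show the 32-character digest, then stores each sample password with salted, iterated PBKDF2-HMAC-SHA256 in a fixed-width record, and verifies against that record in constant time. The sample passwords, the 1024-byte upper bound and the iteration count are assumptions chosen for illustration: a bound that generous still leaves room for any passphrase while stopping a multi-megabyte "password" from burning CPU in the key derivation, which is the only defensible reason for a maximum.

```python
"""Added example: why a password hash's stored size does not depend on the
password's length, and what a sane upper bound looks like.
Stdlib only (hashlib/hmac/os); passwords below are constructed samples."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample passwords of very different lengths (not real credentials).
SAMPLES = [
    "pluto",
    "thunderstorm",
    "alphabetisetheworldbecauseitsfun",
    "correct horse battery staple",
]

# Hypothetical server-side bound (assumption): generous enough for any passphrase,
# small enough that a huge submitted "password" cannot be used to burn CPU in the KDF.
MAX_PASSWORD_BYTES = 1024
PBKDF2_ITERATIONS = 600_000  # assumption; tune to your own hardware budget


def md5_hex(password: str) -> str:
    """Unsalted MD5, as in the post above. Useful only to show that the digest
    is always 32 hex characters; never store passwords this way."""
    return hashlib.md5(password.encode("utf-8"), usedforsecurity=False).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 stored as one self-describing string:
    algorithm$iterations$salt_hex$digest_hex. With a fixed salt width and
    iteration count the record length is the same whatever the password length."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        raise ValueError("password too long")
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(digest_hex))


def record_lengths(passwords=SAMPLES) -> set:
    """Set of stored-record lengths for the samples: a single value, independent
    of input length (fixed salt and a small iteration count keep it deterministic)."""
    return {len(make_record(p, salt=b"\x00" * 16, iterations=1000)) for p in passwords}


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:40} md5={md5_hex(p)}")
    print("stored record lengths:", record_lengths())
    rec = make_record("thunderstorm")
    print("verify correct:", verify("thunderstorm", rec))
    print("verify wrong:  ", verify("Thunderstorm", rec))
```

The record format is the usual "algorithm, cost, salt, digest" layout so the verifier can read the parameters back and the cost can be raised later without invalidating existing rows. A column wide enough for that record is all the database ever needs, which is why a column-width limit of 8 or 15 characters on the plaintext is not a storage constraint.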




andrewNZ | 2487 posts | Uber Geek | Inactive user | #886174 28-Aug-2013 21:05

That reinforces my concerns. As you demonstrate, a hashed password is a fixed length, so table field length shouldn't be a factor. Does that mean they're storing passwords in plain text? That would be VERY concerning.

Inphinity | 2780 posts | Uber Geek | #886185 28-Aug-2013 21:13

andrewNZ: That reinforces my concerns. As you demonstrate, a hashed password is a fixed length, so table field length shouldn't be a factor. Does that mean they're storing passwords in plain text? That would be VERY concerning.


They're unlikely to be storing anything in plain text, it would be against most of the regulations and requirements. They may be using a different hash algorithm - I just picked MD5 because it's easy to calculate. Not all will result in a 32-character result. Having seen how some of the major banks handle their security - exceptionally well - I'd be surprised if they're not all on a similar level.



andrewNZ | 2487 posts | Uber Geek | Inactive user | #886191 28-Aug-2013 21:18

So let's ignore the security part for a bit. Is there a valid technical reason for limiting the length of a password, like being harder to handle in the browser?


I mostly find this annoying because I try to have good passwords, and I try to keep a good system running. I ultimately have 3 tiers of password. When I change a banking password, the old one is bumped down, and it bumps another down to the bottom tier.

My system isn't perfect, but it's sure as hell better than having AbC123 for everything :)

We were with BNZ for a short time, and it wound me up that my least secure password was longer than their stupid 8 character limit.

Inphinity | 2780 posts | Uber Geek | #886199 28-Aug-2013 21:23

Valid technical reasons will typically stem from decisions made in the past, such as a hashing algorithm that can only support strings up to x length. Perhaps they have some older software still in place that can only support passwords of x length. There's a variety of reasons for it, but there is no technical benefit to it now - but 15 years ago, perhaps, when needing an extra few GB or so of storage just for longer user passwords was less financially feasible, it may have been a decision.

sleemanj | 1490 posts | Uber Geek | #886200 28-Aug-2013 21:24

I expect it's a largely arbitrary limit and may be related to:

1. customer service - limiting options so that the dullards don't make up a long complicated password and forget
2. historic UI on their own antiquated backend systems, sure it might be hashed in the database now, but the old terminal program still can't handle it
3. because the web developer just put a maxlength on the field out of habit

What annoys me more is minimum lengths and enforced use of various characters, especially for not-exactly-fort-knox websites, "you must choose a password more than 8 characters" "you must have at least 2 numbers" "you must have upper and lower case letters" "you must have a symbol"....





---
James Sleeman
I sell lots of stuff for electronic enthusiasts...


andrewNZ | 2487 posts | Uber Geek | Inactive user | #886203 28-Aug-2013 21:33

Righto then, now I know a little bit more, I guess I'll go moan about it to the banks I use :)

alasta | 6703 posts | Uber Geek | Trusted | Subscriber | #886229 28-Aug-2013 22:00

The last time I changed my BNZ password I was unable to use punctuation characters. That, coupled with the eight character limit, is a bit of a worry.

timmmay | 20575 posts | Uber Geek | Trusted | Lifetime subscriber | #886311 29-Aug-2013 07:38

Everyone should be using "correct horse battery staple" as it's the most secure password...

andrewNZ | 2487 posts | Uber Geek | Inactive user | #886321 29-Aug-2013 08:26

You're right... wait no, no good, it's outside the limits of all the banks I listed :(

:P

GregV | 928 posts | Ultimate Geek | #886328 29-Aug-2013 08:55

I'm pretty sure it has been mentioned on GZ before, but ASB's password is not even case sensitive.

Kraven | 729 posts | Ultimate Geek | #886330 29-Aug-2013 08:58

GregV: I'm pretty sure it has been mentioned on GZ before, but ASB's password is not even case sensitive.


Are you sure? I just tried mine entirely in lowercase and it didn't work.

andrewNZ | 2487 posts | Uber Geek | Inactive user | #886331 29-Aug-2013 08:59

Holy crap... Could it just be that they have the form strip the case?

Do they have a length limit?

GregV | 928 posts | Ultimate Geek | #886335 29-Aug-2013 09:08

Kraven:
GregV: I'm pretty sure it has been mentioned on GZ before, but ASB's password is not even case sensitive.


Are you sure? I just tried mine entirely in lowercase and it didn't work.

Maybe it's a one-way thing, and stores everything in lower-case.  I can enter more than one INCORRECT upper-case character in my password, and it logs me in.

EDIT - found previous discussion http://www.geekzone.co.nz/forums.asp?forumid=48&topicid=119744

andrewNZ | 2487 posts | Uber Geek | Inactive user | #886348 29-Aug-2013 09:46

Man, I should have just accepted this... It just gets worse the more I know.

So Westpac doesn't seem to care about case either (tried it), although that doesn't worry me as much as the length thing.
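The case-insensitivity observed in the last few posts (a password with wrong-case letters still logging in) means the server folds case somewhere before comparing, so the stored hash no longer distinguishes case variants. The following is an added example for this page, not code from the thread or from any bank, showing one hypothetical way such behaviour arises (upper-casing before hashing, e.g. for compatibility with an older uppercase-only front end) next to a case-preserving scheme, and counting how many case variants each one accepts. It also puts numbers on the limits listed in the opening post, assuming a 62-symbol mixed-case alphanumeric alphabet, a 36-symbol case-folded one, and 95 printable ASCII symbols; the sample password is constructed and the hash used is plain SHA-256 to keep the enumeration fast, which is not a recommendation for password storage.

```python
"""Added example: what a "case-insensitive password" implies for the stored hash
and for an attacker's search space. Stdlib only; the folding scheme and the
sample password are hypothetical, chosen for illustration."""
import hashlib
import math
from itertools import product


def strict_hash(password: str) -> str:
    """Case-preserving: a different case gives a different digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def folded_hash(password: str) -> str:
    """Hypothetical legacy scheme: upper-case before hashing. Every case
    variant of the password now verifies against the same stored digest."""
    return hashlib.sha256(password.upper().encode("utf-8")).hexdigest()


def accepted_case_variants(password: str, hasher) -> int:
    """Enumerate every case variant of `password` and count those whose digest
    equals the digest of the original, i.e. those the scheme would accept."""
    target = hasher(password)
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in password]
    return sum(1 for chars in product(*options) if hasher("".join(chars)) == target)


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of passwords of exactly `length` over the alphabet:
    the work factor an exhaustive guesser faces, ignoring human bias."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = "Pluto42"  # constructed sample, 5 letters -> 2**5 case variants
    print("strict scheme accepts", accepted_case_variants(pw, strict_hash), "variant(s)")
    print("folded scheme accepts", accepted_case_variants(pw, folded_hash), "variant(s)")
    # The limits from the opening post as an exhaustive guesser sees them:
    print(f"8 chars, mixed-case alphanumeric: {keyspace_bits(8, 62):.1f} bits")
    print(f"8 chars, case-folded alphanumeric: {keyspace_bits(8, 36):.1f} bits")
    print(f"24 chars, printable ASCII:         {keyspace_bits(24, 95):.1f} bits")
```

Folding case costs one bit per letter, so an 8-character alphanumeric password drops from about 47.6 to about 41.4 bits, a 76-fold reduction in the space an attacker must cover; raising the limit from 8 to 24 characters matters far more than any complexity rule.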
