Geekzone: technology news, blogs, forums
andrewNZ (2487 posts, Uber Geek) #128935 28-Aug-2013 20:46

So I've once again come up against a password length upper limit for internet banking, and I'm wondering why. 

I really don't know anything about password handling, but I have read that if a password is handled and stored properly, length shouldn't be a factor as properly hashing and salting results in a fixed length string.

All banks I've dealt with seem to have a limit, some more ridiculous than others.

BNZ - 8 max
Kiwibank - 15 max
Westpac - 24 max

So the questions are:
Why is there a limit? Surely a longer password is better...
Is the limit a potential security risk? Not so much the length, but what it means about the way they're handling the password.

Inphinity (2700 posts, Uber Geek, Subscriber) #886169 28-Aug-2013 21:01

A likely reason for a limit is the table structure of the database they're storing user info in. They've probably decided long ago to make the password column a specific length, and the effort and impact of changing it now is not deemed worthwhile.

In theory, yes, the limit is a potential security risk, in that a shorter password is inherently easier to guess because there are fewer combinations. But in terms of how it's handled and stored from the bank's side, it's not a significant factor provided the way it's stored is secure. Here's some hashing examples, using MD5:

pluto = c6009f08fc5fc6385f1ea1f5840e179f
thunderstorm = 445a222489d55b5768ec2f17b1c3ea34

Notice both results are 32 characters?

Even
alphabetisetheworldbecauseitsfun = 4ec7cee2296fd241adcf0fc0c1b3db07


So, plaintext password length is not a significant factor in security of stored passwords in a database.

But, yes, if someone is trying to brute-force your password, longer is better.


andrewNZ (2487 posts, Uber Geek) #886174 28-Aug-2013 21:05

That reinforces my concerns. As you demonstrate, a hashed password is a fixed length, so table field length shouldn't be a factor. Does that mean they're storing passwords in plain text? That would be VERY concerning.

Inphinity (2700 posts, Uber Geek, Subscriber) #886185 28-Aug-2013 21:13

andrewNZ: That reinforces my concerns. As you demonstrate, a hashed password is a fixed length, so table field length shouldn't be a factor. Does that mean they're storing passwords in plain text? That would be VERY concerning.


They're unlikely to be storing anything in plain text, it would be against most of the regulations and requirements. They may be using a different hash algorithm - I just picked MD5 because it's easy to calculate. Not all will result in a 32-character result. Having seen how some of the major banks handle their security - exceptionally well - I'd be surprised if they're not all on a similar level.



andrewNZ (2487 posts, Uber Geek) #886191 28-Aug-2013 21:18

So let's ignore the security part for a bit. Is there a valid technical reason for limiting the length of a password, like being harder to handle in the browser?


I mostly find this annoying because I try to have good passwords, and I try to keep a good system running. I ultimately have 3 tiers of password. When I change a banking password, the old one is bumped down, and it bumps another down to the bottom tier.

My system isn't perfect, but it's sure as hell better than having AbC123 for everything :)

We were with BNZ for a short time, and it wound me up that my least secure password was longer than their stupid 8 character limit.

Inphinity (2700 posts, Uber Geek, Subscriber) #886199 28-Aug-2013 21:23

Valid technical reasons will typically stem from decisions made in the past, such as a hashing algorithm that can only support strings up to x length. Perhaps they have some older software still in place that can only support passwords of x length. There's a variety of reasons for it, but there is no technical benefit to it now - but 15 years ago, perhaps, when needing an extra few GB or so of storage just for longer user passwords was less financially feasible, it may have been a decision.

sleemanj (1440 posts, Uber Geek) #886200 28-Aug-2013 21:24

I expect it's a largely arbitrary limit and may be related to:

1. customer service - limiting options so that the dullards don't make up a long complicated password and forget
2. historic UI on their own antiquated backend systems, sure it might be hashed in the database now, but the old terminal program still can't handle it
3. because the web developer just put a maxlength on the field out of habit

What annoys me more is minimum lengths and enforced use of various characters, especially for not-exactly-fort-knox websites, "you must choose a password more than 8 characters" "you must have at least 2 numbers" "you must have upper and lower case letters" "you must have a symbol"....





---
James Sleeman
I sell lots of stuff for electronic enthusiasts...


andrewNZ (2487 posts, Uber Geek) #886203 28-Aug-2013 21:33

Righto then, now I know a little bit more, I guess I'll go moan about it to the banks I use :)



alasta (5664 posts, Uber Geek, Trusted, Subscriber) #886229 28-Aug-2013 22:00

The last time I changed my BNZ password I was unable to use punctuation characters. That, coupled with the eight character limit, is a bit of a worry.

timmmay (18478 posts, Uber Geek, Trusted, Subscriber) #886311 29-Aug-2013 07:38

Everyone should be using "correct horse battery staple" as it's the most secure password...

andrewNZ (2487 posts, Uber Geek) #886321 29-Aug-2013 08:26

You're right... wait no, no good, it's outside the limits of all the banks I listed :(

:P

GregV (908 posts, Ultimate Geek) #886328 29-Aug-2013 08:55

I'm pretty sure it has been mentioned on GZ before, but ASB's password is not even case sensitive.

Kraven (675 posts, Ultimate Geek) #886330 29-Aug-2013 08:58

GregV: I'm pretty sure it has been mentioned on GZ before, but ASB's password is not even case sensitive.


Are you sure? I just tried mine entirely in lowercase and it didn't work.

andrewNZ (2487 posts, Uber Geek) #886331 29-Aug-2013 08:59

Holy crap... Could it just be that they have the form strip the case?

Do they have a length limit?

GregV (908 posts, Ultimate Geek) #886335 29-Aug-2013 09:08

Kraven:
GregV: I'm pretty sure it has been mentioned on GZ before, but ASB's password is not even case sensitive.


Are you sure? I just tried mine entirely in lowercase and it didn't work.

Maybe it's a one-way thing, and stores everything in lower-case. I can enter more than one INCORRECT upper-case character in my password, and it logs me in.

EDIT - found previous discussion http://www.geekzone.co.nz/forums.asp?forumid=48&topicid=119744

andrewNZ (2487 posts, Uber Geek) #886348 29-Aug-2013 09:46

Man, I should have just accepted this... It just gets worse the more I know.

So Westpac doesn't seem to care about case either (tried it), although that doesn't worry me as much as the length thing.
