Internet banking password. Is limiting the password length a security risk?

Please note this sub-forum does not provide professional finance advice. You should seek advice from a licensed financial advisor. If investing please consider our affiliate links for new accounts: Sharesies or Hatch. To post in this sub-forum you must have made 100 posts or have Trust status or have completed our ID Verification

Forums › Finance and wealth management › Internet banking password. Is limiting the password length a security risk?

andrewNZ

2487 posts

Uber Geek
Inactive user

#128935 28-Aug-2013 20:46

So I've once again come up against a password length upper limit for internet banking, and I'm wondering why.

I really don't know anything about password handling, but I have read that if a password is handled and stored properly, length shouldn't be a factor as properly hashing and salting results in a fixed length string.

All banks I've dealt with seem to have a limit, some more ridiculous than others.

BNZ - 8 max
Kiwibank - 15 max
Westpac - 24 max

So the questions are:
Why is there a limit? surely a longer password is better...
Is the limit a potential security risk? not so much the length, but what it means about the way they're handling the password.

1 | 2 | 3

Affiliate link

Affiliate link: You will find anything you want at MightyApe.

Inphinity

2700 posts

Uber Geek

Subscriber

#886169 28-Aug-2013 21:01

A likely reason for a limit is the table structure of the database they're storing user info in. They've probably decided long ago to make the password column a specific length, and the effort and impact of c hanging it now not deemed worthwhile.

In theory, yes, the limit is a potential security risk, in that a shorter password is inherently easier to guess because there are less combinations. But in terms of how it's handled and stored from the banks side, it's not a significant factor provided the way it's stored is secure. Here's some hashing examples, usingMD5:

pluto = c6009f08fc5fc6385f1ea1f5840e179f
thunderstorm = 445a222489d55b5768ec2f17b1c3ea34

notice both results are 32 characters?

even
alphabetisetheworldbecauseitsfun = 4ec7cee2296fd241adcf0fc0c1b3db07

So, plaintext password length is not a significant factor in security of stored passwords in a database.

But, yes, if someone is trying to bruteforce your password, longer is better.

andrewNZ

2487 posts

Uber Geek
Inactive user

#886174 28-Aug-2013 21:05

That reinforces my concerns. As you demonstrate, a hashed password is a fixed length, so table field length shouldn't be a factor. Does that mean they're storing passwords in plain text? that would be VERY concerning.

Inphinity

2700 posts

Uber Geek

Subscriber

#886185 28-Aug-2013 21:13

andrewNZ: That reinforces my concerns. As you demonstrate, a hashed password is a fixed length, so table field length shouldn't be a factor. Does that mean they're storing passwords in plain text? that would be VERY concerning.

They're unlikely to be storing anything in plain text, it would be against most of the regulations and requirements. They may be using a different hash algorithm - I just picked MD5 because it's easy to calculate. Not all will result in a 32-character result. Having seen how some of the major banks handle their security - exceptionally well - I'd be surprised if they're not all on a similar level.

andrewNZ

2487 posts

Uber Geek
Inactive user

#886191 28-Aug-2013 21:18

So let's ignore the security part for a bit. Is there a valid technical reason for limiting the length of a password, like being harder to handle in the browser?

I mostly find this annoying because I try to have good passwords, and I try to keep a good system running. I ultimately have 3 tiers of password. When I change a banking password, the old one is bumped down, and it bumps another down to the bottom tier.

My system isn't perfect, but it's sure as hell better than having AbC123 for everything :)

We were with BNZ for a short time, and it wound me up that my least secure password was longer than their stupid 8 character limit.

Inphinity

2700 posts

Uber Geek

Subscriber

#886199 28-Aug-2013 21:23

Valid technical reasons will typically stem from decisions made in the past, such as a hashing algorithm that can only support strings up to x length. Perhaps they have some older software still in place that can only support passwords of x length. There's a variety of reasons for it, but there is no technical benefit to it now - but 15 years ago, perhaps, when needing an extra few GB or so of storage just for longer user passwords was less financially feasible, it may have been a decision.

sleemanj

1440 posts

Uber Geek

#886200 28-Aug-2013 21:24

I expect it's a largely arbitrary limit and may be related to:

1. customer service - limiting options so that the dullards don't make up a long complicated password and forget
2. historic UI on their own antiquated backend systems, sure it might be hashed in the database now, but the old terminal program still can't handle it
3. because the web developer just put a maxlength on the field out of habit

What annoys me more is minimum lengths and enforced use of various characters, especially for not-exactly-fort-knox websites, "you must choose a password more than 8 characters" "you must have at least 2 numbers" "you must have upper and lower case letters" "you must have a symbol"....

---
James Sleeman
I sell lots of stuff for electronic enthusiasts...

andrewNZ

2487 posts

Uber Geek
Inactive user

#886203 28-Aug-2013 21:33

Righto then, now I know a little bit more, I guess I'll go moan about it to the banks I use :)

alasta

5664 posts

Uber Geek

Trusted

Subscriber

#886229 28-Aug-2013 22:00

The last time I changed my BNZ password I was unable to use punctuation characters. That, coupled with the eight character limit, is a bit of a worry.

timmmay

18478 posts

Uber Geek

Trusted

Subscriber

#886311 29-Aug-2013 07:38

Everyone should be using "correct horse battery staple" as it's the most secure password...

andrewNZ

2487 posts

Uber Geek
Inactive user

#886321 29-Aug-2013 08:26

You're right... wait no, no good, it's outside the limits of all the banks I listed :(

:P

GregV

908 posts

Ultimate Geek

#886328 29-Aug-2013 08:55

I'm pretty sure it has been mentioned on GZ before, but ASB's password is not even case sensitive.

Kraven

675 posts

Ultimate Geek

#886330 29-Aug-2013 08:58

GregV: I'm pretty sure it has been mentioned on GZ before, but ASB's password is not even case sensitive.

Are you sure? I just tried mine entirely in lowercase and it didn't work.

andrewNZ

2487 posts

Uber Geek
Inactive user

#886331 29-Aug-2013 08:59

Holy crap... Could it just be that they have the form strip the case?

Do they have a length limit?

GregV

908 posts

Ultimate Geek

#886335 29-Aug-2013 09:08

Kraven:
GregV: I'm pretty sure it has been mentioned on GZ before, but ASB's password is not even case sensitive.

Are you sure? I just tried mine entirely in lowercase and it didn't work.

Maybe it's a one-way thing, and stores everything in lower-case. I can enter more than one INCORRECT upper-case character in my password, and it logs me in.

EDIT - found previous discussion http://www.geekzone.co.nz/forums.asp?forumid=48&topicid=119744

andrewNZ

2487 posts

Uber Geek
Inactive user

#886348 29-Aug-2013 09:46

Man, I should have just accepted this... It just gets worse the more I know.

So Westpac doesn't seem to care about case either (tried it), although that doesn't worry me as much as the length thing.

1 | 2 | 3