Geekzone: technology news, blogs, forums
2020 posts

Uber Geek
+1 received by user: 1131


Topic # 128935 28-Aug-2013 20:46

So I've once again come up against a password length upper limit for internet banking, and I'm wondering why. 

I really don't know anything about password handling, but I have read that if a password is handled and stored properly, length shouldn't be a factor as properly hashing and salting results in a fixed length string.

All banks I've dealt with seem to have a limit, some more ridiculous than others.

BNZ - 8 max
Kiwibank - 15 max
Westpac - 24  max

So the questions are:
Why is there a limit? surely a longer password is better...
Is the limit a potential security risk? not so much the length, but what it means about the way they're handling the password.




Location: Dunedin

2527 posts

Uber Geek
+1 received by user: 939

Subscriber

  Reply # 886169 28-Aug-2013 21:01

A likely reason for a limit is the table structure of the database they're storing user info in. They've probably decided long ago to make the password column a specific length, and the effort and impact of changing it now is not deemed worthwhile.

In theory, yes, the limit is a potential security risk, in that a shorter password is inherently easier to guess because there are fewer combinations. But in terms of how it's handled and stored on the bank's side, it's not a significant factor provided the way it's stored is secure. Here are some hashing examples, using MD5:

pluto = c6009f08fc5fc6385f1ea1f5840e179f
thunderstorm = 445a222489d55b5768ec2f17b1c3ea34

Notice both results are 32 characters?

Even
alphabetisetheworldbecauseitsfun = 4ec7cee2296fd241adcf0fc0c1b3db07


So, plaintext password length is not a significant factor in security of stored passwords in a database.

But, yes, if someone is trying to bruteforce your password, longer is better.





Windows 7 x64 // i5-3570K // 16GB DDR3-1600 // GTX660Ti 2GB // Samsung 830 120GB SSD // OCZ Agility4 120GB SSD // Samsung U28D590D @ 3840x2160 & Asus PB278Q @ 2560x1440
Samsung Galaxy S5 SM-G900I w/Spark



2020 posts

Uber Geek
+1 received by user: 1131


  Reply # 886174 28-Aug-2013 21:05
One person supports this post

That reinforces my concerns. As you demonstrate, a hashed password is a fixed length, so table field length shouldn't be a factor. Does that mean they're storing passwords in plain text? That would be VERY concerning.




Location: Dunedin



2527 posts

Uber Geek
+1 received by user: 939

Subscriber

  Reply # 886185 28-Aug-2013 21:13

andrewNZ: That reinforces my concerns. As you demonstrate, a hashed password is a fixed length, so table field length shouldn't be a factor. Does that mean they're storing passwords in plain text? That would be VERY concerning.


They're unlikely to be storing anything in plain text; it would be against most of the regulations and requirements. They may be using a different hash algorithm - I just picked MD5 because it's easy to calculate. Not all will result in a 32-character result. Having seen how some of the major banks handle their security - exceptionally well - I'd be surprised if they're not all on a similar level.







2020 posts

Uber Geek
+1 received by user: 1131


  Reply # 886191 28-Aug-2013 21:18
One person supports this post

So let's ignore the security part for a bit. Is there a valid technical reason for limiting the length of a password, like being harder to handle in the browser?


I mostly find this annoying because I try to have good passwords, and I try to keep a good system running. I ultimately have 3 tiers of password. When I change a banking password, the old one is bumped down, and it bumps another down to the bottom tier.

My system isn't perfect, but it's sure as hell better than having AbC123 for everything :)

We were with BNZ for a short time, and it wound me up that my least secure password was longer than their stupid 8 character limit.




Location: Dunedin

2527 posts

Uber Geek
+1 received by user: 939

Subscriber

  Reply # 886199 28-Aug-2013 21:23

Valid technical reasons will typically stem from decisions made in the past, such as a hashing algorithm that can only support strings up to x length. Perhaps they have some older software still in place that can only support passwords of x length. There's a variety of reasons for it, but there is no technical benefit to it now - but 15 years ago, perhaps, when needing an extra few GB or so of storage just for longer user passwords was less financially feasible, it may have been a decision.





1256 posts

Uber Geek
+1 received by user: 163


  Reply # 886200 28-Aug-2013 21:24
3 people support this post

I expect it's a largely arbitrary limit and may be related to:

1. customer service - limiting options so that the dullards don't make up a long complicated password and forget
2. historic UI on their own antiquated backend systems, sure it might be hashed in the database now, but the old terminal program still can't handle it
3. because the web developer just put a maxlength on the field out of habit

What annoys me more is minimum lengths and enforced use of various characters, especially for not-exactly-fort-knox websites, "you must choose a password more than 8 characters" "you must have at least 2 numbers" "you must have upper and lower case letters" "you must have a symbol"....





---
James Sleeman
I sell lots of stuff for electronic enthusiasts...




2020 posts

Uber Geek
+1 received by user: 1131


  Reply # 886203 28-Aug-2013 21:33

Righto then, now I know a little bit more, I guess I'll go moan about it to the banks I use :)




Location: Dunedin

4164 posts

Uber Geek
+1 received by user: 760

Trusted
Subscriber

  Reply # 886229 28-Aug-2013 22:00
One person supports this post

The last time I changed my BNZ password I was unable to use punctuation characters. That, coupled with the eight character limit, is a bit of a worry.

14293 posts

Uber Geek
+1 received by user: 2590

Trusted
Subscriber

  Reply # 886311 29-Aug-2013 07:38
2 people support this post

Everyone should be using "correct horse battery staple" as it's the most secure password...




AWS Certified Solution Architect Professional, Sysop Administrator Associate, and Developer Associate
TOGAF certified enterprise architect
Professional photographer




2020 posts

Uber Geek
+1 received by user: 1131


  Reply # 886321 29-Aug-2013 08:26

You're right... wait no, no good, it's outside the limits of all the banks I listed :(

:P




Location: Dunedin

767 posts

Ultimate Geek
+1 received by user: 227


  Reply # 886328 29-Aug-2013 08:55
One person supports this post

I'm pretty sure it has been mentioned on GZ before, but ASB's password is not even case sensitive.

597 posts

Ultimate Geek
+1 received by user: 98


  Reply # 886330 29-Aug-2013 08:58

GregV: I'm pretty sure it has been mentioned on GZ before, but ASB's password is not even case sensitive.


Are you sure? I just tried mine entirely in lowercase and it didn't work.



2020 posts

Uber Geek
+1 received by user: 1131


  Reply # 886331 29-Aug-2013 08:59

Holy crap... Could it just be that they have the form strip the case?

Do they have a length limit?




Location: Dunedin

767 posts

Ultimate Geek
+1 received by user: 227


  Reply # 886335 29-Aug-2013 09:08
One person supports this post

Kraven:
GregV: I'm pretty sure it has been mentioned on GZ before, but ASB's password is not even case sensitive.


Are you sure? I just tried mine entirely in lowercase and it didn't work.

Maybe it's a one-way thing, and stores everything in lower-case. I can enter more than one INCORRECT upper-case character in my password, and it logs me in.

EDIT - found previous discussion http://www.geekzone.co.nz/forums.asp?forumid=48&topicid=119744



2020 posts

Uber Geek
+1 received by user: 1131


  Reply # 886348 29-Aug-2013 09:46

Man, I should have just accepted this... It just gets worse the more I know.

So Westpac doesn't seem to care about case either (tried it), although that doesn't worry me as much as the length thing.




Location: Dunedin
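As an added illustration (not code from the thread, and not from any bank), the Python below puts the MD5 demonstration in reply #886169 next to a salted, iterated PBKDF2 record to show that a stored hash has a fixed width whatever the plaintext length, and models the lower-case-before-hashing behaviour GregV describes for ASB in reply #886335. The sample passwords are the three from the thread; the PBKDF2 parameters, the `iterations$salt$hash` record layout and the function names are my assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample set: the three passwords used in reply #886169.
SAMPLES = ["pluto", "thunderstorm", "alphabetisetheworldbecauseitsfun"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, as used in the reply to show fixed-width output.
    Kept only for that demonstration; it is not a suitable password hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt=None, iterations: int = 100_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (Python stdlib) stored as
    'iterations$salt_hex$hash_hex' (layout is an assumption). The width
    depends only on these parameters, never on the plaintext length."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def verify_case_folded(password: str, record: str) -> bool:
    """Models the ASB behaviour described in the thread: the site lower-cases
    the password before checking it, so 'PLuTO' and 'pluto' are the same
    credential and every letter loses its upper-case variant."""
    return verify(password.lower(), record)


def record_widths(passwords, hasher) -> set:
    """Set of stored-column widths over the samples; a single element means
    the column width cannot be what constrains plaintext length."""
    return {len(hasher(p)) for p in passwords}


if __name__ == "__main__":
    fixed_salt = bytes(16)  # constructed zero salt so widths are comparable
    print("MD5 widths   :", record_widths(SAMPLES, md5_hex))
    print("PBKDF2 widths:", record_widths(SAMPLES, lambda p: make_record(p, fixed_salt)))
    rec = make_record("pluto")
    print("exact match  :", verify("pluto", rec), " wrong case:", verify("PLuTO", rec))
    print("case-folded  :", verify_case_folded("PLuTO", rec))
```

Both hashers return one width for all three samples, so a fixed-size password column never forces a plaintext limit; the case-folded check accepts a wrong-case password that the strict check rejects.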
