Geekzone: technology news, blogs, forums
# 83137 11-May-2011 11:00

Here is a little rant I am sure many here understand.

Why is it that websites restrict the password field as much as they do?

Latest experience has been with the TelstraClear Customer Zone portal. "The password must be between 7 and 8 characters and contain no spaces." The no spaces requirement I can understand. Most websites can't seem to manage passwords containing spaces which shouldn't actually be a problem but that is another rant.

But, 7 and 8 characters... Why, for the love of all that is sane, would that restriction be necessary? I am by no means a database expert, but I am sure that storing passwords that are a little longer than that would be feasible, wouldn't it?

I feel the same way about most banks, Kiwibank & WestPac are the exceptions that I know of. Surely encouraging security by allowing any characters and lengthy passwords should be normal practice.

  # 467861 11-May-2011 11:02

I would say passwords greater than 7 characters would be fine, but 7-8, that's just ridiculous.

Phil Gale
  # 467863 11-May-2011 11:03

Often it's caused by interfacing with older legacy systems which don't handle passwords well. Sometimes it's just plain obtuse security policies.

My pet peeve with this is BNZ: they force us to use their netguard card system (which I hate) in the name of security, while at the same time having a max length on internet banking passwords of 8 characters.

I would have a more secure password if they would let me.




  # 467864 11-May-2011 11:04

Limiting the password to 7-8 characters is probably one of the worst security ideas ever. Firstly, if people don't tend to use a password that long/short, then it will be written down on a sticky note next to the computer in plain view.

Secondly, that makes a brute force or timing attack far quicker, reducing the time taken to crack a semi-hard password from years to hours or less.

Who knows what they were thinking.

  # 467868 11-May-2011 11:17

The other problem is poor validation; when signing up for an account with one site I used a password containing an "&". It accepted this when creating the account but wouldn't let me log in with it. It turns out that it truncated the password to contain everything preceding the "&" and nothing after it. Side note: As I was able to get the password emailed to me, they must not be stored using non-reversible encryption!
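As an added example (not code from the post or from any site mentioned in it), the form-handling mistake described above can be reproduced in Python: a login body built by string concatenation loses everything after the "&" once the server's form parser runs, while a properly URL-encoded body round-trips the full password, spaces included. The field names and the username "alice" are assumptions.

```python
from urllib.parse import parse_qs, urlencode


def naive_form_body(username: str, password: str) -> str:
    """Field values pasted into the body without encoding (the bug class in the post)."""
    return f"user={username}&password={password}"


def encoded_form_body(username: str, password: str) -> str:
    """Each value percent-encoded, so '&', '=' and spaces survive parsing."""
    return urlencode({"user": username, "password": password})


def server_side_password(body: str) -> str:
    """What a standard application/x-www-form-urlencoded parser hands to the login code."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("password", [""])[0]


def password_round_trips(password: str, build=encoded_form_body) -> bool:
    """Defensive check: does the password the server sees equal what the user typed?"""
    return server_side_password(build("alice", password)) == password


if __name__ == "__main__":
    # Constructed sample passwords: one with '&' (as in the post), one with spaces.
    for pw in ("p&ss", "correct horse battery"):
        print(repr(pw),
              "naive:", repr(server_side_password(naive_form_body("alice", pw))),
              "encoded:", repr(server_side_password(encoded_form_body("alice", pw))))
```

The same check is worth running at account creation, since a site that accepts a password it cannot later reproduce is exactly the failure described above.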

  # 467872 11-May-2011 11:27

I can't believe that 8 characters is enforced on me for my ASB online banking.

It's just stupid.




  # 467876 11-May-2011 11:35

8 is usually for an encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.

but making it 7 or 8 means the brute force attacks only have to check all the 7 to 8 character combinations.

Greater than 6 with a numeric and a non-alphanumeric character is usually a pretty good minimum.

  # 467878 11-May-2011 11:39

reven: 8 is usually for an encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.


Are you talking about hashing? If so length doesn't matter.  Storing hashes is the right way to store passwords as it's a one way operation. You can't restore a password from a hash, but you can brute force it or check against rainbow tables.

reven: but making it 7 or 8 means the brute force attacks only have to check all the 7 to 8 character combinations.   Greater than 6 with a numeric and a non-alphanumeric character is usually a pretty good minimum.


And this is the problem I have.  For a serious banking site, having the bare minimum and not allowing any more than that seems exceedingly stupid.  It wouldn't surprise me at all to find out ASB are actually storing passwords in the clear (or using some sort of two way encryption) and that's what the limitation is.

  # 467881 11-May-2011 11:46

muppet:
reven: 8 is usually for an encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.


Are you talking about hashing? If so length doesn't matter.  Storing hashes is the right way to store passwords as it's a one way operation. You can't restore a password from a hash, but you can brute force it or check against rainbow tables.


Nah, not hashing, encrypting, e.g. RC4.

  # 467882 11-May-2011 11:46

muppet: I can't believe that 8 characters is enforced on me for my ASB online banking.

It's just stupid.


What's even more stupid is that it's not case-sensitive.  That irks me the most!

  # 467896 11-May-2011 12:21

I have to agree, maximum password length, at least maximums that aren't particularly large/sane (like, 8!) really aggravate me.

I can certainly make an exception for older legacy systems, but it seems even reasonably modern/sensitive websites still have this limitation. Sure, there may be a legacy system in behind that, but with the risks posed online these days I don't feel all that comfortable about it at times. To me, having a max password length indicates that they most likely are not hashing.

A while back I started using lastpass (password management system), so went around all the websites I have accounts for bar the really major ones (like banking etc) with the intent of changing them all to random character strings as I no longer needed to remember them. I generally went for a length of around 16 characters (sometimes more, sometimes less), but wow, I'm still somewhat amazed by the number of sites that wouldn't allow me to do this as it was 'too long'!

  # 467917 11-May-2011 13:17

The ones that irk me are sites that ask for at least one uppercase, one lowercase, one punctuation mark, at least x length, plus it can't have been used before.

You end up with a god awful password you can't remember.  One guy here has his password as "Providerxsucks1!"

  # 467933 11-May-2011 14:18

CapBBeard:
A while back I started using lastpass (password management system), so went around all the websites I have accounts for bar the really major ones (like banking etc) with the intent of changing them all to random character strings as I no longer needed to remember them. I generally went for a length of around 16 characters (sometimes more, sometimes less), but wow, I'm still somewhat amazed by the number of sites that wouldn't allow me to do this as it was 'too long'!


+1
Use lastpass too.
Although they have just had a slight security scare.
http://blog.lastpass.com/
But to be honest, my master password is strong enough, so I'm not overly worried about it.
I still feel safer than using the same password for every online account.


  # 467936 11-May-2011 14:32

nate: The ones that irk me are sites that ask for at least one uppercase, one lowercase, one punctuation mark, at least x length, plus it can't have been used before.

You end up with a god awful password you can't remember.  One guy here has his password as "Providerxsucks1!"


That is to stop qwerty or 123456 or password or any number of other dumb passwords that an amazing number of people otherwise use.







  # 467937 11-May-2011 14:37

dontpanic42:
CapBBeard:
A while back I started using lastpass (password management system), so went around all the websites I have accounts for bar the really major ones (like banking etc) with the intent of changing them all to random character strings as I no longer needed to remember them. I generally went for a length of around 16 characters (sometimes more, sometimes less), but wow, I'm still somewhat amazed by the number of sites that wouldn't allow me to do this as it was 'too long'!


+1
Use lastpass too.
Although they have just had a slight security scare.
http://blog.lastpass.com/
But to be honest, my master password is strong enough, so I'm not overly worried about it.
I still feel safer than using the same password for every online account.


Yeah to be honest I feel quite safe, there's always going to be risks storing passwords but in this case I think they are rather low. As you say, compared to using the same or similar or similarly derived etc passwords across a number of sites, I'll take lastpass any day. Sounds as though they were being overly cautious more than anything, which I've no problem with.

  # 467949 11-May-2011 15:16

reven:
muppet:
reven: 8 is usually for an encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.


Are you talking about hashing? If so length doesn't matter.  Storing hashes is the right way to store passwords as it's a one way operation. You can't restore a password from a hash, but you can brute force it or check against rainbow tables.


nah not hashing, encrypting.  eg RC4 


No, you're getting those confused. An MD5 hash takes an arbitrary length and converts it to a 128-bit "unique" hash of the input. That is, the output is always 128 bits.

RC4 is a symmetric crypto algorithm. It generates a pseudo-random number stream (it's called a stream cipher for a reason) that you take and then XOR each bit of your plaintext against.

Things like AES work similarly. If you have 8 bytes of plaintext, you get 8 bytes of ciphertext.
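To put numbers on the hashing-versus-encryption point and the 7-8 character key space argued over in this thread, here is an added Python example (not code from any poster or from the banks named): a salted PBKDF2 hash occupies the same 48 bytes in the database whether the password is 7 or 35 characters long, and the key-space sizes show what a 7-8 character or case-insensitive limit costs. The alphabet sizes are assumptions: 95 printable ASCII characters for a full keyboard, 36 for case-folded letters plus digits.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value, tune to your hardware


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256. The digest is 32 bytes regardless of input length."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute and compare in constant time; nothing is ever decrypted."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def stored_bytes(password: str) -> int:
    """Column width needed for salt + digest: constant, so no storage reason to cap length."""
    salt, digest = hash_password(password)
    return len(salt) + len(digest)


def keyspace_bits(alphabet: int, min_len: int, max_len: int) -> float:
    """log2 of the number of candidates an exhaustive search must try."""
    return math.log2(sum(alphabet ** n for n in range(min_len, max_len + 1)))


if __name__ == "__main__":
    # Constructed sample passwords: 7 chars, 16 chars, and one with spaces and '&'.
    for pw in ("Abc1234", "Providerxsucks1!", "correct horse battery staple & more"):
        salt, digest = hash_password(pw)
        print(len(pw), "chars ->", stored_bytes(pw), "bytes stored,",
              "verifies:", verify_password(pw, salt, digest))
    print("7-8 chars, 95 symbols:        %.1f bits" % keyspace_bits(95, 7, 8))
    print("8 chars, case-folded + digits: %.1f bits" % keyspace_bits(36, 8, 8))
    print("16 chars, 95 symbols:          %.1f bits" % keyspace_bits(95, 16, 16))
```

The case-insensitive 8-character policy mentioned earlier in the thread lands around 41 bits, against roughly 105 bits for a 16-character password manager string.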
 
