Geekzone: technology news, blogs, forums


1080p

1332 posts

Uber Geek
+1 received by user: 152
Inactive user


#83137 11-May-2011 11:00

Here is a little rant I am sure many here understand.

Why is it that websites restrict the password field as much as they do?

Latest experience has been with the TelstraClear Customer Zone portal. "The password must be between 7 and 8 characters and contain no spaces." The no-spaces requirement I can understand. Most websites can't seem to manage passwords containing spaces, which shouldn't actually be a problem, but that is another rant.

But, 7 and 8 characters... Why, for the love of all that is sane, would that restriction be necessary? I am by no means a database expert, but I am sure that storing passwords that are a little longer than that would be feasible, wouldn't it?

I feel the same way about most banks, Kiwibank & WestPac are the exceptions that I know of. Surely encouraging security by allowing any characters and lengthy passwords should be normal practice.

codyc1515
1598 posts

Uber Geek
Inactive user


  #467861 11-May-2011 11:02

I would say passwords greater than 7 characters would be fine, but 7-8, that's just ridiculous.



RedJungle
Phil Gale
1108 posts

Uber Geek
+1 received by user: 46

Trusted
Red Jungle
Subscriber

  #467863 11-May-2011 11:03

Often it's caused by interfacing with older legacy systems which don't handle passwords well. Sometimes it's just plain obtuse security policies.

My pet peeve with this is with BNZ, they force us to use their netguard card system (which I hate) in the name of security. While at the same time having a max length on internet banking passwords of 8 characters.

I would have a more secure password if they would let me.

jbard
1377 posts

Uber Geek
+1 received by user: 17


  #467864 11-May-2011 11:04

Limiting the password to 7-8 characters is probably one of the worst security ideas ever. Firstly, if people don't tend to use a password that long/short, then it means it will be written down on a sticky note next to the computer in plain view.

Secondly, that makes a brute force or timing attack far quicker, reducing the time taken to crack a semi-hard password from years to hours or less.

Who knows what they were thinking.



Behodar
11099 posts

Uber Geek
+1 received by user: 6082

Trusted
Lifetime subscriber

  #467868 11-May-2011 11:17

The other problem is poor validation; when signing up for an account with one site I used a password containing an "&". It accepted this when creating the account but wouldn't let me log in with it. It turns out that it truncated the password to contain everything preceding the "&" and nothing after it. Side note: As I was able to get the password emailed to me, they must not be stored using non-reversible encryption!
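The truncation described in the post above is what happens when a form body is built by string concatenation instead of being percent-encoded: "&" is the field separator in application/x-www-form-urlencoded, so a standard parser on the server splits the password at the first "&". The following is an added example (not code from the original post or from the site in question); the username and password values are constructed for the demonstration.

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample credentials for the demonstration (not from the original post).
USERNAME = "behodar"
PASSWORD = "Pa55&word!"


def build_body_naively(username: str, password: str) -> str:
    """Build a form body by string concatenation.

    This is the bug: '&' and '=' inside a value are not percent-encoded, so the
    server cannot tell them apart from the field separators.
    """
    return "user=" + username + "&pass=" + password


def build_body_correctly(username: str, password: str) -> str:
    """Build the body with urlencode, which percent-encodes reserved characters."""
    return urlencode({"user": username, "pass": password})


def server_parse(body: str) -> dict:
    """What a typical server-side form parser sees: one value per field name."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def demo():
    """Return the parsed fields for the buggy and the correct client."""
    naive = server_parse(build_body_naively(USERNAME, PASSWORD))
    correct = server_parse(build_body_correctly(USERNAME, PASSWORD))
    return naive, correct


if __name__ == "__main__":
    naive, correct = demo()
    print("naive client, server stores password:", repr(naive["pass"]))
    print("stray field created by the '&':", [k for k in naive if k not in ("user", "pass")])
    print("correct client, server stores password:", repr(correct["pass"]))
```

With the naive body the server stores "Pa55" and a stray field named "word!"; with the encoded body it stores the full "Pa55&word!". A site that accepts the account but then rejects the login has this mismatch on one side only. The same class of bug bites any reserved character ("=", "+", "%", "#") and is the real reason many sites "can't handle" spaces.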

muppet
2643 posts

Uber Geek
+1 received by user: 1660

Trusted

  #467872 11-May-2011 11:27

I can't believe that 8 characters is enforced on me for my ASB online banking.

It's just stupid.






reven
3748 posts

Uber Geek
+1 received by user: 874

Trusted

  #467876 11-May-2011 11:35

8 is usually for an encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.

But making it 7 or 8 means the brute force attacks only have to check all the 7 to 8 character combinations.

Greater than 6 with a numeric and a non-alphanumeric character is usually a pretty good minimum.

muppet
2643 posts

Uber Geek
+1 received by user: 1660

Trusted

  #467878 11-May-2011 11:39

reven: 8 is usually for a encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.


Are you talking about hashing? If so length doesn't matter.  Storing hashes is the right way to store passwords as it's a one way operation. You can't restore a password from a hash, but you can brute force it or check against rainbow tables.

reven: but making it 7 or 8 means the brute force attacks only have to check all the 7 to 8 character combinations.   greater than 6 with at numeric and none alphanumeric number is usually a pretty good minimum


And this is the problem I have.  For a serious banking site, having the bare minimum and not allowing any more than that seems exceedingly stupid.  It wouldn't surprise me at all to find out ASB are actually storing passwords in the clear (or using some sort of two way encryption) and that's what the limitation is.

Tim


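The point made above, that with hashing the length of the password does not matter for storage, can be shown directly: a salted, slow hash produces a fixed-size record for a 7-character password and for a 64-character passphrase alike, and nothing in the record lets the site send the password back. This is an added example, not code from any of the posters or from the banks discussed; the record format (algorithm$iterations$salt$digest), the iteration count and the sample passwords are choices made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example; the iteration count should be tuned to
# the deployment's hardware (higher is slower for the attacker and for you).
ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The output size depends only on the digest and salt sizes, never on the
    password, so the database column needs no password length cap.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_%s$%d$%s$%s" % (DIGEST, ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    digest_name = algo.split("_", 1)[1]
    candidate = hashlib.pbkdf2_hmac(
        digest_name, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_lengths(passwords) -> list:
    """Stored record length for each password; all entries are equal."""
    return [len(hash_password(p)) for p in passwords]


if __name__ == "__main__":
    # Constructed sample passwords: a bank-style 7-character one and a long
    # passphrase with spaces and an ampersand.
    samples = ["Sh0rt1!", "correct horse battery staple & a 3rd thing"]
    print("record lengths:", record_lengths(samples))
    rec = hash_password(samples[1])
    print("stored:", rec)
    print("verify ok:", verify_password(samples[1], rec))
    print("verify wrong:", verify_password(samples[1] + "x", rec))
```

Two things follow from running it: the two records are the same length despite a six-fold difference in password length, and hashing the same password twice yields different records because each gets its own salt, which is what defeats the rainbow tables mentioned above. A site that can email you your password cannot be doing this.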

reven
3748 posts

Uber Geek
+1 received by user: 874

Trusted

  #467881 11-May-2011 11:46

muppet:
reven: 8 is usually for a encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.


Are you talking about hashing? If so length doesn't matter.  Storing hashes is the right way to store passwords as it's a one way operation. You can't restore a password from a hash, but you can brute force it or check against rainbow tables.


Nah, not hashing, encrypting. E.g. RC4.

nzkc
1634 posts

Uber Geek
+1 received by user: 1041


  #467882 11-May-2011 11:46

muppet: I can't believe that 8 characters is enforced on me for my ASB online banking.

It's just stupid.


What's even more stupid is that it's not case sensitive. That irks me the most!

CapBBeard
211 posts

Master Geek
+1 received by user: 14


  #467896 11-May-2011 12:21

I have to agree, maximum password length, at least maximums that aren't particularly large/sane (like, 8!) really aggravate me.

I can certainly make an exception for older legacy systems, but it seems even reasonably modern/sensitive websites still have this limitation. Sure, there may be a legacy system in behind that, but with the risks posed online these days I don't feel all that comfortable about it at times. To me, having a max password length indicates that they most likely are not hashing.

A while back I started using lastpass (password management system), so went around all the websites I have accounts for bar the really major ones (like banking etc) with the intent of changing them all to random character strings as I no longer needed to remember them. I generally went for a length of around 16 characters (sometimes more, sometimes less), but wow, I'm still somewhat amazed by the number of sites that wouldn't allow me to do this as it was 'too long'!

nate
6473 posts

Uber Geek
+1 received by user: 458

Retired Mod
Trusted
Lifetime subscriber

  #467917 11-May-2011 13:17

The ones that irk me are sites that ask for at least one uppercase, one lowercase, one punctuation mark, at least x length, plus it can't have been used before.

You end up with a god awful password you can't remember.  One guy here has his password as "Providerxsucks1!"

dontpanic42
1574 posts

Uber Geek
+1 received by user: 11


  #467933 11-May-2011 14:18

CapBBeard:
A while back I started using lastpass (password management system), so went around all the websites I have accounts for bar the really major ones (like banking etc) with the intent of changing them all to random character strings as I no longer needed to remember them. I generally went for a length of around 16 characters (sometimes more, sometimes less), but wow, I'm still somewhat amazed by the number of sites that wouldn't allow me to do this as it was 'too long'!


+1
Use lastpass too.
Although they have just had a slight security scare.
http://blog.lastpass.com/
But to be honest, my master password is strong enough, so I'm not overly worried about it.
I still feel safer than using the same password for every online account.

Nety
2584 posts

Uber Geek
+1 received by user: 5

Retired Mod
Trusted
Lifetime subscriber

  #467936 11-May-2011 14:32

nate: The ones that irk me are sites that ask for at least one uppercase, one lowercase, one punctuation mark, at least x length, plus it can't have been used before.

You end up with a god awful password you can't remember.  One guy here has his password as "Providerxsucks1!"


That is to stop qwerty or 123456 or password or any number of other dumb passwords that an amazing number of people otherwise use.




CapBBeard
211 posts

Master Geek
+1 received by user: 14


  #467937 11-May-2011 14:37

dontpanic42:
CapBBeard:
A while back I started using lastpass (password management system), so went around all the websites I have accounts for bar the really major ones (like banking etc) with the intent of changing them all to random character strings as I no longer needed to remember them. I generally went for a length of around 16 characters (sometimes more, sometimes less), but wow, I'm still somewhat amazed by the number of sites that wouldn't allow me to do this as it was 'too long'!


+1
Use lastpass too.
Although they have just had a slight security scare.
http://blog.lastpass.com/
But to be honest, my master password is strong enough, so I'm not overly worried about it.
I still feel safer than using the same password for every online account.


Yeah to be honest I feel quite safe, there's always going to be risks storing passwords but in this case I think they are rather low. As you say, compared to using the same or similar or similarly derived etc passwords across a number of sites, I'll take lastpass any day. Sounds as though they were being overly cautious more than anything, which I've no problem with.

kyhwana2
2572 posts

Uber Geek
+1 received by user: 233


  #467949 11-May-2011 15:16

reven:
muppet:
reven: 8 is usually for a encryption method, where encrypting the 8 characters becomes 50 or so and storing that in the db.


Are you talking about hashing? If so length doesn't matter.  Storing hashes is the right way to store passwords as it's a one way operation. You can't restore a password from a hash, but you can brute force it or check against rainbow tables.


nah not hashing, encrypting.  eg RC4 


No, you're getting those confused. An MD5 hash takes an arbitrary length and converts it to a 128-bit "unique" hash of the input. That is, the output is always 128 bits.

RC4 is a symmetric crypto algorithm. It generates a pseudo-random number stream (it's called a stream cipher for a reason) that you take and then XOR each bit of your plaintext against.

Things like AES work similarly. If you have 8 bytes of plaintext, you get 8 bytes of ciphertext.