Password : You’re doing it wrong

I’d like to think that I deal with passwords the way most developers do. When dealing with registration or something else that requires the user to provide a password, I follow some general guidelines:

  1. The password must be a minimum length, normally no less than 6 characters

  2. The password’s maximum length is very high (200 characters)

  3. I’ll typically check for at least a mix of letters and numbers. For applications with considerably more sensitive data, I’ll have more requirements – such as mixed casing or special characters.

  4. Hash the password with a salt (the salt can be a fixed string, or something more unique to the user – again based on sensitivity). Salting means that if someone gets access to a dump of your Users table, they’ll still have a hard time logging into the system with a dictionary attack.

  5. Since hashes can’t easily be reversed, send users a new temporary password when they forget theirs and have them change it as soon as they log in.
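The five guidelines above as working code. This is an added example, not code from the original post: the policy check keeps the minimum and maximum lengths stated in the post and deliberately has no character whitelist, and the hashing step uses a per-user random salt (the variation comment #13 argues for) with PBKDF2-HMAC from the standard library in place of a single SHA1 round (the slow-hash point comment #7 makes). `MIN_LENGTH`, `MAX_LENGTH`, the round count and the `$`-separated storage format are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

MIN_LENGTH = 6           # guideline 1: no less than 6 characters
MAX_LENGTH = 200         # guideline 2: a very high ceiling
PBKDF2_ROUNDS = 200_000  # assumption: a deliberately slow KDF instead of plain SHA1


def check_policy(password: str, require_mixed_case: bool = False) -> List[str]:
    """Guidelines 1-3: return the list of violations; an empty list means accepted.

    There is intentionally no whitelist of characters: punctuation, spaces and
    non-ASCII are all allowed, which is the point the post is making.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs at least one letter and one digit")
    # Extra requirement for "considerably more sensitive data" (guideline 3).
    if require_mixed_case and not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs both upper and lower case letters")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Guideline 4 with a fresh random salt per user, stored next to the hash."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    # Storage format (assumption): algorithm$rounds$salt$digest, all hex.
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; constant-time compare of the digests."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed sample: every character of a long password counts, none is truncated.
    candidate = "correct horse battery staple 42!"
    print("policy problems:", check_policy(candidate))
    record = hash_password(candidate)
    print("stored:", record)
    print("verify good:", verify_password(candidate, record))
    print("verify bad: ", verify_password(candidate[:8], record))
```

Because the whole password feeds the KDF, two passwords that agree on their first eight characters still produce different hashes, which is exactly the behaviour the truncating application in comment #35 lacks.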

All this is pretty vanilla, and you can swap the SHA1 hash implementation for some encryption or whatever else tickles your fancy. What I’ve noticed, though, isn’t that developers are hitting some type of technical hurdle when dealing with passwords, but rather a usability one. The point behind bullets 1, 2 and 3 is that users ought to be able to enter anything they want as a password, provided it meets a minimum set of guidelines. As developers, we should try very hard never to impose restrictions which limit the effectiveness of a password. Lately, though, I’ve been astonished at some of the limits sites impose on passwords – forcing me to come up with a less secure password than I would have liked.

Here are some popular sites which have such restrictions:

  • digg only accepts letters and numbers

  • SourceForge only accepts letters and numbers (when you change your password, SourceForge even goes through the trouble of showing you a little dynamic update as you type: weak > normal > strong, and then “invalid character” when you enter an exclamation mark)

  • Passport limits passwords to 16 characters (isn’t Microsoft a champion of passphrases?)

  • MySpace only accepts passwords up to 10 characters long, but at least requires 1 number or punctuation character

  • Wikipedia let me register with a password of ‘a’, but at least has very informative help on choosing a strong password. (Additionally, given what an anonymous user can do on Wikipedia, I’m not too disappointed in this policy)

And for sites with better policies:

  • Ebay, PayPal and Google have useful help and accept special characters (PayPal and Google even require at least 8 characters),

  • Twitter and Facebook don’t have any “choosing a strong password” help, but still seem to accept everything

The most shameful site I’ve ever come across, though, is completely unacceptable – not only because of the ridiculous limitations it puts on passwords, but also because of the type of data it’s responsible for. The Bank of Montreal’s Mosaik Credit Card (BMO is a major Canadian bank) has a password limit of 8 characters and only accepts letters and numbers (there’s actually a maxlength="8" attribute on the form).

Here’s a simple rule to follow. If Windows Calculator displays the total number of possible combinations in non-exponential form, your password guidelines suck.
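The rule above made concrete: a small keyspace calculator, added here as an example and not part of the original post. It models a site's policy as the character classes it accepts, the longest password its form takes, whether it compares case-insensitively (the Oracle point in comment #27) and whether the back end silently keeps only a prefix (the truncation in comment #35), and reports the number of possible passwords as decimal digits and bits. The character-class sizes are printable ASCII; the policies listed are those described in the post, with an assumed full printable alphabet where the post does not say which characters a site accepts, and the Oracle-style row is a hypothetical 8-character policy used only to show the cost of case-insensitivity.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Printable ASCII character classes (32 punctuation symbols; space excluded).
LOWER, UPPER, DIGITS, PUNCT = 26, 26, 10, 32


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    max_length: int                      # longest password the form accepts
    letters: bool = True
    digits: bool = True
    punctuation: bool = True
    case_insensitive: bool = False       # upper and lower case treated as equal
    stored_length: Optional[int] = None  # characters kept when the back end truncates


def alphabet_size(p: PasswordPolicy) -> int:
    """Distinct symbols per position after the policy's restrictions are applied."""
    size = 0
    if p.letters:
        size += LOWER if p.case_insensitive else LOWER + UPPER
    if p.digits:
        size += DIGITS
    if p.punctuation:
        size += PUNCT
    return size


def effective_length(p: PasswordPolicy) -> int:
    """Characters that actually count: the form's limit, or fewer if the tail is dropped."""
    if p.stored_length is None:
        return p.max_length
    return min(p.max_length, p.stored_length)


def keyspace(p: PasswordPolicy) -> int:
    """Passwords of the longest effective length, i.e. the best a user can pick under this policy."""
    return alphabet_size(p) ** effective_length(p)


def entropy_bits(p: PasswordPolicy) -> float:
    return math.log2(keyspace(p))


def rank(policies: List[PasswordPolicy]) -> List[Tuple[str, int, float]]:
    """(name, decimal digits of the keyspace, bits), weakest policy first."""
    rows = [(p.name, len(str(keyspace(p))), round(entropy_bits(p), 1)) for p in policies]
    return sorted(rows, key=lambda row: row[2])


# Policies as described in the post (alphabet assumed to be full printable ASCII where unstated).
POLICIES = [
    PasswordPolicy("BMO Mosaik: 8 chars, letters and digits only", max_length=8, punctuation=False),
    PasswordPolicy("MySpace: 10 chars", max_length=10),
    PasswordPolicy("Passport: 16 chars", max_length=16),
    PasswordPolicy("Comment #35 app: any length, first 8 kept", max_length=200, stored_length=8),
    PasswordPolicy("Hypothetical: 8 chars, case-insensitive", max_length=8,
                   punctuation=False, case_insensitive=True),
]

if __name__ == "__main__":
    for name, digits, bits in rank(POLICIES):
        print(f"{bits:6.1f} bits  {digits:3d} digits  {name}")
```

Two things the numbers make visible: a maximum length caps the keyspace no matter how well users choose, and a truncating back end turns a generous form limit into the same ceiling while telling nobody.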


35 Responses to Password : You’re doing it wrong

  1. Laere says:

    I know it’s a little late, but banks are champions of absurd limitations.

    In France, the LCL Bank has a rather strange policy on passwords:

    they must be exactly 8 characters long, only numbers, but passwords which are valid dates are forbidden, as are passwords which contain the same number twice.

    yes, 12345678 is a valid password
    but 15331456 is not.

    I never found such an awful password policy.

  2. sisakat says:

    I just signed up for my bank’s online thing, and I have to use a pin that is a four to ten digit number. Now that I’ve read this I’m bothered that the place I expect to store my money safely is doing such a shoddy job of it. I think I’ll bug them about it.

  3. Colin Jack says:

    I’ve noticed exactly the same, Digg was one that stuck in my mind as having ridiculous rules.

  4. I use a tool to remember passwords and it generates strong passwords. They’re about 20 characters long or so.

    It’s great to see that passwords I registered with don’t work simply because the website doesn’t store all 20 characters. I should be able to cut the password with 1 character until I find the stored password, but mostly I let it send me a new one.

    By the way, I stopped reading the blogs here for various reasons. One of them is the extremely wild usage of advertisements. And it’s even getting worse! Please stop! Or come blog at BloggingAbout.NET! 😀

  5. Dave says:

    Amen! You’re spot-on. I ranted about this a while ago, too:

  6. mallio says:

    What’s worse is the investment brokerage sites – Schwab & Ameritrade both have limits of 8 chars and only support a-z0-9. I’m sure they have issues integrating with legacy systems, but for companies that deal with your finances, they’ve got to make it a priority to address these potential vulnerabilities.

  7. Jens says:

    There are better algorithms than sha1 or md5 for password hashing.

    Better in two ways:
    1. they are made for password hashing and therefore are more secure in that context. Basically they are really slow, so any kind of brute force will be much harder than with the algorithms mentioned above, which are made for speed.

    2. they are easier to use. JBcrypt for example is one class, one line for hashing, one line for checking the password and that includes salting

    I wrote a German article with a little more detail:

    There is a really good one in English:

    And JBCrypt is here

  8. Peter says:

    Even worse is GMail. The characters you can use differ between the various interfaces (POP vs. webmail).

  9. Andre says:

    You should rethink eBay, because it’s case insensitive; at least here in Germany I can log in with both the upper and lower case version of my password.

  10. robf says:

    AIM also does not allow usage of punctuation. This causes me problems, as I use a method of level-based password schemes. Common passwords are shared amongst several similar applications, e.g. my instant messaging accounts have a similar password; they tend to be numeric/punctuation/alpha mixes that are easy to remember since they resemble a word, although not explicitly. Financial passwords tend to be much stronger than my already complex passwords and based completely on random patterns. Extremely secure passwords (such as my passphrases for encryption schemes) are to exceed 15 characters and, while closer to the common passwords in that they are related to English language mannerisms, they may be a phrase of unrelated “words” made of mixed characters, such as “d0gle4$sh9r3\)g0[]s3w!n3gr4pE$” or dog leash grey goose wine grapes… nonsense yet secure… I rarely use these except where security is an extreme concern (ssh keys for very important systems etc.)

  11. Vedetta says:

    Use OpenID.

  12. I’m not so convinced of the usefulness of passwords that can reach 200 characters in length.

    From a usability point of view surely the longer the password, the more likely the user is to simply forget it completely or forget the exact sequence of characters. I’d imagine that is the principal thinking behind something like Passport’s password policy.

  13. Mr Peanut says:

    When hashing, use a random salt for every password and store the salt in the same manner as the hash. There’s no benefit in deriving the salt from other user data, and depending on a secret salt, the same for everyone, is just stupid.

  14. Anton says:

    At one point Comerica Bank used a short CustomerID and a 4 digit numeric pin.

    They now ask one of 3 security questions in addition to the poor id and pass.

  15. Robert says:

    I’d say 6-25 min/max character limit, anything the user chooses (no obligations), md5 the sucker (real easy dev wise, and you can’t reverse it, so no DB peeking), and if someone types it in wrong x times, lock em out a few minutes or whatever.

    ….why complicate things when you can KISS it ?

  16. karl says:

    @Tim: good points about the ATM, but I still wish I had the _choice_ to provide more than 4 digits.

    You don’t care what digg’s password policy is – fair enough. But don’t you think it’s a little silly that you can’t use a period in your password if you want to (either as a programmer or as a user)?

  17. tim says:

    Comparing an ATM card with a 4-digit PIN to a password on digg is not a valid comparison. An ATM card is a very basic form of two factor authentication – you -need- the card to access your information plus know the PIN. It has been surprisingly effective to date.

    Furthermore – banking sites employ a wide measure of tools to protect your data. The password is just one component. Personally I don’t bank with a financial organization that doesn’t provide an option of two factor authentication (such as a securid FOB).

    I also don’t care what digg’s password policy is – they don’t have my data.

  18. Matt says:

    Hmm. My MySpace password is 13 characters.

  19. Frank says:

    The thing to remember about bank passwords, PINs, etc. is that they have very stringent policies of cutting off access after a small number of unsuccessful authorization attempts.

    Even a 4-digit PIN can be effective if four wrong guesses locks the ATM card in the machine.

  20. Andrew L says:

    David: “My newest Bank Of America ATM card wouldn’t let me choose a PIN of more than 4 numbers. Wow!”

    Really? Bizarre, I have a Bank of America ATM card and my pin is 10 characters long.

  21. chzplz says:

    Yeah, sucks too. Password max is 8 characters.

  22. karl says:

    If you go to and hit Continue without typing anything in, you get this error message under the password field:
    “Crikey! Passwords must be at least 6 characters and can only contain letters and numbers.” Now, this might just be their error message, but I can tell you for sure that at some point this was a real limitation, as I remember having this problem on digg.

    @Ulrich and The Other Steve:
    I don’t disagree, but the point of my post is that you shouldn’t LIMIT the possibility of entering a complex password. If I want to enter a 50 character password with digits and punctuation, why stop me? Again, the point isn’t what the minimum ought to be, but rather what the maximum shouldn’t be.

  23. The Other Steve says:

    “My newest Bank Of America ATM card wouldn’t let me choose a PIN of more than 4 numbers. Wow!

    Because if it was more than 4 people would have to write it down in their wallet and then there would be no security.

  24. I think the major fault with passwords is that sites are forcing users to use “more than x characters” and “at least one special char”, etc. This leads people to fill up passwords with numbers like pw12345678, or to just double their usual pw.

    But the really bad thing about it is that users will write the passwords down. I remember a lot of numbered combinations for all my bank accounts, for example, but I can’t remember all the different passwords for my online logins.

    When I look at my Pinboard that’s exactly what’s on there. One hard password that I don’t wanna forget. You can tell me now that it’s all my fault, but honestly, who cares that much if his digg account is hacked? Same goes for Sourceforge or Myspace.

    It depends on how important a site is, of course. My bank account is something different and always has to be perfectly secured. But imo social hacking is much more of a problem than bruteforcing of 8-digit passwords.

  25. The Other Steve says:

    Frankly, I think the worst thing you can do is require a password so complex that people have to write it down to remember it.

    What exactly are you protecting?

    Presumably you’ve hashed your database, so nobody internally can get the password. You’re going to make it harder for people to reverse engineer by not letting people have a copy of the database, right? If someone enters a bad password numerous times you’re going to lock them out, right?

    So how exactly is someone going to hack my account?

    Seems most likely it’s going to be someone who knows me and looks at that post-it note next to my computer.

    So why the requirement for a complicated password nobody can remember?

  26. Ryan says:

    And by “two ones” I meant “two different ones.” :)

  27. Axel says:

    The worst password policy in the world was invented by Oracle. Oracle passwords are case insensitive. Way to remove one bit of entropy per character there, dudes!

  28. Ryan says:

    I agree if you for the most part, but to be fair to Digg they definitely allow punctuation. I have two ones in my password right now.

  29. David says:

    My newest Bank Of America ATM card wouldn’t let me choose a PIN of more than 4 numbers. Wow!

  30. darryl says:

    I think it is actually worse than that: the number/letter limit is so you can type the password in for phone banking. So your character set is only 10, rather than 36. Or maybe it has changed since the last time I read their rules.

  31. Ronald S WOan says:

    Some historical perspective: earlier versions of BSD UNIX let you type in as many characters as you want, but only the first 8 characters were considered… Took me years before I realized that.

    VM/CMS also had an internal 8 character limit.

  32. mwilson says:

    Washington Mutual was also an 8 character limit, last I checked.

  33. George Mauer says:

    I have recently been using KeePass for all my passwords and Capital One doesn’t accept special characters. CitiAssist (one of the biggest student loans providers) doesn’t accept special characters AND limits passwords to something absurdly small (8 characters maybe?)

  34. There’s a possible denial of service, or at least source of confusion, if you reset the password and email a new one when a user clicks a “forgot my password” link. If I know your email address or username token I can reset your password and deny you access without knowing your password.

    I think a better system is to not change the password immediately, but to send an email to the user with a link that lets them change their password. The link must have a one-time token that can’t be forged. If the user remembers their password or they didn’t initiate the “forgot my password” process their old password still works.
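The reset flow proposed in this comment, written out as an added example (not the commenter's or the post's code): clicking “forgot my password” leaves the current password untouched and only records a random one-time token, and the password changes only when that token comes back within its lifetime. The in-memory `users` and `reset_tokens` dictionaries stand in for database tables, `RESET_TTL_SECONDS` is an assumed link lifetime, the time is passed in explicitly so the behaviour is reproducible, and the `password_hash` values are opaque placeholders for whatever the site's real hashing produces.

```python
import hashlib
import secrets
from typing import Dict, Optional

RESET_TTL_SECONDS = 30 * 60  # assumption: a reset link is valid for 30 minutes

# Constructed in-memory stores standing in for the Users and ResetTokens tables.
users: Dict[str, dict] = {"alice": {"password_hash": "opaque-hash-of-current-password"}}
reset_tokens: Dict[str, dict] = {}  # sha256(token) -> {"user": ..., "expires": ...}


def request_reset(username: str, now: float) -> Optional[str]:
    """Handle the 'forgot my password' click.

    The current password is NOT changed, so a stranger who knows only the
    username cannot lock the real user out. Returns the raw token to embed in
    the e-mailed link, or None for an unknown user (the caller should answer
    identically either way so usernames are not confirmed).
    """
    if username not in users:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable or forgeable
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()  # store only the hash of the token
    reset_tokens[key] = {"user": username, "expires": now + RESET_TTL_SECONDS}
    return token


def complete_reset(token: str, new_password_hash: str, now: float) -> bool:
    """Handle the link from the e-mail. Succeeds at most once per token and only before expiry."""
    key = hashlib.sha256(token.encode("utf-8")).hexdigest()
    entry = reset_tokens.pop(key, None)  # pop removes it: the token is single-use
    if entry is None or now > entry["expires"]:
        return False
    users[entry["user"]]["password_hash"] = new_password_hash
    return True


if __name__ == "__main__":
    t0 = 1_000_000.0
    link_token = request_reset("alice", t0)
    print("password untouched after request:", users["alice"]["password_hash"])
    print("forged token accepted:", complete_reset("not-a-real-token", "x", t0))
    print("real token accepted:  ", complete_reset(link_token, "hash-of-new-password", t0 + 60))
    print("replayed token accepted:", complete_reset(link_token, "hash-of-other", t0 + 61))
```

Storing only the hash of the token means a copy of the ResetTokens table does not let anyone complete a reset, and popping the entry on use is what makes the link one-time.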

  35. Stefan Moser says:

    I recently tested an integration into a major 3rd party financial application at work. When I was able to successfully login with the wrong password, I found out that they only counted the first 8 characters of your password. You could enter more than 8, but it would only use the first 8 and ignore the rest. When we contacted the company with our concern, they didn’t seem to think it was an issue. 8 characters is enough for a major financial application that handles millions of dollars a day, right?