Friday 28 August 2009

Stop imposing maximum password lengths!

I recently got a letter from Medicare Australia asking me to sign up to their online services, so I can make claims online or something (I'm young and healthy and generally deal with Medicare less than once a year but figured I'd go along with it anyway, whatever...). After signing up and having them mail me (not e-mail, real actual mail... more secure perhaps?) a password to log in, I got to the stage of logging in for the first time, setting up my account with security questions and a new password...

At which point I discovered:
Your new password will be case sensitive and must contain:
  • eight characters in total
  • at least one (1) letter and one (1) number.
The password policy can also be seen here for those without a Medicare account, if you scroll down to 'Passwords'.

At first I thought nothing of it, the usual password restrictions, security conscious etc, but then found that eight characters in total was not just a minimum, it was a maximum as well! Ridiculous. What possible reason could they have to limit my maximum password length?

Perhaps management have insisted that all fields on the website have a fixed length so that the cursor can be automatically advanced between fields when the user has typed in their details. While this can be a nice feature for the very computer illiterate, it's forcing a reduction in password security (and is often implemented poorly so that it becomes quite difficult to correct mistakes in the last character of input fields).

Perhaps they store passwords in clear-text in an 8-byte database field... sigh... surely not... I hope not.

Perhaps they think users will forget long passwords, but let's face it, most users either have their web browser remember all their passwords, or have their own standard memorable password (be it secure or not) that is quite possibly not 8 characters long... if it's about not forgetting passwords, don't force them to make a new 8 character version for your site!

Eight characters seems to be considered a minimum for a secure password, definitely not a maximum... About 10 years ago I remember a lot of websites had these kinds of password length limits, typically forcing users to have a password between 6 and 8 characters, but there's just no excuse for it these days.

Stop forcing us to have insecure 8-character passwords!

EDIT: As commenter Charles has pointed out, some websites crop your password to the first 8 characters, which is even worse than Medicare's practice!

It's a reasonably common practice to add a few words, numbers, symbols, acronyms, etc together to make up a memorable password (for those who don't have randomly generated ones). For example, "elephant#43spiced" might be reasonably secure in that it's two separate dictionary words, a number and a symbol in some arbitrary order. It might also be very memorable if your favourite animal is the elephant, and your favourite menu item at the local Thai joint is Spiced Chicken Soup and appears 43rd on the menu...

Alas, if your bank only uses/checks the first 8 characters, your password is now a simple dictionary word: "elephant". Bugger. Despite all your efforts to include numbers and symbols and make it more complicated, it's really not that secure at all.

The worst part is, you probably don't even know that your password is insecure. If they'd told you that your password should be 8 characters only, then at least you could have made it "spiced#43elephant" for a much more secure cropped password of "spiced#4".

So check your passwords — try logging into your important accounts (e-mail, banking, share trading, anything that has your credit card details saved like eBay and Amazon...) with just the first 8 characters... Perhaps you need to change passwords to make the first 8 characters secure, and perhaps you have a spare 5 minutes to e-mail the webmaster of the site to ask them to fix up this gaping security hole!
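As an added illustration (not part of the original post), the Python below models the cropping failure described above and gives you a way to audit what actually survives the cut. TruncatingStore is a constructed stand-in for a backend that crops to 8 characters before hashing (the flaw, not a recommendation), and audit_prefix reports which character classes remain in the kept prefix, so you can see that "elephant#43spiced" degrades to a lone dictionary word while "spiced#43elephant" keeps letters, a symbol and a digit.

```python
import hashlib
import hmac
import os
import string

CROP = 8  # the 8-character limit the post describes
# Alphabet size each character class contributes to a brute-force search space
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

def classes_present(s: str) -> set:
    """Return the character classes (lower/upper/digit/symbol) that appear in s."""
    found = set()
    for ch in s:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("symbol")
    return found

def audit_prefix(password: str, crop: int = CROP) -> dict:
    """Report what survives when a backend silently keeps only the first `crop` characters."""
    kept = password[:crop]
    classes = classes_present(kept)
    return {
        "kept": kept,
        "discarded": max(len(password) - crop, 0),
        "classes": classes,
        "alphabet_size": sum(CLASS_SIZES[c] for c in classes),
    }

class TruncatingStore:
    """Constructed model of a backend that crops before hashing (the bug being illustrated)."""
    def __init__(self, crop: int = CROP):
        self.crop = crop
        self.salt = os.urandom(16)
        self.digest = b""
    def _hash(self, s: str) -> bytes:  # PBKDF2 with a low iteration count to keep the demo quick
        return hashlib.pbkdf2_hmac("sha256", s.encode(), self.salt, 20_000)
    def set_password(self, password: str) -> None:
        self.digest = self._hash(password[:self.crop])  # everything past the cut is lost
    def verify(self, attempt: str) -> bool:
        return hmac.compare_digest(self.digest, self._hash(attempt[:self.crop]))
```

Running audit_prefix on your own password is the offline equivalent of the author's "log in with just the first 8 characters" check: if the kept prefix reports only one class, the extra characters you added are doing nothing on a cropping site.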