Friday 28 August 2009

Stop imposing maximum password lengths!

I recently got a letter from Medicare Australia asking me to sign up to their online services, so I can make claims online or something (I'm young and healthy and generally deal with Medicare less than once a year but figured I'd go along with it anyway, whatever...). After signing up and having them mail me (not e-mail, real actual mail... more secure perhaps?) a password to log in, I got to the stage of logging in for the first time, setting up my account with security questions and a new password...

At which point I discovered
Your new password will be case sensitive and must contain:
  • eight characters in total
  • at least one (1) letter and one (1) number.
The password policy can also be seen here for those without a Medicare account, if you scroll down to 'Passwords'.

At first I thought nothing of it, the usual password restrictions, security conscious etc, but then found that eight characters in total was not just a minimum, it was a maximum as well! Ridiculous. What possible reason could they have to limit my maximum password length?

Perhaps management have insisted that all fields on the website have a fixed length so that the cursor can be automatically advanced between fields when the user has typed in their details. While this can be a nice feature for the very computer illiterate, it's forcing a reduction in password security (and is often implemented poorly so that it becomes quite difficult to correct mistakes in the last character of input fields).

Perhaps they store passwords in clear-text in an 8-byte database field... sigh... surely not... I hope not.

Perhaps they think users will forget long passwords, but let's face it, most users either have their web browser remember all their passwords, or have their own standard memorable password (be it secure or not) that is quite possibly not 8 characters long... if it's about not forgetting passwords, don't force them to make a new 8 character version for your site!

Eight characters seems to be considered a minimum for a secure passwords, definitely not a maximum... About 10 years ago I remember a lot of websites had these kinds of password length limits, typically forcing users to have a password between 6 and 8 characters, but there's just no excuse for it these days.

Stop forcing us to have insecure 8-character passwords!

EDIT: As commenter Charles has pointed out, some websites crop your password to the first 8 characters, which is even worse than Medicare's practice!

It's a reasonably common practice to add a few words, numbers, symbols, acronyms, etc together to make up a memorable password (for those who don't have randomly generated ones). For example, "elephant#43spiced" might be reasonably secure in that it's two separate dictionary words, a number and a symbol in some arbitrary order. It might also be very memorable if your favourite animal is the elephant, and your favourite menu item at the local Thai joint is Spiced Chicken Soup and appears 43rd on the menu...

Alas, if your bank only uses/checks the first 8 characters, your password is now a simple dictionary word: "elephant". Bugger. Despite all your efforts to include numbers and symbols and make it more complicated, its really not that secure at all.

The worst part is, you probably don't even know that your password is insecure. If they'd told you that your password should be 8 characters only, then at least you could have made it "spiced#43elephant" for a much more secure cropped password of "spiced#4".

So check your passwords — try logging into your important accounts (e-mail, banking, share trading, anything that has your credit card details saved like eBay and Amazon...) with just the first 8 characters... Perhaps you need to change passwords to make the first 8 characters secure, and perhaps you have a spare 5 minutes to e-mail the webmaster of the site to ask them to fix up this gaping security hole!

4 comments:

Charles said...

NAB bank does this too, but they don't tell you about it. Imagine the WTF I felt when I logged in a few weeks later with just the first 8 letters of my password!

Anonymous said...

Wow, yet another reason to hate NAB (I had some bad experiences with them earlier this year :p). But that's just ridiculous... I wonder how many other sites out there are only using the first 8 chars, possibly reducing people's passwords to a simple dictionary word...

I imagine there are plenty of people who use a simple word and stick a number or two on the end to be "secure"...

Franklin Davis said...

One web site I ran across truncated your password when it was stored in the database if it was over a certain length. However, if you tried to log in later with the full-length password, it would compare the full-length password to the truncated version and report the password as incorrect. I figured out what it was doing through trial and error.

I would guess, based on this behavior, that the password was probably stored as plain text.

Abel Braaksma said...

I totally agree with the full post and password lengths should be arbitrary. A 255 length limit (Linux) or a 127 length limit (older Windows)I can live with.

Much to my surprise, I found out that IBM AIX has a fixed password length of 8 characters!. Perhaps that's the reason some systems truncate your passwords.

But unless some online service provider wants to give you access to their operating system, they can simply use a field in the database of any length, or better yet, hash the value in which case no length restrictions apply. Period.