This morning I signed up with a major credit card company website. Much to my surprise I was greeted with this requirement while choosing a password:
Your Password should contain 6 to 8 characters . at least one letter and one number (not case sensitive), contain no spaces or special characters (e.g. &, >, *, $, @) and be different from your User ID.
Let's review these limitations:
- 6-8 characters - Requiring a minimum of 6 seems reasonable but still not very strong. Capping the length at 8 seems strange since this is still not very strong and why would you want to prevent someone from using a longer (and probably stronger) password? Unless your database field or legacy systems only support 8 characters ... Does that really mean they are going to store this password in clear text? Maybe they use some sort of arcane encryption or hashing (hopefully) algorithm that limits the digest size to 8 characters. Still seems unlikely.
- At least one letter and one number - This seems like a smart option to force different character sets and improve the password strength.
- (not case sensitive) - What?! This reduces the size of the alphabetical character set by half. This also throws into question whether they are really hashing this password - are there hash algorithms that ignore case? This requirement makes no sense and definitely feels like a requirement for a legacy system.
- No spaces - This is a shame since a non-written character like a space can be a great security mechanism especially when at the start or end of a password since it is invisible if the password is ever written down.
- No ... special characters - Why would you explicitly prevent the use of another character set that can greatly improve the strength of the password? Again this feels like a legacy requirement.
How strong is this password that they are forcing you to use? I took a look through LockDown's Numbers and you can easily see how the number of possible combinations for this password is limited by the lack of character sets and case sensitivity.
I am really glad that I used an auto-generated password for this account. :)
Are you hashing and salting passwords in your applications or do you also have bad password requirements?
Jonathan Cogley is the CEO and founder of Thycotic Software, a .NET consulting company and ISV in Washington DC. Our product, Secret Server is a enterprise password manager system for teams to secure their passwords. Is your team still storing passwords in Excel?