Password Limitations: Financial Website Experience – 2
In Part 1, I introduced the topic of password restrictions and how they weaken passwords. I was especially upset with financial institutions making login less secure.
The next part of the story is my interactions with one company. First, here is an email I sent to customer service.
I can access my account online, that's fantastic.
To log in to my account, I enter a username and password, that's normal. There are also some security questions, nothing out of line there.
However, there are severe restrictions on the password. I think this is completely unacceptable, especially for a financial institution. You are practically requiring customers to use an insecure password.
The password must be a minimum length, fine, but there is a maximum length of 10 characters. That's inexcusable.
Furthermore, special characters (such as !@#$% etc.) are not allowed. That's awful.
My guess is that special characters are not allowed so as to prevent SQL insertion or cross-site scripting attacks. If so, there are more acceptable ways to get around those problems than limiting the character set in passwords.
My only guess as to why you would limit the size of the password is that you save the password in the clear in some database entry and the schema limits the size of entries. If so, that's an unpardonable sin when you're protecting clients' money.
Please let me know why you limit password length and disallow special characters. And please let me know if there are any plans in the future to fix this absolutely horrendous situation.
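To illustrate the "more acceptable ways" the email refers to, here is an added example of my own, not code from the post or from the institution. It stores a salted PBKDF2 hash instead of the password, so the database column has a fixed width no matter how long the password is or which characters it contains, and it passes usernames and passwords to SQL as bound parameters, so special characters are treated as data rather than query syntax. The table layout, column names, iteration count and the sample accounts are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Constructed demo parameters (assumptions, not values from the post).
HASH_LEN = 32          # bytes of derived key stored per user, always the same
SALT_LEN = 16          # bytes of random per-user salt
ITERATIONS = 200_000   # PBKDF2 work factor for the demo


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). The key is HASH_LEN bytes for any input:
    a 5-character password and a 200-character passphrase with punctuation
    produce stored values of identical size, so no length cap is needed."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=HASH_LEN
    )
    return salt, key


def open_db() -> sqlite3.Connection:
    """In-memory table whose password column holds a fixed-width hash, never cleartext."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY,"
        " salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Store the user; returns the number of bytes written for the password."""
    salt, key = hash_password(password)
    # Bound parameters: quotes, semicolons, '<' or '%' in either field are
    # just bytes in the row. They cannot alter the statement.
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, key),
    )
    return len(key)


def verify(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Run the scenario with constructed accounts and return the observations."""
    conn = open_db()
    long_pw = "correct horse battery staple !@#$%^&*() 1234567890"
    short_pw = "abcde"
    results = {
        "long_stored_bytes": register(conn, "alice", long_pw),
        "short_stored_bytes": register(conn, "bob", short_pw),
        "alice_ok": verify(conn, "alice", long_pw),
        "alice_wrong": verify(conn, "alice", long_pw[:-1]),
    }
    # A username full of SQL punctuation is stored literally, not executed.
    odd_name = "carol'; DROP TABLE users; --"
    register(conn, odd_name, "p@ss w0rd!")
    results["odd_name_ok"] = verify(conn, odd_name, "p@ss w0rd!")
    results["row_count"] = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the demo is that, once the stored value is a hash, the schema's column width stops constraining the password, and once SQL is parameterized, the character set stops mattering to the query; both restrictions in the email lose their justification.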
The response I received said they understood my concern and appreciated I spent the time to send my comments. The individual who responded said he would forward my concern on to a "feedback" team where it would be analyzed.
The writer then said the company was in the process of making changes to how customers will access their accounts online.
There was no answer as to why they do what they do. So I still don't know. But the email response did say if they can be of further assistance, to please call, and gave a phone number.
I called. I asked. The person on the other end said he would forward my question on to the appropriate people and get back to me.
The questions he passed on were, "Why the restrictions on passwords?" and "Will the new procedures allow the password to be stronger?"
So I still don't know, but it appears I am getting closer to a response.