Password Limitations: My Experience With a Financial Website (Part 1)
You probably have several online accounts, or bank, credit card, or other financial accounts with online access. For these accounts you most likely log in with a username and password. When you set up the account and choose a password, the website will often impose requirements on the password, such as a minimum length, or that it must contain at least one upper-case letter and one number. But websites also often place limits on the password: maybe there is a maximum length, or you are not allowed to use upper-case letters or special characters (such as #$%^ etc.).
I think that's awful. The more restrictions you put on passwords, the easier they are to crack. I think you would be hard-pressed to find anyone in the computer security industry who would disagree with that.
Financial institutions (banks, brokerages, investment companies) are protecting our money. They are protecting enormous sums of money. So you would think they would be very interested in making sure their online security is strong. However, many financial companies are among the worst offenders in placing restrictions on passwords.
One company I work with has such limitations. I decided to look into it. I wanted to find out why they have limitations and then see if I could somehow convince anyone to change their policy. So this is my story.
Part 1 of the story: Why?
First, I decided to look around on the web to see if there were any good reasons for limiting passwords. Mostly what I found was people complaining about it. Some people did give reasons, but then explained why they were bad reasons. For example …
- They prevent SQL injection or cross-site scripting attacks. However, there are other ways to prevent these attacks. It's just that the cheapest and easiest way is to limit password characters.
- Passwords are stored in a database and the schema puts limits on characters and size. Of course, this is bad because the passwords themselves should not be stored.
- If you allow long, complicated passwords, then customers will use long, complicated passwords. They will forget them and you will have all the costs of password reset. Is password reset really so expensive? And will people forget more secure passwords at that much of a greater rate than shorter, easier ones?
- The code underneath is legacy COBOL code and can't handle anything other than letters and numbers.
- The code is on an IBM mainframe and they have problems with EBCDIC and code pages.
- They are worried about computer keyboards in different countries.
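The first two reasons above fall away once the back end is written properly. As an added example (not code from the original post), here is a small Python account store that accepts passwords of any length and character set: a parameterized query keeps the password out of the SQL text, so quotes and semicolons in it are just bytes, and a salted scrypt hash means the password itself is never stored, so the schema needs no character limits at all. The table layout, function names, sample passwords and scrypt cost parameters are my assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample passwords: long, with special characters, non-ASCII
# letters and a quote-plus-semicolon payload that would only be dangerous
# if the SQL were built by string concatenation.
SAMPLE_PASSWORDS = [
    "correct horse battery staple",
    "Pa$$w0rd'; DROP TABLE users; --",
    "ünïcödé-påsswörd-#$%^&*()_+{}|:\"<>?",
    "x" * 200,
]

# Hypothetical scrypt cost parameters (16 MiB of memory per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password; only these two values are ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=32,
    )
    return salt, digest


def open_db() -> sqlite3.Connection:
    """In-memory SQLite database; the schema holds a salt and a fixed-size digest, not a password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB NOT NULL, digest BLOB NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Parameterized query: the password never becomes part of the SQL string.
    conn.execute(
        "INSERT INTO users (username, salt, digest) VALUES (?, ?, ?)",
        (username, salt, digest),
    )


def verify(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    # Constant-time comparison of the recomputed digest against the stored one.
    return hmac.compare_digest(candidate, stored)


def demo() -> List[bool]:
    """Register each sample password, check that only the exact password verifies,
    and confirm the injection-looking password did not execute any SQL."""
    conn = open_db()
    results = []
    for i, pw in enumerate(SAMPLE_PASSWORDS):
        user = f"user{i}"
        register(conn, user, pw)
        results.append(verify(conn, user, pw) and not verify(conn, user, pw + "!"))
    count = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    results.append(count == len(SAMPLE_PASSWORDS))  # table intact: no injection
    return results


if __name__ == "__main__":
    print(demo())
```

Every entry of `demo()` comes back `True`: all four passwords, including the one that looks like an injection payload and the 200-character one, register and verify, and the `users` table still holds all four rows afterwards. The database column is a fixed-size BLOB regardless of password length, which is why a hashing back end has no reason to cap length or forbid characters.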
I couldn't find anyone who admitted to writing the code that limited passwords, so I didn't get an explanation from the horse's mouth. But the speculation I found seems like it is probably close to the truth.
Part 2 of the story: Check my accounts
Many of my online accounts allow long passwords that contain special characters. Some of them were even financial institutions. Hence, I know it can be done.
I also accessed accounts from Europe and Asia. When I was on vacation in Europe and on a business trip in Asia, I accessed some accounts that did allow special characters. They worked. In Europe it took me a while to figure out the special characters on the keyboards I used, but they worked.
Part 3 of the story: Go to the source
My next step was to contact one of these online companies and ask why they limit passwords.
I'll continue this part of the story in the next post.