Security Fail : The Password Oppression

It beggars belief that we are still faced with websites today that protect relatively sensitive information and yet impose maximum password limits!

I like using strong passwords. Sometimes, my passwords are quite long. The generally accepted best practice is to hash passwords and store the hash, not the password itself. Consequently, what does it matter if my password is very long? It has no impact on the amount of data the back-end system needs to store it, as all hashes will be the same length.

This false limit simply weakens the whole site infrastructure.

This screenshot comes from a very popular payroll provider. They hold information about my staff and the site lets me process payrolls. It is one very small step removed from my actual bank.

Imagine my horror when I went to change my password from the original supplied to me by the company and I got an error message saying my password had to be between 6 and 10 characters.

Even if you gloss over the fact that 6 characters is probably just a little short to protect such important information, the initial instructions on the right only tell me it must be longer than 6 characters and then give me some advice about using upper and lower case characters as well as special characters.
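To make the hashing point concrete, here is an added example (not code from the original post or from the payroll provider) using only Python's standard library: the 6-to-10 character rule above beside a policy that sets a floor and a generous ceiling, and a PBKDF2 hasher showing that the stored value is the same size for a 6-character and a 200-character password. The policy values, salt size and iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed policies (assumed, not taken from the post). The first mirrors
# the 6-to-10 character rule; the second only sets a sensible floor and a
# ceiling high enough never to get in the way of a long passphrase (a ceiling
# exists at all only because the hash must still process every byte sent).
WEAK_POLICY = {"min_len": 6, "max_len": 10}
BETTER_POLICY = {"min_len": 12, "max_len": 256}

ITERATIONS = 100_000  # assumed work factor for PBKDF2-HMAC-SHA256


def check_policy(password, policy):
    """Return True if the password length is acceptable under the policy."""
    return policy["min_len"] <= len(password) <= policy["max_len"]


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Derive a fixed-length key from the password.

    Returns (salt, digest). The digest is 32 bytes for SHA-256 no matter how
    long the password is, which is why a length cap saves no storage.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, expected, iterations=ITERATIONS):
    """Recompute the digest and compare it in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def stored_lengths(passwords):
    """Hash each password with a fresh salt; report bytes stored per record."""
    return [len(salt) + len(digest) for salt, digest in (hash_password(p) for p in passwords)]


if __name__ == "__main__":
    for pw in ["abc123", "a" * 64, "b" * 200]:
        print(len(pw), check_policy(pw, WEAK_POLICY), check_policy(pw, BETTER_POLICY))
    print(stored_lengths(["abc123", "a" * 64, "b" * 200]))
```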

