My Pet Peeve: Maximum Length Passwords



  • Perhaps having subscribed to the XKCD philosophy on passwords, I am often mildly concerned for my safety when confronted with the following:

    I am referring to the password's maximum length of 20 characters.

    I only know the basics of password/session security, but as I understand it, passwords are hashed into a 32-character string. Why then, can I not get an extra 12 characters in my password?

    This particular example comes out of ProcessMaker, which already looks to me to be a deadline-induced regurgitation - at least it has a single standard. When I am told a maximum length but that it must contain a number, an upper-case character, a lower-case character, and the batman symbol, feel a new level of hypocrisy is being achieved. "You can make it secure, but not too secure!". Did I check the box saying "You have my consent to perform logical fallacio on me"? I think not.

    Correct me if I'm wrong in my assertions, but otherwise, in the interests of naming and shaming, I would be very interested in starting a rumour that certain banks or



  • i recently tried to change my password with the aforementioned bank to something more secure, and ended up just not doing it because their password policies dont allow me to enter a password long enough to feel secure but memorable enough for me to remember (i follow a variation on the pass-phrase idea)




    Microsoft don't allow spaces for live/msdn/hotmail accounts, but they are far from worst offender for this. Only allowing alpha-numeric characters is hugely frustrating for me and probably means I wont register for something, or will use an insecure password if I do.



  • @Shoreline said:

    I only know the basics of password/session security, but as I understand it, passwords are hashed into a 32-character string.
    You are, of course, presuming it is being hashed.



    It may, or may not, be of interest that there is one common library out there that does hash (along with unique salts and configurable number of rounds,) but it can only handle up to 72 characters.



  • @Shoreline said:

    Perhaps having subscribed to the XKCD philosophy on passwords,
     

    Except that as far as I understand it, a proper english passphrase + dictionary attack will reduce an n-word password to an n-symbol one, significantly reducing strength.

    And (more conjecture!) a dictionary attack is quick and painless enough to do it anyway just to be sure, before you try the real brute force methods.



  • You shouldn't be using passwords that can be easily committed to memory for online services, otherwise you're opening yourself up for a shoulder-surfing attack.. GE 4ip2]k-tB ;.1QaE4,ekjQ**- has a lot more entropy then correct horse battery staple, and you should be using something like KeePass or LastPass to type it rather then using the same password everywhere or memorizing several dozen different passwords.

    Plus it doesn't tear apart at the seams when you need to enter a short password.

    My password WTF: People who think that masked password fields add security. I'm glad that Windows 8 gives you the option to show the password at the OS level.



  • @MiffTheFox said:

    you're opening yourself up for a shoulder-surfing attack..
     

    I am really not concerned with those "attacks".

    @MiffTheFox said:

    My password WTF: People who think that masked password fields add security.

    And apparently neither are you...

     

    But maybe I'm stupid! I've been stupid before!

     



  • @dhromed said:

    @Shoreline said:

    Perhaps having subscribed to the XKCD philosophy on passwords,
     

    Except that as far as I understand it, a proper english passphrase + dictionary attack will reduce an n-word password to an n-symbol one, significantly reducing strength.

    And (more conjecture!) a dictionary attack is quick and painless enough to do it anyway just to be sure, before you try the real brute force methods.

    bear in mind that the set of symbols in the dictionary is pretty large, a VERY conservative estimate (not considering stuff like replacing I with 1, or a with @, or names, or obsolete words, etc etc etc) would be the 171,476 words that appear in the second edition 20 volume Oxford English Dictionary. I dont know maths, but im pretty sure a brute force dictionary attack reducing each word to symbols, considering the size of the symbol set, isn't going to be very fast. Thats why dictionary attacks came about in the first place, as a shortcut before having to brute force the full combinations of random characters.

    now if you make it a sense based attack, wherein the password must make a sentence or somehow make sense (e.g. "the dog is barking") then you SIGNIFICANTLY reduce your count of combinations. but it is still going to take quite a while. Just steal the damn hashes.



  • @dhromed said:

    @MiffTheFox said:

    you're opening yourself up for a shoulder-surfing attack..
     

    I am really not concerned with those "attacks".

    @MiffTheFox said:

    My password WTF: People who think that masked password fields add security.

    And apparently neither are you...

     

    But maybe I'm stupid! I've been stupid before!

     

    You have five seconds to commit to memory a 30-character string, including upper case and lower case letters (case matters), digits, punctuation, and spaces.

    And yes, I've been hacked by such an attack before.



  • @MiffTheFox said:

    My password WTF: People who think that masked password fields add security. I'm glad that Windows 8 gives you the option to show the password at the OS level.

    Agreed. But I can understand why browser-based apps may want to do this as they won't know who's looking over your shoulder.

    Much worse, though, is the fucking iPhone wifi key entry form. Having to type in 64 upper case characters, blind, pressing shift between each one, and then simply getting "Failed to join network" is soul-destroying. Surely a tickbox to "show characters" would not be beyond Apple. I mean... who shoulder-surfs an [i]iPhone[/i]...?



  • @Algorythmics said:

    171,476 words
     

    That's, uh, a pretty good point.



  • @skotl said:

    I mean... who shoulder-surfs an iPhone...?
     

    Everybody next to you in the subway, I guess...



  • @dhromed said:

    @Algorythmics said:
    171,476 words

    That's, uh, a pretty good point.

    I like to throw in some easy to remember spanish words, too, just to sweeten the key space.



  • @dhromed said:

    @Shoreline said:

    Perhaps having subscribed to the XKCD philosophy on passwords,
     

    Except that as far as I understand it, a proper english passphrase + dictionary attack will reduce an n-word password to an n-symbol one, significantly reducing strength.

    The calculations in the comic account for that fact; it's still stronger than a single leeted word. 

    @MiffTheFox said:

    My password WTF: People who think that masked password fields add security.

    If you never enter passwords in public places or you live somewhere where not everyone carries a device capable of photography with them all the time, than that certainly is the case.



  • @dhromed said:

    Except that as far as I understand it, a proper english passphrase + dictionary attack will reduce an n-word password to an n-symbol one, significantly reducing strength.

    You'll have to explain that. How is a word different from a symbol?

    Edit: Apparantly everyone has already slaughtered your comment, so nevermind. XKCD also uses a conservative 11 bits per word, whereas a normal vocabulary is probably between 13-16 [1].

    @MiffTheFox said:

    [...] you should be using something like KeePass or LastPass to type it
    rather then using the same password everywhere or memorizing several
    dozen different passwords.

    That's nice, but all banks around here use a shitty java app for login (BankID) which doesn't allow pasting or auto-typing. Same for most PC games that require a login.

    @MiffTheFox said:

    My password WTF: People who think that masked password fields add security.

    Projectors. What do they use at your office? Written handouts?



  • @derari said:

    leeted
     

    At first glance I thought that was a typo.



  • @Faxmachinen said:

    You'll have to explain that. How is a word different from a symbol?
     

    It's not. That's my point, and also my point of failure. I recommend reading threads before replying.



  • I must try to remember what site these conditions were from:

    • Must be between 8 - 10 characters
    • No special symbols allowed
    • Must change every 3 months and can never re-use a prior password


  • I guess projectors and similar screen sharing are the one case where masking password fields is useful.

    @derari said:

    If you never enter passwords in public places or you live somewhere where not everyone carries a device capable of photography with them all the time, than that certainly is the case.

    Look down when entering a password, specifically where your hands are. The keyboard, whether physical or virtual, is as big a security risk, and there's no way to mask that.



  • @dhromed said:

    I recommend reading threads before replying.
     

    Indeed.



  • Hah, I'd be happy if every login I used allowed a password of 20 chars. My bank only allows a password length of 8. EIGHT!

    What's worse though are those sites that simply cut-off your password at a random length and never tell you, and then you wonder why your password doesn't work. Seems to be especially popular in government websites dealing with important documents. Such as student loans. In Ontario.
    I'm looking at you, OSAP.



  • @dhromed said:

    @skotl said:

    I mean... who shoulder-surfs an iPhone...?
     

    Everybody next to you in the subway, I guess...

    ...while you are entering your personal wifi key? Don't think so...



  • @Shoreline said:

    XKCD philosophy on passwords,
     

    Oh goodie, we haven't argued about that one in a while.

    @Shoreline said:

    I only know the basics of password/session security, but as I understand it, passwords are hashed into a 32-character string. Why then, can I not get an extra 12 characters in my password?

    Because the programmers making the site are incompetent and don't know how websites, databases, parametrized queries or hashing works. There really is no other answer.

    At least it's only limited to small, mom-and-pop banks, and not something like American Express.

    @American Express, can't be arsed to link said:

    Password must be no longer than 12 characters, and may not contain any special characters.

    Fuck.

    Here's a hard and fast rule when it comes to passwords: if you think that any character is special, you've failed. Resign your position and leave the industry.



  • @garrywong said:

    What's worse though are those sites that simply cut-off your password at a random length and never tell you, and then you wonder why your password doesn't work.

    This. I've also come across a system that doesn't hash/store passwords with spaces correctly, but neglects to tell you this.



  • @MiffTheFox said:

    Look down when entering a password, specifically where your hands are. The keyboard, whether physical or virtual, is as big a security risk, and there's no way to mask that.

    This brings us back around to the original topic - max length passwords.  The parental controls PIN on our Tivo box is 4 digits long.  Since we rarely use the numeric keypad on the remote for anything except entering the PIN (change channels by number?  who does that anymore with on-screen guides!), the keys involved in the PIN are getting worn down more than the others.  If we could use all of the keys when entering the PIN, that wouldn't be a problem, but since we can't, if our kids are smart enough, they'll be able figure out which digits are in the PIN, significantly reducing the keyspace.

    In this case, it's not so dangerous, because all that will happen is that they'll get to TV and movies we don't want them to, and we'll eventually catch them and there will be serious consequences (and they know that and so far, anyway, they've shown that they respect consequences).  But it'd be a bigger problem if this were, say, a PIN-pad for a front door lock.



  • Our password management for the software I developed for work uses a strong salt/hash scheme that means there is no way we can look up a user in our database and figure out their password. And I've butted heads multiple times with coworkers who want this changed because clients forget their passwords and would rather have us read it off to them instead of setting it to P@ssword12345 so they can log in and change it themselves. I refused to change the scheme. This is one case where the client is never right. But I think other companies give in and that's why so many do not handle passwords in a secure manner.



  • @RobFreundlich said:

    change channels by number?  who does that anymore with on-screen guides
    Given the sparsity of channels that have stuff on that I want to watch, all the time - it's quicker.



  • @RobFreundlich said:

    Since we rarely use the numeric keypad on the remote for anything except entering the PIN (change channels by number?  who does that anymore with on-screen guides!)

    For most things, I'm watching from the DVR. But there are a few channels to which I regularly tune manually, and they're hundreds of channels apart, so I've memorized them and use them all the time.

    IT'S LIKE A CLI FOR MY TV!



  • @RobFreundlich said:

    the keys involved in the PIN are getting worn down more than the others
     

    Forget that. Let me introduce you to the motherfucking wonders called "Touch screen credit card terminals". They're just like regular checkout terminals, except instead of having a physical keypad, they have a touchscreen. This is a brillant upgrade because:

    1) With no haptic feedback. There's no distinct keys. There's no raised bump on the 5. You can't blindly enter your pin via touchtype. Effectively, you can't cover the touchpad with one hand for protection and type with the other, because you can't see what you're doing.  Hope the person behind you isn't shoulder surfing you as you type your PIN on the brightly lit terminal with massive, oversized glowing buttons.

    2) Just in case you do manage to hide your PIN from the shoulder surfer, it's trivially easy for someone to steal your PIN. First wipe down the terminal screen. That should be easy if you're ahead in the line, or you're the cashier.  Let your victim checkout.  Check the screen for four distinct, highly noticeable fingerprints!  Not only does that reduce the keyspace, but with a trivial amount of work, you can probably figure out the order of the keypresses based on the relative level of finger oil left on each imprint.

     



  • @Lorne Kates said:

    Here's a hard and fast rule when it comes to passwords: if you think that any character is special, you've failed. Resign your position and leave the industry.
    I like it.  It almost falls true for emails too.  Maybe for emails can be: If you validate it anyway other than checking for [@.*] or sending an actual email, then you've failed.



  • @garrywong said:

    Hah, I'd be happy if every login I used allowed a password of 20 chars. My bank only allows a password length of 8. EIGHT!
    My bank takes a PIN of length 6. But I'd be more worried if they didn't lock out access to my account after, say 5 login failures. But thank you for reminding me it's time to change the PIN once again.

    @garrywong said:

    What's worse though are those sites that
    simply cut-off your password at a random length and never tell you, and
    then you wonder why your password doesn't work.
    Yeah, they could at least have the decency of being consistent in their cutting.



  • @Zecc said:

    @garrywong said:
    What's worse though are those sites that
    simply cut-off your password at a random length and never tell you, and
    then you wonder why your password doesn't work.
    Yeah, they could at least have the decency of being consistent in their cutting.
     

    I always store passwords as newid() and a random salt. Nobody can bruteforce them. Nobody can log in either, but that's beside the point.



  • @mott555 said:

    Our password management for the software I developed for work uses a strong salt/hash scheme that means there is no way we can look up a user in our database and figure out their password. And I've butted heads multiple times with coworkers who want this changed because clients forget their passwords and would rather have us read it off to them instead of setting it to P@ssword12345 so they can log in and change it themselves. I refused to change the scheme. This is one case where the client is never right. But I think other companies give in and that's why so many do not handle passwords in a secure manner.

    Very this.  The real hard part comes when the customer is writing the spec (contract work) and specifically asks for this.  It's one of the things you can recommend they don't do, but nothing you can do if they insist (if you are at a contract work shop rather than doing it personally anyway).



  • @Sutherlands said:

    If you validate it anyway other than checking for [@.*]

    You failed. The period isn't required.



  • @blakeyrat said:

    @Sutherlands said:
    If you validate it anyway other than checking for [@.*]
    You failed. The period isn't required.

    If you are validating using something like that then having the period is part of the point.  It's to catch people doing: myname@myispcom instead of myname@myisp.com, not to actually see if the address is technically valid.



  • My bank uses a form of 2 factor authentication, however both factors are passwords.

    I have what they call a 'Phonebank' password - if I phone the bank I have to identify myself with serveral peices of information, like date of birth etc, and they will also ask for several specific characters from the phonebank password, i.e. the 2nd and 6th letters. This means the phonebank password is not encrypted, as otherwise they would not be able to ask me for specific characters

    When I use online banking, I am first asked for my ID number and my password, which is my Phonebank password in full. After this I am asked for 3 specifically numbered characters from my internet banking password, i.e. 1st, 5th and 9th character (which are selected from dropdown lists, presumably from some misguided attempt to mitigate keyloggers). This means that the internet banking password is also not encrypted.

    So,this mean that neither of the 2 passwords required for the online banking 2-factor authentication are stored encrypted.

    This is one of the largest and oldest UK banks.

    Joy.



  • @blakeyrat said:

    @Sutherlands said:
    If you validate it anyway other than checking for [@.*]

    You failed. The period isn't required.

    Would you like to provide one example of an MX record for a public host that doesn't have a period in its name?



  • Bleh, brain not working, for the above post, replace 'encrypted' with 'hashed'.



  • @locallunatic said:

    @blakeyrat said:

    @Sutherlands said:
    If you validate it anyway other than checking for [@.*]
    You failed. The period isn't required.

    If you are validating using something like that then having the period is part of the point.  It's to catch people doing: myname@myispcom instead of myname@myisp.com, not to actually see if the address is technically valid.

    You either follow the standard or you don't. There's no difference between implementing the validation as if it requires a period and implementing it to allow only uppercase characters and no punctuation. Both are equally wrong.

    There's no point to even having standards if people pick and choose which only the bits they like.



  • @blakeyrat said:

    You either follow the standard or you don't.
     

    Bunk. What you do is you build your software to match how it's expected to be used. And people have emails of the form @.*. So that's that.

    There's no point to having standards if they don't cater to what's actually being used in practical situations.

    I'm susprised to see such a departure from your usual human-centric arguments, Blakeyman!



  • @Zadkiel said:

    Bleh, brain not working, for the above post, replace 'encrypted' with 'hashed'.
    I don't see why it can't be stored hashed.

    Given such a small input it would be almost laughable to build rainbow table, but there can still be a hash involved.



  • @Shoreline said:

    passwords are hashed into a 32-character string

    What? You're using hex MD5?

    Or are you a weirdo who uses SHA256 instead of something actually secure like bcrypt?



  • @garrywong said:

    What's worse though are those sites that simply cut-off your password at a random length and never tell you, and then you wonder why your password doesn't work.

    Or sites where the password entry form and the back end disagree on maximum password length, where using the maximum password length allowed by the entry form makes the application die horribly.



  • @Faxmachinen said:

    I've also come across a system that doesn't hash/store passwords with spaces correctly, but neglects to tell you this.

    I see that fairly often on shitty wifi routers. If you have a router that makes an XML file when you ask it to back up its settings, there's a good chance you won't be able to connect if you pick a WPA2 pre-shared key containing spaces.



  • @locallunatic said:

    The real hard part comes when the customer is writing the spec (contract work) and specifically asks for this.  It's one of the things you can recommend they don't do, but nothing you can do if they insist (if you are at a contract work shop rather than doing it personally anyway).

    Yes there is. You make it so there's a screen that lets you "read back the password" and what it actually does is change the password to the 12-16 character string of random symbols that's just appeared on that screen. Then you keep marking all bug reports complaining about this behaviour as RESOLVED FIXED.



  • @flabdablet said:

    @Faxmachinen said:
    I've also come across a system that doesn't hash/store passwords with spaces correctly, but neglects to tell you this.

    I see that fairly often on shitty wifi routers. If you have a router that makes an XML file when you ask it to back up its settings, there's a good chance you won't be able to connect if you pick a WPA2 pre-shared key containing spaces.

    I've dealt with routers where some drivers connect with a space and other drivers will only connect if you replace the spaces with underscores.



  • @boomzilla said:

    I've dealt with routers where some drivers connect with a space and other drivers will only connect if you replace the spaces with underscores.

    Getting fed up with that kind of craziness is why every wifi router I've set up for a very long time now has pre-shared keys consisting of five groups of five lowercase letters got from random.org separated by dots. These have enough entropy to be secure, are easy to write down, easy to enter on Android devices, only moderately annoying on Apple ones (why does the Apple password entry keyboard not have an unshifted dot key?) and I have yet to encounter a router they don't work for.



  • @PJH said:

    @blakeyrat said:
    @Sutherlands said:
    If you validate it anyway other than checking for [@.*]

    You failed. The period isn't required.

    Would you like to provide one example of an MX record for a public host that doesn't have a period in its name?



  •  What pisses me off is MINIMUM password lengths.  I'd fucking PAY to be able to have my Twitter and Gmail passwords be "".  Just type in your username and hit ENTER.  That's how I have all my Linux systems configured at home, and I'd have Windows Server configured to do that too, if one of its users wasn't "security conscious" and would flip his shit if he knew the Administrator password was blank.  Oh well, I've got the credentials for that one saved in my laptop.



  • @flabdablet said:

    @locallunatic said:
    The real hard part comes when the customer is writing the spec (contract work) and specifically asks for this.  It's one of the things you can recommend they don't do, but nothing you can do if they insist (if you are at a contract work shop rather than doing it personally anyway).

    Yes there is. You make it so there's a screen that lets you "read back the password" and what it actually does is change the password to the 12-16 character string of random symbols that's just appeared on that screen. Then you keep marking all bug reports complaining about this behaviour as RESOLVED FIXED.

    Unfortunately my marking the bug reports that way got escalated to "do EXACTALLY what we asked for or we aren't paying".  Only so much fighting I'm willing to do for the customer's users (it wasn't a system that our customer's customers would have accounts on).



  • @locallunatic said:

    @flabdablet said:

    @locallunatic said:
    The real hard part comes when the customer is writing the spec (contract work) and specifically asks for this.  It's one of the things you can recommend they don't do, but nothing you can do if they insist (if you are at a contract work shop rather than doing it personally anyway).

    Yes there is. You make it so there's a screen that lets you "read back the password" and what it actually does is change the password to the 12-16 character string of random symbols that's just appeared on that screen. Then you keep marking all bug reports complaining about this behaviour as RESOLVED FIXED.

    Unfortunately my marking the bug reports that way got escalated to "do EXACTALLY what we asked for or we aren't paying".  Only so much fighting I'm willing to do for the customer's users (it wasn't a system that our customer's customers would have accounts on).

    What you should do is put a giant notice at the top of the login/registration pages that tells users how insecure the system is and who they should contact to get it fixed.

Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.