Dear assorted banking institutions, specifically those with online banking.
Please stop putting absurd restrictions on password length or permitted characters.
Recently, I changed banks; from whom to whom will remain private, but suffice it to say that I have now experienced three separate banking websites.
In each case, the password length was restricted to less than 10 characters, and only alphanumeric characters were permitted, in other words a-z, A-Z, and 0-9.
In one particularly bad case, the password was limited to 7 alphanumeric characters, with a minimum of 5.
There is absolutely no logical reason to limit the password length, or the character set for that matter.
Allow me to explain. When a password is stored, any security professional on the planet will tell you to hash your passwords. This means a one-way encryption that can be checked against your input, so that even if the database were exposed, the passwords would remain secure.
Any hash can take input of any length and return a hash of the same length. For example, if I use the MD5 hash on the phrase "The quick brown fox jumped over the lazy dog," or on "A," the returned length will always be 32 characters. So storage space is no reason not to allow long passwords.
All hashes take their input and return a fixed-length output written with only 16 characters, 0-9 and A-F. So, if every input, no matter what it is, comes back as a fixed-length string made of predictable characters, there is no reason to reject any character as input; or, to be overly cautious, at least allow every character on the US keyboard.
Why is this so important?
Well, if we know that the maximum length is 7, the minimum length is 5, and the password is made of a specific character set (a-z, A-Z, and 0-9), a brute-force attack just became very, very simple.
Granted, these websites allow a set number of tries before the system locks up, but this could possibly be circumvented. What if a rogue employee with no such restriction were to launch the attack? What if some exploit were to bypass the lockout? What if the password table were somehow dumped or leaked? All the passwords would be very, very vulnerable.
OK, let's give the bank the benefit of the doubt and say they use the Whirlpool hash, arguably one of the strongest, and that they use a very nice salt, which is always good practice.
Well, if the lockout were circumvented by a local employee or a hacker, these safeguards would be useless, but for the sake of argument, let's say just the password hash table was dumped.
Well, the salt is not difficult to find: just try a handful of common passwords and crack the salt. Bingo, we have the salt.
Now it's just a matter of running a very simple brute-force attack against the theoretical table, and with a character set so small and a size so tightly defined, every single password could be cracked on an average laptop in less than 5 days.
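To put numbers on the two arguments above (a hash digest has the same length whatever the input, and a 5-7 character alphanumeric policy leaves a tiny keyspace), here is an added Python example that is not part of the original letter. It counts the passwords a policy permits, compares the bank's policy with a 12-character printable-ASCII policy (the 95-character set is my assumption, not the letter's), shows the fixed digest length, and stores a password of any length with a salted, iterated hash; the iteration count and PBKDF2 choice are likewise mine.

```python
import hashlib
import hmac
import os

# Character-set sizes used in the comparison: the letter's a-z, A-Z, 0-9 set,
# and (my assumption) the 95 printable US-keyboard characters, space included.
ALNUM = 26 + 26 + 10
PRINTABLE_US = 95

def keyspace(alphabet_size, min_len, max_len):
    """Count every distinct password a length/alphabet policy permits."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def rate_to_exhaust(space, seconds):
    """Guesses per second needed to try every password in `space` within `seconds`."""
    return space / seconds

def hex_digest_len(text, algo="md5"):
    """Length of the hex digest; identical for a 1-character and a 20 KB input."""
    return len(hashlib.new(algo, text.encode("utf-8")).hexdigest())

def store(password, iterations=200_000):
    """Salted, iterated hash of a password of any length or alphabet.
    Returns (salt, derived_key); the plaintext itself is never kept."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, dk

def verify(password, salt, dk, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(cand, dk)

if __name__ == "__main__":
    five_days = 5 * 24 * 3600
    bank = keyspace(ALNUM, 5, 7)
    print(f"5-7 alphanumeric : {bank:.3e} passwords, "
          f"{rate_to_exhaust(bank, five_days):.3e} guesses/s to exhaust in 5 days")
    wide = keyspace(PRINTABLE_US, 12, 12)
    print(f"12 printable chars: {wide:.3e} passwords, "
          f"{rate_to_exhaust(wide, five_days):.3e} guesses/s to exhaust in 5 days")
    # Same digest length for a one-letter input and a very long one
    print(hex_digest_len("A"), hex_digest_len("The quick brown fox " * 1000))
    # Long password with non-alphanumeric characters round-trips fine
    pw = "correct horse battery staple ¯\\_(ツ)_/¯"
    salt, dk = store(pw)
    print(verify(pw, salt, dk), verify(pw + "x", salt, dk))
```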
So, I implore all of the banking institutions to ease the needless restrictions on password length and characters.