Password Limitations May Mean Your Password is Unsafe ~ D. Patrick Caldwell on Software Engineering

Friday, February 27, 2009

Password Limitations May Mean Your Password is Unsafe

I wrote a post a while back complaining about the lack of security provided by websites which claim to be secure. A few days ago, someone I know griped that the website for his bank won't let him enter enough characters to use his standard high-security password (you know, the one reserved for financial websites, SQL Server sysadmin, TrueCrypt, or your personal certificates).

I said, "That really sucks, man. Now anybody who has access to that database can look at your password and therefore knows the password for your other accounts." He looked incredulous for a minute, started to ask why, and came to the same realization I had. The only really good reason to limit the length of a password (or the set of characters it may contain, for that matter) is that you are storing passwords in plain text. The only good reason to say, "your password cannot be longer than 12 characters" is that the password column in your user table is a CHAR(12) and you are writing the password into it as-is.

In our applications you can use a password of any length containing any character that can be sent in an HTTP POST body. Why don't we care what you use for a password? Because the column we write to is a fixed-width CHAR(32) or CHAR(40) (the hex encoding of an MD5 or SHA-1 digest): whatever you send, we salt it, hash it, and store the digest, with the salt stored beside it. A hash function turns a 5-character password and a 500-character password into exactly the same number of output bytes, so the column width never depends on what the user typed. There's no need to disallow special characters (like ! or #, which aren't special to a hash function at all) and there's no reason to cap the length. One caveat for anyone building this today: prefer a deliberately slow, salted construction such as bcrypt, scrypt or PBKDF2 over a single pass of MD5 or SHA-1; the fixed-width argument is unchanged either way.
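As an added illustration of the point above (this is example code, not the original post's or Autopilot Consulting's code), the following Python contrasts a simulated plaintext CHAR(12) column with a salted-hash column. It assumes PBKDF2-HMAC-SHA256 from the standard library as the salted hash, with the iteration count and a 16-byte salt chosen for the example; the stored digest is always 64 hex characters whether the password is 7 characters or 100 and regardless of the punctuation or non-ASCII it contains.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the original post):
# PBKDF2-HMAC-SHA256 stands in for "salt it, hash it, store it" because it is
# in the standard library. A bare salted MD5/SHA-1 would show the same fixed
# width, but is not what you should deploy today.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
DIGEST_HEX_WIDTH = 64          # hex SHA-256 output: a CHAR(64) column


def hash_password(password, salt=None):
    """Return (salt_hex, digest_hex). Accepts any length and any character.

    The password is UTF-8 encoded, so '!' and '#' and non-ASCII are just
    bytes to the KDF; nothing needs to be escaped or rejected.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt.hex(), digest.hex()


def verify_password(password, salt_hex, digest_hex):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)


def plaintext_column(password, width=12):
    """Simulate writing a password into a plaintext CHAR(width) column.

    This is the scheme the post warns about: the stored value IS the
    password, readable by anyone with database access, and anything past
    the column width cannot be kept, which is exactly why such a site has
    to forbid longer passwords.
    """
    return password[:width]


def hashed_column_widths(passwords):
    """Width of the stored digest for each password: always the same."""
    return [len(hash_password(p)[1]) for p in passwords]


# Constructed sample passwords: short, long, punctuation-heavy, non-ASCII.
SAMPLE_PASSWORDS = [
    "hunter2",
    "correct horse battery staple " * 4,
    "!#'\"<>&;--",
    "pässwörd☃",
]

if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        salt_hex, digest_hex = hash_password(pw)
        assert verify_password(pw, salt_hex, digest_hex)
        assert not verify_password(pw + "x", salt_hex, digest_hex)
        print(f"{len(pw):3d} chars -> stored {len(digest_hex)} hex chars; "
              f"plaintext CHAR(12) would keep {plaintext_column(pw)!r}")
```

Each user gets a fresh random salt, so two accounts with the same password store different digests, and the comparison uses `hmac.compare_digest` so the verify step does not leak timing information about how many leading characters matched.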

So, if some website wants to limit your password (obviously I'm not talking about rejecting passwords that are too short or are easily attacked), there's a good chance they are storing your password in plain text, and you would be fair and just in being upset about it. The tell is the shape of the limit: a cap of a dozen or so characters, or a list of banned punctuation, matches the width of a plaintext column or a query the site is afraid to escape, not the fixed width of a digest. A generous ceiling of a few hundred characters that exists only to bound hashing cost, or the 72-byte input limit bcrypt imposes, is a different matter and is not evidence of anything.

© 2008, D. Patrick Caldwell, President, Autopilot Consulting, LLC

3 comments:

  1. In following up on your comment on my blog, I totally agree with you. I myself am a programmer who always tries to give his users as much flexibility with their passwords without limiting them too much.

    I don't know why a lot of software out there these days stores your passwords as plain text or disallows the use of special characters, but in an effort to increase people's security online you'd think they'd make a better effort to do so.

    Great post, I've bookmarked your blog, it's really great.

  2. Thanks a lot. I've been following yours as well.

  3. Thanks for the encouraging comment on my blog article. I thought your post was very informative as I'm not a programmer but you were still able to break down why a limit on the password indicates the password's stored in plain text.
