13

Registering on an insurance company's website right now, and my password is 16 characters long, using a nice variety of letters, numbers, special characters, etc. However, here's their list of restrictions:

Note your password:

  • must be between 6 and 12 characters
  • must not contain spaces, special/international characters
  • must not contain your user name, first name or last name
  • is case-sensitive
  • should contain at least 1 number and 1 letter

I can understand minimum 6 characters, not allowing parts of your name, being case-sensitive, and needing at least 1 number and letter. The part I don't get is restricting your choice of characters you can use, and having an upper bound.

Why do websites do this? The only thing I can think of is that they don't know the basics of hashing a password, which would secure it better than anything, and get rid of any security concerns.

If I choose to type DELETE FROM users WHERE 1=1 as my password, I should be allowed to. PHP's MD5 hash of it becomes fe5d54132b51b7d65ab89b739b600b4b which I don't think will harm anything.

Tarka
  • 1,588

6 Answers

18

It comes down to their programmers (or their management) being lazy and/or uneducated. It doesn't take that much more work to make your system accept any characters, but it means you need to spend some time thinking about SQL injection attacks, cross site scripting, making sure that all parts of the system are able to deal with it, etc. It can be cheaper and quicker just to forbid any characters that could be a problem.

KeithB
  • 1,235
10

Usually the restrictions on "extended characters" are because the management in bank programming groups used to be COBOL programmers, and know that Character Sets Are Hard.

3

Banks restrict the special characters, probably because they are storing the passwords in plain text, which they shouldn't be doing, and they are afraid some special characters will leak into their business logic and hack it.

As to the limit of number of characters, I can only speculate that software on some of the mainframes they still use cannot handle text fields larger than that.

Robert Harvey
  • 200,592
2

I can understand prohibiting special characters, but there is no excuse for password length limits. I use a password manager and like to use ridiculously long passwords. Since I don't have to remember them or type them, why not?

I can think of only one reason why a site might limit password length. The people who run the site are afraid that if they let their users use really good passwords, they will forget them more frequently and they will have to field a couple more support calls or emails. It's a very lame excuse, but it's the only possible reason for such a stupid policy that I can come up with.

raven
  • 121
1

This decision seems to be based around what is practical for most users. Unlike programmers and techies, many users of online banking seem to have difficulty remembering a 4 character pin, let alone a password of decent length. Which is one of the drivers for 2-factor authentication - give them a device which produces a password so all they need to do is not lose the device!

With respect to the "why no special characters" - it isn't laziness, it's a sensible decision on reducing the potential attack landscape. If you allow apostrophes, hashes, equals signs etc, you need to be 100% confident your input validation routine will catch SQL injection attempts for example - if you whitelist only those chars you want to appear in the input, you save yourself a whole lot of potential damage.

I agree in principle with Matteo - in an ideal world passwords should only be stored with a 1 way hash, however a bank would lose customers if they did this, so there has to be a way. Often, in addition to the hashes stored in the main database, there is an encrypted field, either in the same database, or in a separate passwords database just for this function.
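An added example, not code from the question or from any answer here, showing what the question's "just hash it" suggestion and the SQL-injection worry raised in the answers above look like in practice: a minimal Python registration/login backend that accepts any password (spaces, quotes, SQL keywords, non-ASCII, any length) because the password is only ever fed to a KDF and bound as a query parameter, never spliced into SQL. Function names and the in-memory SQLite schema are my own.

```python
import hashlib
import hmac
import os
import sqlite3
import unicodedata

# Constructed demo backend (assumption: a single users table, PBKDF2-HMAC-SHA256).
# Nothing here needs to forbid characters or cap length: the password is hashed
# and the hash is stored via a bound parameter, so its content never reaches SQL.

def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). NFKC normalisation makes visually identical Unicode
    spellings (precomposed vs. combining accents) hash to the same value."""
    salt = salt or os.urandom(16)
    pw_bytes = unicodedata.normalize("NFKC", password).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, 600_000)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison; there is no stored plaintext to "retrieve by email".
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn

def register(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt, digest = hash_password(password)
    # '?' placeholders: the values are data to the driver, never part of the statement.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, digest))

def login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT salt, digest FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None and verify_password(password, row[0], row[1])

def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
```

Registering with the question's `DELETE FROM users WHERE 1=1` leaves the table intact, and the login stays case-sensitive because the hash, not the text, is compared.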

-1

Not that I agree with the password restriction in this case, but generally allowing the full set of Unicode characters for a password might introduce some problems. E.g. if the system allows retrieving the password via email through some validation mechanism, the password might not get rendered properly in the email client due to lack of Unicode support.

As for why spaces and other special characters are not allowed, e.g. in the password retrieval email:

Your password is :actually something else, not this one

Ermm... confusing yea?

vs

Your password is ActuallySomethingElseNotThis1

o.k.w
  • 885