Why are we still limiting password characters?

It’s 2013 – why are web sites and companies forcing us into archaic password management structures?

At my institution, we recently updated our purchasing card reporting system, run by a major, major big time bank. You would think that they would take password security very seriously, especially given the nature of this site and the type of information stored within it. You’d be wrong.

When I was setting up my account in this system, imagine my surprise to find this as the requirements for a password on the new platform.

Screen Shot 2013-06-17 at 9.40.52 AM

So let me get this right – between 6 and 8 characters, and no special characters? They’re either storing their passwords in plain text or they have some ancient legacy systems they don’t want to spend the money on to update.

In today’s age of GPU’s that can crack billions of passwords in minutes, there is no reason whatsoever to limit what characters are used as a password. These sites should be automatically hashing the passwords anyway, preferably using a slow hashing format like bcrypt.

I worry about password security, and feel good when a site or software I use takes it seriously. Take a look at WordPress, a platform I use every day, it uses the PHPass framework, which uses bcrypt, as the default setup in WordPress.

The only way I’d feel slightly better about this type of password rules is if a site also required a two-factor authentication, either with an app like Google Authenticator, a text message with a 1-use code, or some sort of keygen device. I wrote about using Google’s product in conjunction with WordPress a few months ago.

2 thoughts on “Why are we still limiting password characters?”

  1. Oh man, nothing pisses me off more than running into this. I’ve seen it with at least 2 banks. Complained via email, heard nothing.

    I wish Steve Gibson or someone else would set up a public shaming list to point out these kind of bad practices, especially among financial institutions.

  2. I’m a big fan of the random word string passwords. We’ve trained our culture to think like computers for passwords now computers can out think us. So we should switch back to thinking like humans.

    I like the XKCD password concept http://preshing.com/20110811/xkcd-password-generator

    Though there would still be some restriction like length. Until we find a better login solution like a web version of Microsoft’s image gesture unlock or a Google two step passwords variations and restrictions are going to haunt us.

Comments are closed.