Screens around the web: password restrictions

I wrote earlier about how several high-profile web sites ensure that their users can NOT have strong passwords. Here are a few screen shots to prove my point:

Chase (screenshot of password rules)

AT&T (screenshot of password rules)

American Express (screenshot of password rules)

American Funds (screenshot of password rules)

Note that all these web sites provide financial services, which makes them the most dangerous to users if their accounts get hacked: account access would in most cases expose other personal details, such as credit card numbers and SSNs, to the attacker. Someone please, PLEASE explain to me the logic behind restrictions such as putting a silly upper limit on password length (8??!! WTF!!!) and disallowing special characters. It's retarded.


6 Comments

  1. Posted December 3rd, 2007 at 1:02 am | Permalink

    The HTTP Basic authentication scheme reserves the colon character to separate username from password. Thus a colon must not be used in the username or password. (If you know the implementation of the Basic scheme parser [indexOf(':') or lastIndexOf(':') ?], you MAY allow it in either username or password…)

  2. Posted December 5th, 2007 at 3:17 pm | Permalink

    I’m guessing some systems have a restriction like the above so that you can use the same password on a phone with an IVR?

    but yeah.. it’s kinda silly

  3. Posted December 13th, 2007 at 9:09 pm | Permalink

    *@ian*: hmm, that's a good point. But still, I don’t think it quite justifies the abysmal rules. Meanwhile, have you seen myvidoop.com? Quite an interesting approach to the whole password management problem.

  4. Posted December 13th, 2007 at 9:11 pm | Permalink

    *@odi*: So? Their software should be smart enough to escape problematic characters. In any case, no one who is serious about security would ever use HTTP Basic authentication — it is just what it says, BASIC. All of the web sites I mentioned go over HTTPS, and authentication is handled at the application layer.

  5. Posted February 14th, 2008 at 3:25 pm | Permalink

    Reminds me of these 2WIRE routers (i.e. ESSID shows up as ###2WIRE all over town) that are set with a default password of exactly 10 numeric bytes. You can do the math… or, this is fun if perhaps somewhat spurious:
    http://www.hackosis.com/projects/bfcalc/bfcalc.php

  6. Erik
    Posted April 16th, 2008 at 11:37 pm | Permalink

    I agree completely. American Express’s restrictions in particular seem to be designed for ease of brute-forcing. There are a total of 2,684,372,063,360 possible passwords one can use with those restrictions, and I’m sure a dictionary attack program could crack the majority of their customers’ passwords in a few minutes each. Makes me want to cancel my account…
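To put numbers on the post's complaint and on Erik's brute-force estimate above, here is an added example (not code from the original post or any of the commenters). It compares the keyspace of a constructed "8-character, letters and digits only" policy against a longer policy that allows punctuation, and shows that the capped policy rejects a long passphrase that the other accepts; the policy rule sets and the 1e9 guesses/second offline-cracking rate are assumptions, not figures from the page.

```python
from string import ascii_letters, digits, punctuation

ALNUM = ascii_letters + digits      # 62 symbols
PRINTABLE = ALNUM + punctuation     # 94 symbols

# Constructed policies. The first mirrors the kind of rule the post complains
# about (8-character cap, no special characters); it is an assumption, not the
# exact rule set of any site shown in the screenshots.
POLICIES = {
    "capped, alnum only, 6-8 chars": (ALNUM, 6, 8),
    "long, any printable ASCII, 12-64 chars": (PRINTABLE, 12, 64),
}


def keyspace(charset_size, min_len, max_len):
    """Number of distinct passwords of length min_len..max_len over the charset."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every password in the keyspace at a fixed rate."""
    return space / guesses_per_second / (365 * 24 * 3600)


def policy_violations(password, allowed_chars, min_len, max_len):
    """Reasons a policy rejects the password; an empty list means accepted."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len}")
    if len(password) > max_len:
        reasons.append(f"longer than {max_len}")
    bad = sorted({c for c in password if c not in allowed_chars})
    if bad:
        reasons.append("disallowed characters: " + "".join(bad))
    return reasons


def compare_policies(guesses_per_second=1e9):
    """Keyspace and exhaustive-search time per policy (1e9/s is an assumed offline rate)."""
    result = {}
    for name, (chars, lo, hi) in POLICIES.items():
        space = keyspace(len(chars), lo, hi)
        result[name] = (space, years_to_exhaust(space, guesses_per_second))
    return result


if __name__ == "__main__":
    for name, (space, years) in compare_policies().items():
        print(f"{name}: {space:.3e} passwords, {years:.2e} years at 1e9 guesses/s")
    strong = "correct-horse!battery_staple"   # constructed passphrase
    for name, (chars, lo, hi) in POLICIES.items():
        print(name, "->", policy_violations(strong, chars, lo, hi) or "accepted")
```

The keyspace only bounds an offline attack on a leaked password database; against the live login page the limiting factor is rate limiting and lockout, which is why a length cap hurts most once a hash dump is stolen.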
