Why do so many sites demand short passwords?

pmv

Lifer
May 30, 2008
Why do quite a few high-profile companies (including financially sensitive ones) refuse to let you use long passwords? E.g. some complain if a password is more than 8 or 12 characters.

I'm puzzled what the reason is for this arbitrary limit. Not only does it make passwords more vulnerable to brute-force cracking (I read one company arguing that such cracking wasn't the main vulnerability of passwords so it didn't matter, because phishing was the main problem) but it also makes passwords harder to remember because you can't use long lists of words that actually mean something to you, you are forced to use strings of random characters in order to avoid using single words that are clearly going to be vulnerable to dictionary-based guessing.

It just seems such an arbitrary restriction, as if it were still the 1980s where every byte of storage was precious.

Is there some real technical reason for it? Presumably there must be because so many sites do it.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
I think they just don't want to update their old systems. I guess in some databases, there could be issues using special chars in passwords, but not sure.
 

pcunite

Senior member
Nov 15, 2007
To make you feel better, brute-force cracking is not a problem. Why? Because they won't allow a remote connection to their web server to try 100,000+ attempts.
 

lxskllr

No Lifer
Nov 30, 2004
To make you feel better, brute-force cracking is not a problem. Why? Because they won't allow a remote connection to their web server to try 100,000+ attempts.

The problem is getting the whole database, and cracking them at their leisure. There's no good excuse for short and restrictive passwords. Any company using them is negligent AFAIC.
 

John Connor

Lifer
Nov 30, 2012
Can't say I ever ran into a web site that wanted short passwords. Comcast, SiriusXM, Yahoo, Ebay, Paypal and my bank all take long passwords.
 

lxskllr

No Lifer
Nov 30, 2004
Can't say I ever ran into a web site that wanted short passwords. Comcast, SiriusXM, Yahoo, Ebay, Paypal and my bank all take long passwords.

There was an article on Ars about it, but I couldn't find it when I saw this thread. There's a lot of ridiculous restrictions, and that's largely why I use a password manager now. I had fairly secure methods of creating passwords, but they violated a lot of sites' policies. I'd end up with something close to my memorable system, but different. And different might as well be random for the chance I have of remembering it.
 

readymix

Senior member
Jan 3, 2007
"Why do quite a few high-profile companies (including financially sensitive ones) refuse to let you use long passwords? E.g. some complain if a password is more than 8 or 12 characters."



some sites yea. the few I am familiar with lock out access after just a few incorrect entries. not just consecutive incorrect entries but over a period of time too. fewer still do that and also delete your online account and force you to re-register.
 

pmv

Lifer
May 30, 2008
"Why do quite a few high-profile companies (including financially sensitive ones) refuse to let you use long passwords? E.g. some complain if a password is more than 8 or 12 characters."



some sites yea. the few I am familiar with lock out access after just a few incorrect entries. not just consecutive incorrect entries but over a period of time too. fewer still do that and also delete your online account and force you to re-register.


It's actually less the danger of brute-force hacking that bothers me than the irritation of not being able to use longer passwords that are easier to remember. That, and sites that don't tell you the limitations till you've already tried to use a password that doesn't meet them. It just seems unnecessary, as if they are doing it purely to be annoying.
 

wirednuts

Diamond Member
Jan 26, 2007
I like 20-character passwords, but I find almost NO sites I use allow them that long. Most are 8 max, and if I'm lucky it's 12.

But I find it even worse when they won't even tell you what the max is. "Please enter a secure password" and you do, and it says "OK", but what it didn't tell you is it cut your password down to 12 and accepted it.

You go to log in later and your 20-character password doesn't work. PISSES ME OFF.
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
Well...it depends what encryption you use for storing the passwords.

You can theoretically use short passwords if you have an encryption method that's deliberately very computationally expensive to execute.

Just as an example WPA/WPA2 wifi passwords are hashed with HMAC-SHA1 4096 times, which means to brute force them is hard.

It's possible (and I'm speculating here) that some very secure services are using custom password hashing systems which could be doing something similar to this, it would make brute forcing their passwords very hard even if you grabbed their database of hashes and did the cracking offline.

If I was personally running a bank or something like that, I'd have a custom hashing algorithm written which iterates something secure like SHA1 maybe a million times, or N times where N is based on the date the password was picked (so strength increases over time, like hardware does). All passwords would be salted with a random salt.

Problem with brute forcing password systems today is that password encryption is piggybacking off encryption that was designed to be very fast to use, so on-the-fly encryption/decryption wasn't computationally expensive. You want password encryption to be the opposite, so that brute force attacks take an arbitrarily high amount of computing power to do.

Do some sites actually use this? I dunno, only they know, but it's plausible and it's what I'd do for best security. So you can't always assume small password spaces are insecure, although I suspect many of them are.
 

SecurityTheatre

Senior member
Aug 14, 2011
Well...it depends what encryption you use for storing the passwords.

You can theoretically use short passwords if you have an encryption method that's deliberately very computationally expensive to execute.

Just as an example WPA/WPA2 wifi passwords are hashed with HMAC-SHA1 4096 times, which means to brute force them is hard.

No.

Short passwords are bad. By making something several orders of magnitude, then you've reduced your length required for each password by one digit.

You can still crack 115,000 WPA hashes per second with a good GPU. A solid 10 million word dictionary falls in just about a minute, everything under 8 characters is easily brute-forced.

Just because it's not as completely braindead as LanManager hashes doesn't make it strong. :)

It's possible (and I'm speculating here) that some very secure services are using custom password hashing systems which could be doing something similar to this, it would make brute forcing their passwords very hard even if you grabbed their database of hashes and did the cracking offline.

If I was personally running a bank or something like that, I'd have a custom hashing algorithm written which iterates something secure like SHA1 maybe a million times, or N times where N is based on the date the password was picked (so strength increases over time, like hardware does). All passwords would be salted with a random salt.

Having done security work with banks, power companies, etc... many of them are still holding their account data in old IBM System-Z mainframes, or older.

I've personally viewed the code of software written in FORTRAN to access user accounts from within this system and build SAML tokens for integrating with web authentication.

Blah...
 

PrincessFrosty

Platinum Member
Feb 13, 2008
www.frostyhacks.blogspot.com
No.

Short passwords are bad. By making something several orders of magnitude, then you've reduced your length required for each password by one digit.

You can still crack 115,000 WPA hashes per second with a good GPU. A solid 10 million word dictionary falls in just about a minute, everything under 8 characters is easily brute-forced.

Just because it's not as completely braindead as LanManager hashes doesn't make it strong. :)

The general point I'm making is that by picking longer passwords users are creating a larger possible keyspace which increases cracking time to brute force, but you can make that cracking time longer by simply making the encryption per password take more computational effort.

WPA was an example of this in practice. I suggested something more aggressive than 4,096 iterations; I picked 1 million off the top of my head as an example, but ideally it would be dynamic: it would change over time because hardware gets faster over time. I'm sure when WPA was invented 4096 seemed like enough, but these days it's not.

In my opinion it's not a very elegant solution to expect users to do something of their own accord to increase their security, because they're the worst people to rely on when it comes to security. In an ideal world the security of users wouldn't be so dependent on user behavior but rather be more uniform. Ideally we want a password system where all passwords (inside some sensible range) are approximately equally hard to brute force.

If I was building a password system it would say "OK you've picked a password of complexity N, so I'll hash it [(1000/N)*(date factor)] times"

As the complexity decreases, the number of times you hash it increases. Increase that multiple over time to account for hardware speed growth. Then store that number in the DB next to the hashed password. A weak password of 6 characters might generate a hash iteration of 5,000,000, whereas a strong one of 20 characters might generate a hash iteration of only 10.

Now when people come to brute force the easy password the keyspace is suddenly 5 million times harder per guess. That's kinda rough, but you get the idea, the maths would need to be fine tuned to balance.

The only downside is additional processing by servers to process requests by users, but generally speaking what takes seconds per guess for a user is fine, but for a cracker is a nightmare.
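The two ideas argued over in this thread, salted iterated hashing of the WPA2 kind (PBKDF2-HMAC-SHA1, 4096 iterations) and an iteration count that rises as the password gets weaker and as the years pass, can be put together in a few dozen lines. The following is an added example written for this page; it is not code from any poster or from any real site. The entropy estimate, the 48-bit work target, the 2013 reference year, the "double every two years" date factor and the per-login ceiling are all constructed assumptions, and the 115,000 hashes/second figure is simply the GPU rate quoted earlier in the thread.

```python
import hashlib
import hmac
import math
import os

# Constructed parameters for this example (not from any real deployment).
WPA_ITERATIONS = 4096       # WPA2's PBKDF2 count; used here as the floor
TARGET_BITS = 48            # assumed: work every password should cost an attacker
MAX_ITERATIONS = 2 ** 24    # assumed: ceiling so one login stays cheap for the server
REFERENCE_YEAR = 2013       # assumed: the era of the thread
GPU_WPA_RATE = 115_000      # WPA hashes/second quoted in the thread


def estimate_bits(password: str) -> float:
    """Crude keyspace estimate: length * log2(total size of the character classes used)."""
    classes = 0
    if any(c.islower() for c in password):
        classes += 26
    if any(c.isupper() for c in password):
        classes += 26
    if any(c.isdigit() for c in password):
        classes += 10
    if any(not c.isalnum() for c in password):
        classes += 33
    return len(password) * math.log2(classes) if classes else 0.0


def iterations_for(password: str, year: int = REFERENCE_YEAR) -> int:
    """The thread's scheme: a password short of the target gets 2**deficit extra
    iterations, and the count doubles every two years (assumed growth rate)."""
    deficit = TARGET_BITS - estimate_bits(password)
    date_factor = 2 ** max(0, (year - REFERENCE_YEAR) // 2)
    raw = (2 ** deficit) * date_factor
    return int(min(MAX_ITERATIONS, max(WPA_ITERATIONS, raw)))


def hash_password(password: str, year: int = REFERENCE_YEAR) -> str:
    """Random 16-byte salt, PBKDF2-HMAC-SHA1; the algorithm, iteration count and
    salt are stored next to the digest so verification can replay them."""
    salt = os.urandom(16)
    iterations = iterations_for(password, year)
    digest = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, dklen=32)
    return f"pbkdf2_sha1${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha1":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha1", password.encode(), bytes.fromhex(salt_hex), int(iterations), dklen=32
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def attacker_seconds(password: str, iterations: int, rate: float = GPU_WPA_RATE) -> float:
    """Seconds to exhaust the password's estimated keyspace offline, assuming the
    quoted rate was measured at WPA_ITERATIONS and cost scales linearly with it."""
    guesses = 2 ** estimate_bits(password)
    return guesses * (iterations / WPA_ITERATIONS) / rate


if __name__ == "__main__":
    for pw in ("abcdef", "correct horse battery staple"):
        n = iterations_for(pw)
        print(f"{pw!r}: {estimate_bits(pw):.1f} bits, {n} iterations, "
              f"offline exhaust ~{attacker_seconds(pw, n) / 86400:.1f} days "
              f"(vs {attacker_seconds(pw, WPA_ITERATIONS) / 86400:.1f} at 4096)")
    rec = hash_password("abcdef")
    print(rec, verify_password(rec, "abcdef"), verify_password(rec, "abcdeg"))
```

The point the example makes concrete is the one both sides of the thread touch on: stretching multiplies the attacker's cost per guess but does not change the size of the keyspace, so a six-character lowercase password still needs hundreds of thousands of iterations before it costs an attacker what a long passphrase costs at the 4096 floor, and every one of those iterations is also paid by the server on each login. Storing the iteration count in the record is what lets the count change over time without rehashing everyone at once: old records keep their parameters and can be upgraded at the user's next successful login.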