For most people, password restrictions are an annoyance that prevents them from using easy-to-remember passwords like “password” or “123456”. But a site’s password rules tell you a lot about how that company handles your private information, and I’ll show you a few tricks for spotting sites that potentially store your password insecurely.
Smart Password Complexity Requirements
(none of these should be taken to indicate an insecure storage methodology)
- Minimum character limits (for example, your password must contain at least 8 characters)
- You must use numbers/uppercase/lowercase/symbols
- You cannot use a dictionary word
- You cannot use your name/username/email/other identifier in your password
Stupid Password Complexity Requirements
(it is probable that sites with these requirements are storing your password wrong)
- Disallowing -any- symbol, be it dollar sign, comma, quotes/double quotes, hashes, less than/greater than, ampersand, and so on
- Mentioning any upper limit to the length of your password (for example, maximum 10 characters) *
- Odd requirements, for example, requiring your password start or end with certain characters (letters, numbers) or prohibiting the ends of passwords from having specific characters.
*- There are functional limitations here, like the maximum POST size that is practical in a browser, yes, but if you can’t use a 100-character password, this is a problem.
What is a Password Hash?
There’s a separate blog post for that wee lil’ question:
In short, companies that care use hashing for your passwords.
So you’re calling a company dumb, why?
A proper hash function returns a fixed-length output no matter how large the input is. This is important to know, because it highlights exactly why a maximum password length is a bad sign: it is a clear indication that they’re storing your password in a really stupid way, or that their devs are stupid. Either way, it means bad security for you.
Now I love Southwest Airlines — a lot. I love flying with them, I love their attendants, and none of their pilots have killed me. What else can you expect?
Well, I’d expect a certain level of hashing on my passwords:
@SouthwestAir Why does your login form require that passwords begin with a letter? Properly hashed passwords never have these requirements.
— Bob Lerner (@rlerne) July 9, 2018
Their reply wasn’t what I wanted; it basically reiterated the limitations of the form. It should be noted that this does not mean they’re vulnerable or are storing your passwords wrong, but it does make a pretty solid case that it’s possible.
Another company I used a very long time ago was TCF Bank. Now I know what you’re thinking — lmao, TCF. Yeah, their bill pay was garbage, their online banking was from the 90’s, etc. I can’t speak for the interface now, but one thing that stuck out to me was the password length limit.
I’m done calling companies out now…
…Mostly because I don’t have more examples off the top of my head. When you see a stupid password policy, it is generally there because of a poorly configured WAF or a poorly built site. They are worried you’ll pass variables or SQL injection into their software, so they filter the characters you can use. Properly hashed passwords are completely inert: the stored value is a fixed-length string of hexadecimal characters without spaces, and it will not execute as code.
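To make the two points above concrete (fixed-length output whatever the input, and a stored value that is just hex), here is an added example that is not from the original post: a salted PBKDF2-HMAC-SHA256 hash-and-verify routine using only the Python standard library. The iteration count, the `scheme$iterations$salt$digest` storage format and the sample passwords are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (not from the post).
ITERATIONS = 600_000
DIGEST_BYTES = 32  # 32 bytes -> 64 hex characters, always


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    The digest is always DIGEST_BYTES long, whatever the password's
    length or characters, so a hashing site needs no maximum length
    and no banned symbols: the raw password never reaches storage.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
        int(iterations), dklen=DIGEST_BYTES,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_digest_lengths(passwords):
    """Hex digest length of each stored record: constant regardless of input."""
    return [len(hash_password(p).split("$")[3]) for p in passwords]


if __name__ == "__main__":
    # Constructed samples: one short, one starting with a digit and full of
    # the symbols the post lists, one 300 characters long.
    samples = ["abc", "1$,\"'#<>&password", "x" * 300]
    print(stored_digest_lengths(samples))  # [64, 64, 64]
    record = hash_password(samples[1])
    print(verify_password(samples[1], record), verify_password("wrong", record))
```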
Oh — One more thing, password resets:
If you reset your password and you get an e-mail back with your existing password in it, then they are clearly storing it WRONG. Change all of your passwords (except this site) and stop using it immediately. Close your account if possible. This site, once breached, will present no difficulty to anybody wanting your password.
Finally: Security questions suck really bad. Tell me what your favorite flavor of ice cream is in the comments!