Wednesday, May 1, 2013

Companies on why they limit passwords (hint: because they suck)

I just came across a post on Ars Technica where they asked companies why they limit their users' passwords (in length and/or allowed characters), making the passwords less secure. The responses were pretty much the same from everyone, and one commenter really captured the essence of the different responses. Schpyder wrote:
Schwab: "No comment."
MS: "Not a concern. Also, look over there!"
Evernote: "Here is a rational, reasoned approach behind our password requirements and limitations."
AT&T: "We don't want to give our customers the option to do something that some of them might not like."
It's almost an accurate summary. I do actually take issue with Evernote's response being rational and reasoned. They stated that they do not allow spaces in passwords because spaces in the beginning and end of a password may get trimmed and so they would need to create a validation which only allows spaces in the middle. This filter would be too much work for too little gain.

This is not a rational and reasoned approach to password management if you value security for your users. Why would you trim the password? I see no reason to remove spaces, or anything else for that matter, from passwords. Just hash them as they are. Passwords should be hashed as soon as possible: the more a password is passed around in plaintext in the code, the higher the risk. We hash the password before it is even sent to our server.

There is absolutely no reason to limit which characters are allowed in a password. Whatever you type into your password, it should be hashed, which means that in most cases all characters become alphanumeric (base64 encoded), with some exceptions, like bcrypt, which uses $ for some field separation. So it doesn't matter whether the password contains special characters or not, unless your code is passing the plaintext, unhashed password around in various data structures (like JSON). That would require some parsing and transformation of the password so it doesn't break the structure. But you should never, ever, ever do that. Hash the password, then send the hash around instead.

Apparently these companies, Evernote included, along with a lot of other companies, are just too lazy or incompetent to handle the passwords of their own users. If you read this, make sure you don't make the same mistakes. Work with hashes, not plaintext passwords.

Oh, and always use good hashing + salt. SHA is bad and MD5 is even worse. Also, make sure to keep one of the salts outside the database, just in case an attacker gains access to the database (which is far more common than access to the filesystem).
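As an added example (not code from the post), here is what the handling described above looks like in Python: the password is hashed exactly as typed, with no trimming and no character restrictions, a per-user random salt is returned for storage in the database, and a second secret (the "salt outside the database", often called a pepper) is read from the environment instead. bcrypt is not in the standard library, so PBKDF2-HMAC stands in for it here, and the PEPPER fallback value is a constructed placeholder.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption (constructed for this example): the pepper lives outside the
# database, e.g. in an environment variable on the application server.
# The fallback string is a placeholder so the example runs stand-alone.
PEPPER = os.environ.get("PASSWORD_PEPPER", "example-pepper-placeholder").encode()

PBKDF2_ROUNDS = 200_000  # iteration count for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hash the password exactly as typed: no trimming, any character allowed.

    Returns (salt, digest). Only the salt and digest go into the database;
    the pepper stays in the server configuration.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random per-user salt
    # Key the password with the pepper first, so a database-only leak gives an
    # attacker digests that cannot be checked without the server-side secret.
    keyed = hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Leading and trailing spaces are part of the password, not trimmed away.
    salt, digest = hash_password(" correct horse battery staple ")
    print(verify_password(" correct horse battery staple ", salt, digest))  # True
    print(verify_password("correct horse battery staple", salt, digest))    # False
```

Because the pepper is folded in before the key derivation, the same salt and password produce a different digest on a server with a different PASSWORD_PEPPER, which is exactly what makes a database-only compromise less useful.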