

Stop restricting my password - Help these sites get better security. - dinkumator
http://www.weakpasswords.org/

======
staunch
I was thinking of creating a list like this of all the sites that (most
likely) store passwords as plain text. I'd get the list by doing a password
reminder and seeing if they email me my password.

Would be cool if that was added as a column here. I'd submit some sites.

~~~
swombat
_I'd get the list by doing a password reminder and seeing if they email me my
password._

That will tell you whether they send the password in clear, not whether they
encrypt it. The only information you'll have is:

IF (they send you the password in clear) THEN (they don't use a one-way hash)

There is no other information to be derived from this method of checking.

~~~
Quarrelsome
But if they use a two way hash and the server is compromised one would presume
the mechanism for un-hashing the passwords would also be compromised meaning
it is almost as bad?

(? as my knowledge on security is somewhat limited)

~~~
geocar
The word here is "encrypt" or "cipher" not "hash":

> But if they use a two way cipher and the server is compromised one would
> presume the mechanism for un-encrypting [decrypting] the passwords would
> also be compromised meaning it is almost as bad?

It might be. It is conceivable that a site may use public key cryptography and
store encrypted passwords, but have password recovery done on an independent
system which has the decryption key.

(For our purposes, a "reset question" might also be considered a password
because it is still something "you know" and to be differentiated from an
email address which would be something "you have")

~~~
CWuestefeld
I'd give an admonishment to anyone who uses a password question from the
standard set (mother's maiden name, etc.), even if it is hashed, because the
data is so easily discoverable.

Nevertheless, the idea of a password question is so useful that I still
support it on my sites. But our implementation is open-ended: you define your
own question as well as its answer. I think this is better for anyone who is
security conscious, but unfortunately it still allows the lazy or ignorant to
be insecure.

~~~
samgrover
I prefer defining my own question and answer.

However, a mechanism for sites that use the standard questions is to
manufacture a set of fictitious names and use those everywhere. e.g. Father's
name - "Keyser Soze". First car make and model, "Millennium Falcon", etc.

There is the overhead of remembering these but that is not too hard with some
thought and repeated use.

------
dkokelley
One example of extreme login security that I've seen is with
treasurydirect.gov. Password: min 8 char, 1 letter, 1 number, 1 special.
Mailed key card: 7 x 5 alpha numeric grid with a random 3 char series ((A2,
G5, F5) for example), 1 out of 3 sets of 10 digit numbers on your key card, 3
security questions on unrecognised computers (out of around 10 - you must
remember which 3 questions you set and answer them appropriately), and to top
it all off, no keyboard entry - you have a randomly ordered soft keyboard that
must be clicked for all password and keycard entries.

Personally, I think it's overkill, but I'll admit that I wouldn't envy anybody
tasked with getting someone's account.

~~~
a-priori
Ever had a bank account in Switzerland? Swiss Post uses two-factor
authentication with challenge-response for online logins.

First you enter a password, and you get a challenge code back. You insert your
card into a device they send you, then enter the pin and the code. The device
displays a response code that you enter into the website.
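
The two-step flow just described (password first, then a one-time challenge answered by a card reader), as an added example that is not Swiss Post's code and not part of the original comment. The real reader's algorithm is not given on the page; this model assumes the reader derives a key from the card secret plus PIN and answers the challenge with a truncated HMAC-SHA256, and all names, secrets and numbers are constructed:

```python
"""Toy challenge-response login modelled on the card-reader flow above.
Assumptions: the reader derives a key from card secret + PIN, the response is
an 8-digit truncation of HMAC-SHA256(key, challenge), and the server holds only
the derived device key, never the card secret or PIN. Everything is constructed."""
import hashlib
import hmac
import os
import secrets


def derive_device_key(card_secret: bytes, pin: str) -> bytes:
    """Key the reader uses once the card is inserted and the PIN typed in.
    A wrong PIN yields an unrelated key, so its responses never verify."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), card_secret, 10_000)


def response_code(device_key: bytes, challenge: str) -> str:
    """8-digit code bound to one challenge; computed by reader and server alike."""
    mac = hmac.new(device_key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def device_response(card_secret: bytes, pin: str, challenge: str) -> str:
    """What the reader displays after the user types PIN and challenge into it."""
    return response_code(derive_device_key(card_secret, pin), challenge)


class Server:
    """Bank side: salted password hash plus the per-user device key."""

    def __init__(self):
        self.users = {}     # user -> (salt, password_hash, device_key)
        self.pending = {}   # user -> outstanding one-time challenge

    def enrol(self, user: str, password: str, card_secret: bytes, pin: str):
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[user] = (salt, pw_hash, derive_device_key(card_secret, pin))

    def start_login(self, user: str, password: str):
        """Step 1: check the password, then hand back a fresh random challenge.
        Returns None when the password is wrong, so no challenge is issued."""
        record = self.users.get(user)
        if record is None:
            return None
        salt, pw_hash, _ = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, pw_hash):
            return None
        challenge = f"{secrets.randbelow(10**8):08d}"
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user: str, response: str) -> bool:
        """Step 2: recompute the expected code and compare in constant time.
        The challenge is consumed either way, so a captured response cannot be
        replayed against a later login."""
        challenge = self.pending.pop(user, None)
        if challenge is None:
            return False
        _, _, device_key = self.users[user]
        return hmac.compare_digest(response_code(device_key, challenge), response)


if __name__ == "__main__":
    srv = Server()
    srv.enrol("alice", "correct horse", b"card-secret-bytes", "1234")
    ch = srv.start_login("alice", "correct horse")
    print("challenge:", ch)
    print("login ok:", srv.finish_login("alice", device_response(b"card-secret-bytes", "1234", ch)))
```

The property worth noticing is that the password alone gets you nothing but a challenge, and the challenge is worthless without the physical card and the PIN typed into the reader; a response read off the display is single-use because the server discards the challenge on the first verification attempt.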

~~~
dkokelley
That's pretty good. My bank has something like that for their online data
storage, except instead of a device that will give me the code (I could get
that for $25 they say), they send me an SMS with the code after I enter my
password.

------
kogir
Charles Schwab takes long password but truncates them at 8 characters without
telling you. I discovered this the hard way by trial and error when linking it
in Quicken.

~~~
jedbrown
Sounds like a credit union I used to use that restricts the charset, is
silently case-insensitive, and emails you _your_ password if you go through
the lost password dialog (it had been upcased). I sent them a letter chewing
them out for this joke of security (about a year ago), and they still haven't
changed anything.

------
DanielStraight
I like the idea. I think it would be nice to also include sites that store
passwords in plain text. I always email sites if they send me my password in
plain text. Half the time they reply and say it's not really so bad. Half the
time they reply and clearly don't understand why I would even care. I've yet
to see anyone admit that it's a problem. If we could get that solved, that
would really be nice.

~~~
jedbrown
I do this too. The typical response is that they are forwarding my concern to
their technical department, and I hear nothing further, and the issue never
gets resolved.

------
TheKid
ING's isn't a password, it's a PIN number. That's why you can't use any letters
or special characters.

~~~
garethm
That is kind of true - ING do call it a PIN. The thing is that all I can do
with the PIN is to log on to their online banking site. That makes it a
password in my opinion.

If I want to use my card at an ATM say, they require me to use a different
PIN.

~~~
pmjordan
And the penalty for typing in the wrong PIN at an ATM is presumably a lot
higher than providing the wrong PIN on their website, which means the
feasibility of a brute force attack (which is what password complexity is all
about) is entirely different.

~~~
ldite
No; 3 incorrect PIN entries on their website locks you out, and you have to
get a reset. DoS of other people is made harder by also needing a customer
number to login.

------
icefox
I believe that the logic behind ING direct is that by requiring you to use a
mouse to click out your password it prevents key sniffers. And they show you a
keypad being a bank.

~~~
garethm
There are banks that do this, but provide you with the full alphabet, as well
as the numbers. The other banks that I've come across with this style also
don't have a maximum password length. I believe that doing this would be an
improvement - it gives you far more combinations.

------
dinkumator
There's really no point in restricting length or non-alphanumeric characters.
They should be storing a salted hash, not the actual passwords, so the content
of the password shouldn't matter.

It's really just laziness and incompetence on the part of the programmers.

~~~
derwiki
The argument I once heard for restricting length of a password (and possibly
special characters) is that it would be harder to craft a buffer overflow (or
SQL injection attack) with those limitations. I don't agree that this is a
good solution, but it's not always good programmers/managers who are making
these decisions. It at least sounds plausible.

~~~
jfarmer
Hmm? The hash will be a fixed length, which is the only thing you'd be
storing.

~~~
branden
In order to get that hash you'd have to process the password in its entirety.
But really, if they're that concerned about the buffer I see no reason to cap
it at 8 or 10 rather than 1000.

~~~
jfarmer
Eh. That seems unlikely, assuming you're not writing your own routines. At
most you'd get an out of memory error. I can calculate the SHA1 digest of a
1Bn character string without running into that problem.

So let's cap the length at 100k characters and call it a day.
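
An added example (not code from any of the commenters or the sites named) tying together dinkumator's salted-hash point, jfarmer's fixed-length-digest point, kogir's silent 8-character truncation and jedbrown's upcased passwords. It uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count and the 100k-character cap are illustrative constants, the cap being a denial-of-service guard rather than a storage need:

```python
"""Salted hashing that accepts any length or charset, beside the two storage
anti-patterns from the thread reproduced so their effect is visible.
Constants are assumptions for this example, not recommendations for any site."""
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

ITERATIONS = 200_000          # assumption: tune to your hardware
MAX_PASSWORD_CHARS = 100_000  # jfarmer's generous cap; a DoS guard, nothing more


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is always 32 bytes whatever the input
    length or characters, so the stored column never needs a password limit."""
    if len(password) > MAX_PASSWORD_CHARS:
        raise ValueError("password exceeds the length cap")
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    if len(password) > MAX_PASSWORD_CHARS:
        return False
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# The anti-patterns complained about above, reproduced deliberately.
def hash_truncating(password: str, salt: bytes) -> bytes:
    """Like the site that silently keeps only the first 8 characters."""
    return hash_password(password[:8], salt)[1]


def hash_case_insensitive(password: str, salt: bytes) -> bytes:
    """Like the credit union that upcases the password before storing it."""
    return hash_password(password.upper(), salt)[1]


def hash_correct(password: str, salt: bytes) -> bytes:
    """The same hasher with no pre-processing, for comparison."""
    return hash_password(password, salt)[1]


def collides(hasher: Callable[[str, bytes], bytes], a: str, b: str) -> bool:
    """True when two different passwords land on the same stored value, i.e.
    either one will log the user in."""
    salt = b"fixed-salt-for-demo"  # constructed; real salts are per-user and random
    return a != b and hasher(a, salt) == hasher(b, salt)


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("digest bytes:", len(digest), "| 50k-char digest bytes:", len(hash_password("x" * 50_000)[1]))
    print("truncation collision:", collides(hash_truncating, "Tr0ub4dor&3-extra", "Tr0ub4dor&3-other"))
    print("case-folding collision:", collides(hash_case_insensitive, "Secret", "SECRET"))
```

Two things the block shows that the thread only asserts: the digest length does not move when the input grows from a few characters to tens of thousands, and truncation or case-folding before hashing quietly shrinks the set of distinct passwords the site can tell apart, which is what the silent 8-character limit and the upcased reminder email both amount to.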

------
kylec

        Google, MSN, Facebook, Twitter - They all already allow
        you to use anything you want for your password.
    

This is not strictly true - while Google et al might have a large set of
permitted characters, there are nearly always restrictions on length. Google,
for example, requires that their passwords be at least 8 characters long.
While a long password does reduce brute-force attacks and shoulder-surfing, it
nevertheless is a restriction.

~~~
wvenable
Requiring long passwords is a restriction that leads to a more secure
password. This site (it's called weakpasswords) is about restrictions that
make your password less secure.

The site for my credit card requires a password that is no _more_ than 6
characters -- talk about insecure.

~~~
EricBurnett
_The site for my credit card requires a password that is no more than 6
characters -- talk about insecure._

Not necessarily. Oftentimes banks will set a hard limit on the number of
unsuccessful attempts you can make before they lock you out entirely. Then you
have to phone them and jump through a number of hoops to prove you are who you
say you are, and then reset the password. If they do a really good job
preventing brute-forcing, then having an un-brute-forceable password is not
necessary any more.

The easiest example of this is debit card PINs. They are usually only 4
numeric digits, and yet are trusted by banks for direct access to accounts.
This is because a) banks have sophisticated systems to track brute-forcing and
other kinds of abuse, b) longer pins are more prone to being written down,
forgotten, and mistyped, and c) there are limits on how much you can purchase
/ take out per day, limiting the potential damage.
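
As an added illustration of the lockout argument above and of ldite's "3 incorrect entries locks you out" description (example code, not any bank's implementation): a per-account failure counter that locks after a fixed number of misses, an unlock path that stands in for the phone call, and the arithmetic of how little a short PIN matters once attempts are capped. The limit of 3, the PIN hashing and all account numbers are constructed for the example:

```python
"""Account lockout after N failed PIN entries, with the customer number acting
as a second secret. Constants and data are constructed for this example."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3  # the figure ldite reports; an assumption for this example


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failures: int = 0
    locked: bool = False


class LoginGuard:
    def __init__(self):
        self.accounts = {}  # customer_number -> Account

    def create(self, customer_number: str, pin: str) -> None:
        salt = os.urandom(16)
        self.accounts[customer_number] = Account(salt, _hash_pin(pin, salt))

    def attempt(self, customer_number: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked'. An unknown customer number gets the
        same 'denied' as a wrong PIN, so the response does not reveal which
        numbers exist (ldite's point: the number is itself part of the secret)."""
        acct = self.accounts.get(customer_number)
        if acct is None:
            _hash_pin(pin, b"dummy-salt-same-cost")  # spend the same time as a real check
            return "denied"
        if acct.locked:
            return "locked"  # even the right PIN is refused until a reset
        if hmac.compare_digest(_hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            return "locked"
        return "denied"

    def reset_after_identity_check(self, customer_number: str, new_pin: str) -> None:
        """The 'phone them and jump through hoops' path: performed out of band,
        after which the counter is cleared and a new PIN installed."""
        salt = os.urandom(16)
        self.accounts[customer_number] = Account(salt, _hash_pin(new_pin, salt))


def guess_success_probability(space_size: int, attempts: int) -> float:
    """Chance that `attempts` distinct uniform guesses hit one account's secret
    before the lock engages: attempts / space_size, capped at 1."""
    return min(1.0, attempts / space_size)


if __name__ == "__main__":
    guard = LoginGuard()
    guard.create("12345678", "4821")
    for guess in ("0000", "1111", "2222", "4821"):
        print(guess, "->", guard.attempt("12345678", guess))
    print("4-digit PIN, 3 tries:", guess_success_probability(10**4, 3))
    print("6-char lowercase+digit password, 3 tries:", guess_success_probability(36**6, 3))
```

The probability helper makes EricBurnett's point concrete: with three tries before lockout, a 4-digit PIN yields a 0.03% chance per account, and moving to a 6-character password changes that number but not the order of the risk, which is why the lockout, the daily limits and the abuse monitoring carry most of the weight. It also shows the cost of the control: anyone who knows a customer number can lock that account with three wrong guesses, which is the denial-of-service trade-off ldite mentions.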

~~~
pbhjpbhj
So you're saying that having more chars in the password or more number options
in the PIN wouldn't increase security?

PIN requires you to possess a card with the account details and relevant
security data. Yes they're clonable but you can't do a distributed attack on
thousands of accounts that way.

Online, as many banks have leaked customer data, one can use a botnet to try
common passwords against thousands of customer accounts (you may need to get
account data elsewhere to do this or customer numbers may be guessable). 6
chars severely limits the passwords to try.

------
sriramk
American Express is the worst offender. They don't accept my usually long
passwords/passphrases so I had to conjure up a shorter password just for their
system.

~~~
maukdaddy
I cringe every time I log into the AMEX site. I cannot believe a financial
institution as large and with the resources they have allows that kind of lax
security. Even worse when you consider the business accounts that manage
hundreds or thousands of corporate amex cards.

------
eli
Yeah, ING Direct's password scheme is pretty lame. I assume the idea was to
use a simple numbers-only on-screen keyboard to avoid keyloggers. Seems silly,
since if malware were to target them it would obviously just track clicks
instead.

Though to be fair, they ask additional security questions if you haven't
previously logged in from that browser.

~~~
IgorPartola
<megarant>Their model sucks. First I have to now remember (can be read as
write down) a separate account number, a bunch of digits. Second I have to now
create a PIN and I can't even use a keyboard to type it in.

Account creation at ING is also awful. I created my account, but did not yet
"activate" it. Keep in mind that it did not tell me in any obvious way that I
needed to take extra steps to activate the account. Once I tried to log in it
started asking me questions like "What is your father's father's name?" and my
answer was: you cannot possibly know that yet since I haven't told you.
Eventually I figured that out.

Next comes the verification of my checking account. This was fun because I
have a joint checking account and a joint ING account. Guess what: it made me
AND my wife verify the same exact transactions. Seriously? It's just bad UX
all around. Now that I've got it set up I am fine with using it, just the
initial process was awful.</megarant>

~~~
mcantor
Actually, you can click a little "Use Keyboard" link to let you type it in.
Thank goodness.

~~~
IgorPartola
Yes, but you still can't type in the number. It just lets you use the keyboard
to navigate their "number pad".

~~~
mcantor
Weird, it lets me type the number directly into the text box.

------
pierrefar
Just 2 days ago, I got a call from Natwest bank (UK) from the credit card
fraud team. Again. I duly called back and they explained that an attempt to
use my card online failed at the Secure Code step. I explained to the caller
that Secure Code is a piece of rubbish because it uses very weak passwords
(alphanumeric only, 8 chars long) and it's the equivalent of protecting my
money by wrapping it in a piece of paper. I refuse to sign up to it or use
because it is so rubbish.

He couldn't care less. So I asked him to file a formal complaint about this
point. I doubt he did.

For those that want to know more about InSecureCode:
[http://www.mastercard.com/us/personal/en/cardholderservices/...](http://www.mastercard.com/us/personal/en/cardholderservices/securecode/index.html)

~~~
henrikschroder
It's the same as Secure3D for Visa, right?

It is actually kind of secure because the card processor never gets or knows
your extra code, but the implementation is atrocious since it requires the
website wanting your money to display a webpage from your bank. The odds of
that page integrating nicely with the website's payment flow is kinda
nonexistent, and always sets my fraud alert spinning.

~~~
mmelin
Visa calls it "Verified by Visa", actually. The common name is 3-D Secure. And
yes, the implementation sucks, especially since you're dependent on the
_issuing_ bank being able to keep their 3-D Secure server up (which serves the
auth step).

------
Elepsis
Erm, Delta sure seems like an odd member of the list, doesn't it?

They require you to enter a SkyMiles number and a PIN, along with your last
name... all of which is certainly not very secure information. But ultimately,
all that gives you access to is viewing a person's SkyMiles account. It hardly
seems to make sense alongside banking sites.

~~~
Zak
Access to a Skymiles account allows booking award tickets - in any name, as
well as using any stored credit card to pay for part of the cost. I think it
also allows redirecting email notifications to another address. I think the
chances of catching the person responsible for a fraudulent use of such an
account are higher than for a bank account, but the potential harm is pretty
high.

------
1amzave
How timely! Just last night I was frustrated by a stupid policy when changing
my online banking password (my bank is now listed). I think his once-a-month
policy could stand to be more aggressive, though.

~~~
dinkumator
Good point. I didn't really expect this big of a response in 24 hours, but I
may bump it up to sending a message every few hundred votes.

------
teye
I can upvote one item as much as I want if I clear my cookies.

Voted for Amex (twice). I'm always annoyed that the 8-character limit prevents
me from using my normal password + PwdHash.

~~~
Jach
He probably should use IP logging too, but beyond that and cookies what can
you really do?

~~~
dinkumator
Yeah, I made it once per session, that way I don't have to track IPs. It could
be better, but it's not worth the trouble/storage.

------
pieter
The Postbank (in the Netherlands) still has case-insensitive passwords,
decreasing password complexity by orders of magnitude.

~~~
warp
Of course the Postbank no longer exists, so you're probably talking about
ingbank.nl.

------
weaksauce
So ING Direct only lets you use numbers? Are there more authentication steps
than just a login / PIN combo?

------
josefresco
Hey business owner. I see that you're using a faulty window lock on your back
window and I'm concerned about my data. I took the liberty of posting on a
town bulletin board details of this faulty lock along with other local
businesses that have the same lock in hopes that the townspeople will pressure
you into improving your window lock system.

------
jdagostino
You should add a feature to flag duplicates - Westpac is listed multiple
times.

