

Electronic Arts Hates Strong Passwords - Strom
http://www.kaurkuut.com/blog/electronic-arts-hates-strong-passwords

======
nettdata
Having been an Online Architect brought in for a couple of major EA projects
(other than this one) I can tell you that they have a very robust and secure
centralized user account system available.

The problem comes when you have so many different game teams with varying
experience in online security that are allowed to basically implement it as
they see fit, and basically "proxy" the account generation/creation process to
that centralized user account system. While the underlying system is very
capable, the individual game team's end-user offering can be less than
optimal, shall we say.

This particular password issue is not an EA-wide thing, to be sure.

~~~
drinian
If it's so robust, then why were these hacked passwords being stored unsalted?

~~~
nettdata
If your car has 6 gears, why are you only using one?

Again, it's all about the implementation. Some game teams opt to do their own
storage of user information rather than rely on the remote service call to the
centralized system.

In some cases, like the two projects I worked on, the central system doesn't
store all of the user data you need, so you end up storing some in the local
system, extending the centralized one. "Some" teams opted to build their own
rather than take advantage of the one that existed. (For what it's worth,
there is a lot of "build it ourselves" mentality in some teams).

This particular team has a few "interesting" things that they've done beyond
the user authentication. Their authorization and entitlement implementations
left more than a few of us from other teams scratching our heads as to how
they opted to utilize the centralized EA service. It was less than ideal, and
did cause some issues for a few other teams.

I don't want to get into it too much, but I guess if there's one message I'd
like to share it's that EA is not one big company, but rather a whole bunch of
individual development teams working on their own things. As much as there is
an attempt to centralize a lot of knowledge and services, it's by no means a
given that everyone's doing the same or right thing.

Just because one team totally screwed the pooch on stuff like this, doesn't
mean others have as well.

A lot of the teams have some leeway and discretion when it comes to what
technologies or internal services they use, and sometimes that's a good thing,
sometimes it's not.

------
yason
Someone heard "must validate all input", scratched his head for a while going
about how to validate the password field, and thus came up with _some
artificial_ limitations? If so, it's a huge misconception about what it means
to "validate" data. If not, someone's just really stupid.

This goes into the same category as validating email addresses (just go ahead
and send the confirmation email and watch me not replying in case I entered a
bad address, instead of complaining I can't use plus or some other allowed
character in it) or my phone number (if you're picky about formatting I can
already give you 01234567890 if I want so just let me, in the first place,
type in a nicely formatted "+44-123 4567890" or something that I like) or
asking me to provide something twice (I'll just copypaste from the first
field, thanks; would be more useful if you just printed a confirmation of what
I wrote onto the next page).

~~~
starwed
_asking me to provide something twice (I'll just copypaste from the first
field, thanks; would be more useful if you just printed a confirmation of what
I wrote onto the next page)._

Asking for something (normally a password or email) twice is for _your_
benefit -- to guard against typos. There are many typos you might miss visual
confirmation of; I'm fairly certain the type-twice method is a sound one.

~~~
yason
Asking passwords twice is quite ok--even Unix does it; it's the other things
sometimes asked twice which is totally useless. Most commonly it's something
like having to retype your _email address_. Woot?! You can already see it in
plaintext so you can just correct any errors there.

~~~
starwed
Argh, no! How many people would actually bother to visually verify their
address? A typo here is actually more problematic than in your password -- if
you typo that, you'll be instantly aware of it and can do an e-mail reset.

If there's a typo in the e-mail field, you won't be aware of it until you
forget your password and try to do a reset -- and for the majority of
services, that means you are now _completely locked out of your account._

------
Revisor
Unfortunately the silent limits of the password fields are very prevalent.

I found out the hard way after I'd started to use Keepass to generate and
manage my passwords.

There are even sites that have different limits for the "Change password" and
"Enter password" input fields. E.g. change accepts up to 30 characters but enter
accepts only 20 chars.

Obviously they don't even know why it matters.

I think the developer just silently presumed that no one would enter such long
passwords.

The problem is really prevalent.

~~~
fmw
Limits on password length smell like plain text storage. Hashes tend to make
the length of the password irrelevant (although some bad implementations only
look at the first n characters of the string and ignore the rest), but when
you store it in a relational database row you need to come up with some
arbitrary limit.

~~~
safeaim
Hope you're not right, as PayPal only lets you use up to 22 chars if I'm not
mistaken.

~~~
fmw
I'm not saying that this is the only reason why people come up with a limit on
password length, but that I can imagine that _some_ programmers who come up
with such a limit do so because of plaintext storage in a fixed length
database row (which is the only quasi-technical excuse for a limit I can come
up with).

------
arkitaip
The worst example that I've seen has to be the site that could only handle
password per {6,12}[A-Za-z0-9] - incredible.

Oh, I remember another one that's just as annoying. This site simply chopped
off your password after n characters and it never gave you any kind of warning.
Took a lot of troubleshooting to find out the exact position of n.

~~~
Derbasti
Think about all-numeric PIN style passwords. I have seen banking websites that
enforce [0-9]{4,6}

~~~
David
My bank limits you to 20 characters, which I'll grant is decent. But: NO
non-alphanumerics, and, get this, is _case insensitive_.

This may just convince me to switch banks...

~~~
city41
My bank is about to roll out a new online banking system. They are requiring
us to create a new password for the new system. So in order to log into the
new system for the first time, they emailed us telling us to email them back a
6 digit pin to identify ourselves for the first login. My response is to start
looking for a new bank.

------
zimbu668
I activated an ATM card once and the automated system told me for a PIN "Many
of our customers are choosing their mother's birthday, please enter the month
and day your mother was born."

So, out of a keyspace of 10,000, they were shoehorning most of their users
into a space of 365(366). I tried to enter something that was not a valid 4
digit date and the system rejected it. I had to call back and talk to a
customer service rep to get a non-date PIN.

~~~
drdaeman
Must be a nice experience for orphans who don't know their mother's birthday.

------
plamenv
Can anyone explain why would you want a password longer than 16 characters?
Even if it's unsalted, all lowercase letters and md5 hashed, it's impossible
to bruteforce crack it. And people who use 16 character passwords are unlikely
to have them all-lowercase-lettered so it's even worse for the crackers.

Sure, the 16 char limit may be arbitrary but even if you make it 50, tomorrow
some outraged blogger will be complaining that he can't enter his
100-character password.

~~~
tedunangst
I use 16 letter or longer all lowercase passwords. They're easy to type and
easy to remember. For example, my HN password might be
ishouldbemoreproductive. It's hard to crack, but doesn't require finger
gymnastics to enter.

~~~
skimbrel
Actually, English phrases contain very little entropy -- as little as 0.6 bits
per character. This is because the rules for what constitutes a valid word or
phrase dramatically reduce the number of possible characters at a given
position. To look at it another way: take an arbitrary string of letters.
What's the probability that it forms a valid English word? Very low. Flipping
this the other way, if we know that a password is constructed of English
words, we can immediately throw out a vast majority of the search space simply
because it contains substrings that never appear in real English text.

Here's a better way to construct a strong, yet memorable password:

Take a full sentence, including punctuation and capitalization. Use the first
letter of each word as your password. For example, "I should go on Hacker News
less frequently, because I'll be more productive." becomes "IsgoHNlf,bIbmp.".
We now have three character classes in what appears to be a random sequence.

(Yes, this still has patterns due to being constructed from English. But we've
effectively taken a longer English phrase, with higher total entropy, and
compressed it into a string that doesn't exhibit the low per-character entropy
of the full words.)

~~~
tedunangst
Obviously, there are rules for what constitutes a valid phrase, but they are
rather complex for a password cracker to check.

My computer says there are 234979 words. Pick 5 and there are
716382975036689591261090899 combos. That is actually very very close to a 15
letter alphanumeric. 62 ^ 15 = 768909704948766668552634368.

I don't doubt that IsgoHNlf,bIbmp. is a secure password. But it's a bitch to
type. Especially on a phone.

------
benologist
Does it matter if they're strong if all they're going to do is md5 them?

~~~
redthrowaway
Long, random strings with weird characters are unlikely to be in any md5
dictionary, so you'd have to bruteforce it. MD5 is a fast algo so that
shouldn't take long for short passwords, but it does provide _some_ security.
If you've chosen a strong password then bruteforcing isn't a concern, so the
fact they <s>hashed instead of encrypting</s> (edit: used a weak hashing algo)
won't matter.

It's better than nothing, but not much. The fact that they md5'd it at all
suggests they were thinking about security, just not very hard or well.

~~~
Freaky
> MD5 is a fast algo so that shouldn't take long for short passwords

Indeed: <http://www.golubev.com/hashgpu.htm>

On my pair of HD 5870's I get about 6.3 billion hashes/sec - with lowercase
alphanumerics, that's up to 8 characters in about 8 minutes, 9 in 5 hours, and
10 inside a week.
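A worked comparison of the policies quoted in this thread, added here as an example rather than anything from the original comments: it computes each policy's keyspace and the worst-case time to exhaust it at the 6.3 billion hashes/second figure given above, and checks tedunangst's five-words-versus-15-alphanumerics comparison. The hash rate and the 234979-word dictionary size are the thread's own figures; the policy list and its charset sizes are constructed assumptions.

```python
import math

# Hash rate quoted in the thread for two HD 5870 cards running MD5 (thread figure).
HASHES_PER_SEC = 6.3e9


def keyspace(charset_size, min_len, max_len):
    """Number of distinct passwords a policy admits: sum of N**L over allowed lengths."""
    return sum(charset_size ** length for length in range(min_len, max_len + 1))


def entropy_bits(space):
    """Entropy in bits of a password chosen uniformly from a space of this size."""
    return math.log2(space)


def exhaust_seconds(space, rate=HASHES_PER_SEC):
    """Worst-case time to try every candidate in the space at the given hash rate."""
    return space / rate


def passphrase_space(dictionary_size, n_words):
    """Ordered choice of n_words from a dictionary, repetition allowed (tedunangst's count)."""
    return dictionary_size ** n_words


# Policies mentioned in the thread (constructed list; charset sizes are assumptions).
POLICIES = {
    "mother's birthday as PIN (month+day)": 366,
    "bank PIN [0-9]{4,6}": keyspace(10, 4, 6),
    "8 chars, lowercase alphanumerics (Freaky's benchmark)": keyspace(36, 8, 8),
    "{6,12}[A-Za-z0-9]": keyspace(62, 6, 12),
    "16 chars, 95 printable ASCII": keyspace(95, 16, 16),
}


def policy_report(policies=POLICIES, rate=HASHES_PER_SEC):
    """Return {policy name: (entropy bits, days to exhaust)} for each policy."""
    return {
        name: (round(entropy_bits(space), 1), exhaust_seconds(space, rate) / 86400)
        for name, space in policies.items()
    }


def passphrase_vs_random():
    """Entropy of 5 dictionary words versus 15 random alphanumerics, in bits."""
    words = passphrase_space(234979, 5)   # word count quoted in the thread
    alnum = keyspace(62, 15, 15)
    return entropy_bits(words), entropy_bits(alnum)


if __name__ == "__main__":
    for name, (bits, days) in policy_report().items():
        print(f"{name:55s} {bits:6.1f} bits  exhausted in {days:12.4f} days")
    words_bits, alnum_bits = passphrase_vs_random()
    print(f"5 words: {words_bits:.1f} bits; 15 alphanumerics: {alnum_bits:.1f} bits")
```

The 8-, 9- and 10-character rows reproduce the "8 minutes, 5 hours, inside a week" estimates above; the two-of-each-class "exactly 14" rule further up is deliberately left out because the thread does not say which symbols it permits.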

~~~
redthrowaway
Pair of HD 5870's... BitCoin mining? I'd heard they were the most
cost-effective card for it.

------
rdin
I used to work at EA (now doing a YC company), you can change your password
here:

<http://profile.ea.com>

Though it doesn't fix any of the encryption limitations that they are using.

------
hebejebelus
My biggest surprise when resetting a bunch of passwords from the Sony hack was
the fact that Paypal wouldn't let me use a complex password like the one in
the article (no longer than 16 [or something like that] chars, no quotation
marks, etc.

For another service, I would have thought that'd be okay - annoying, but okay.
But a service with access to a whole bunch of my money? Not cool.

Perhaps it's changed since, but still, the fact that it once was that way is
bad enough.

------
muppetman
ASB Bank in New Zealand allows a maximum of 8 characters for your passwords.
Numbers and letters only.

That's right, all that stands between you and your account details is 8
characters.

If someone tries to transfer out over ~$200 then you get a text message on
your phone - IF you've enabled that service. So it's not the end of the world,
but it's still pretty terrible.

~~~
jlangenauer
Yes, but (like most banks) I dare say they'd lock your account after 3
incorrect attempts, and you'd have to unlock it out-of-band (e.g. calling
their call centre).

~~~
muppetman
This is a good point.

------
s00pcan
I don't get why passwords ever have to be within a certain length, it just
makes it obvious that they're not hashing it. I had to pick one between 6-10
characters (with no symbols) for my Visa securecode the other day.

------
dustingetz
speculation: last few years, password resets have been a far bigger user
hassle than compromised accounts.

obviously companies like EA will need to react to changing conditions -- which
might be challenging -- educating computer-illiterate users isn't exactly a
core business competency. Implementing more secure systems server-side only
addresses half the issue.

Maybe the problem of website credentials could be better solved in the
browser, or by the OS.

------
pandrew
The strength (randomness), length, transfer and storage is essential. It's the
product in itself here that's limited and should allow better security for its
customers.

So when talking storage... go to that nice-looking search field in your IMAP
interface and type "password", any results? I guess it's pleasant to never feel
the need to delete any mail when you can search for it. Nice collection when
attackers breach due to limitations in product.

------
benatkin
I had a similar issue a couple of days ago. reddit let me set a password that
was longer than what the login box would accept. I used the email password
reset instead of firing up Chrome Inspector so I don't know if it would have
worked had I got rid of the maxlength attribute on the input tag.

------
tensafefrogs
I really wish more companies would be publicly shamed for having poor password
practices.

Just the other day I tried to change my twitter password to a password that
contained a space, and it was denied. Their site doesn't allow passwords with
spaces.

------
treetrouble
No password policy is as egregious as American Express

[http://www.techrepublic.com/blog/security/american-express-p...](http://www.techrepublic.com/blog/security/american-express-password-policy-takes-the-cake/3136)

~~~
count
DEERS/RAPIDS (the DOD contractor/employee ID system, among other things) has
the best restrictions EVER: Passwords must be _exactly_ 14 characters - no
more, no less.

Passwords must contain 2 of each character type:

Caps alpha, lower alpha, symbol, number

Symbols can only be a handful, rather than anything goes.

------
dlikhten
Nice. EA ain't the only ones. My online paystub system demands 6-11 characters,
and alphanumeric+a few special ones. And that's sensitive-ish data. Don't worry,
EA is not so terrible. (ok yes they are)... calling @lolsec and friends.

------
alanh
Backblaze enforces a limit to password length as well. Not as short as 16
characters, but still -- in Backblaze's case, we're talking about a backup of
_all_ your personal data and keys to said data.

------
pavel_lishin
Holy moly, that's really really hard to read against that background.

~~~
beaumartinez
Shameful plug for a tool I love: use Readable. It's like Readability, in that
it strips all content other than the article's text and styles it to make it
more readable (larger, aesthetic font), but unlike Readability (or perhaps
more correctly, like Readability _used_ to be), it's lightning fast.

<http://readable.tastefulwords.com/>

~~~
pavel_lishin
Thanks! This is perfect, I dislike that Readability redirects you to their own
server. I know they have to adapt their business model, but it's killing the
usability factor.

------
mikle
16 character limit and at least some symbols... This is luxury compared to a
lot of services, even online shopping or banking sites.

Not salting though, should be against the law.

------
cdcarter
Just like sites that can't handle a capital letter in a username. What is your
database doing?

------
MichaelGG
Windows Live also has a 16 character, restricted-character limit.

~~~
saulrh
Even worse, if I remember correctly they silently truncate passwords longer
than 16 characters. I wasted nearly an hour trying to log in when they started
doing that.

~~~
baha_man
They're not the only site to silently truncate passwords, unfortunately.

(I hope you're joking about spending an hour trying to log in, though.)

~~~
saulrh
The only reason I had a Live account was for the xbox, and one day they
updated something and I suddenly couldn't log in. It took me ten or fifteen
tries to figure out why my newly-reset passwords weren't working, and it took
their system two or three minutes to deliver each password-reset email.

------
neebz
Where can you find a MD5 hash-to-source dictionary ?

~~~
pandrew
Databases are stored all over, the user creates the md5 from a string and the
webpage collects it. When you reverse, they only check the hash against the
database.

[http://www.google.se/search?q=md5+reverse&ie=utf-8&o...](http://www.google.se/search?q=md5+reverse&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a)

------
hackermom
As for the "special characters" not being allowed, there is a sane and logical
reason behind this (but whether or not EA's developers had this in mind will
remain unanswered): the ASCII set is intuitively and easily available from any
keyboard setup and locale in the world. Using special characters in your
login/password, characters perhaps only available through your specific locale
and keyboard - people living abroad know this problem well - puts users in
the situation of not being able to access the implied service if they happen
to need to when away from their personal computer, unless they know how to
summon and use an IME - something not many "ordinary" users know, trust me on
that one. It is my personal opinion that a user should never have to end up in
this situation just because he or she isn't savvy enough. The benefit of
allowing characters outside the ASCII range is obvious to most people, but the
problem that comes with it seems like something no one ever thinks about.

~~~
kennu
Bad excuse. Sure you can _warn_ the user, but completely forbidding using
secure passwords is out of the question.

~~~
hackermom
Passwords aren't inherently safe just because you use multibyte characters or
the full ASCII set, and likewise they aren't unsafe just because you don't.
It's not a bad excuse at all, but with that said it's not implied that EA took
the best route on this regardless of the reasons behind their design. It could
definitely be better.

------
thisisfmu
I would not be surprised if the subset of allowed characters was motivated by
ensuring easy input across a variety of gaming devices and console UIs. Of
course, I also would not be surprised if this was due to sheer stupidity.

------
drivebyacct2
They also don't accept email addresses in tons of places that end in anything
other than .com (or maybe, if you're lucky, .net)

------
tomp
OMG, that's all I can say. I'm no expert on security, but the few web sites
that I wrote, I intuitively tried to do something as complicated as
possible... e.g.

    md5('something silly' + password + 'qtjwtrb89ujq309')

Now, if I were to make an authentication system again, I would use custom salt
for every user, something like

    sha1('random1' + username + 'random2' + password + 'random3')

This way, there is no way to use rainbow tables or something like that.

~~~
LukeShu
That's better, but still horribly broken. SHA-1 and MD5 simply aren't adequate
for secure passwords; they are still broken too quickly. You should use
bcrypt. <http://codahale.com/how-to-safely-store-a-password/> explains why,
and links to implementations of bcrypt in many environments/languages (in the
opening when he says "Use bcrypt" a hundred times).

~~~
tomp
Thanks. I had something like that in mind, but didn't know what it was called.
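The two schemes from the exchange above, written out side by side as an added example that is not part of the original comments: the fixed-secret MD5 construction from tomp's first snippet, and a per-user random salt with a deliberately slow hash of the kind LukeShu recommends. bcrypt is a third-party package in Python, so this uses the standard library's hashlib.scrypt as a stand-in with the same design goal; the cost parameters, the fixed secret and the sample passwords are constructed.

```python
import hashlib
import hmac
import os

# Weak scheme, in the style of the first snippet above: one fixed secret string
# and fast MD5.  Every user with the same password gets the same digest, and
# MD5 is fast enough that a GPU can test billions of guesses per second.
FIXED_SECRET = "qtjwtrb89ujq309"   # constant taken from the comment, illustrative only


def weak_hash(password: str) -> str:
    return hashlib.md5(("something silly" + password + FIXED_SECRET).encode("utf-8")).hexdigest()


# Hardened scheme: random salt per user plus a slow, memory-hard KDF.  The thread
# recommends bcrypt; hashlib.scrypt (standard library) stands in for it here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # constructed cost parameters (~16 MiB)


def make_record(password: str) -> dict:
    """Build the stored record: salt and cost parameters travel with the digest."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"salt": salt.hex(), "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "digest": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(record["salt"]),
                               n=record["n"], r=record["r"], p=record["p"], dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def compare_schemes(password: str) -> dict:
    """Show the properties the thread argues about for one sample password."""
    rec_a, rec_b = make_record(password), make_record(password)
    return {
        # Unsalted: two users with this password are indistinguishable in the dump.
        "weak_digests_collide": weak_hash(password) == weak_hash(password),
        # Salted: same password, different records, both still verify.
        "salted_digests_differ": rec_a["digest"] != rec_b["digest"],
        "both_verify": verify(password, rec_a) and verify(password, rec_b),
        # The stored digest is fixed-length whatever the password length, so a
        # fixed-width database column never forces a password length limit.
        "stored_digest_hex_len": len(rec_a["digest"]),
    }


if __name__ == "__main__":
    print(compare_schemes("IsgoHNlf,bIbmp."))
```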

