
>Disallowing spaces is particularly annoying for a company with a strong security requirement, as passphrases are simultaneously far more secure and far more memorable than the monkey rules your validation demands.

I just don't understand the logic behind some of these password rules. Wouldn't it require more effort to explicitly disallow certain characters? Like, they wrote code somewhere that is specifically making sure your password doesn't have spaces, and other arbitrarily chosen characters.

It doesn't make sense to restrict anything in passwords other than length (and of course testing that it meets certain complexity/length requirements-- smartly). Just set your DB field to be 30 characters, accept any character, and be done with it.

There must be some logical explanation behind why companies implement these rules. And banks are the worst. Because people far more experienced than me at programming (e.g. Evernote devs) make these decisions, so there must be some reason. Is the decision a defense against SQL injection techniques? Since injections usually contain spaces. But then again, this is 2013 so you think they would use prepared statements, or something.

Madness!
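The "accept any character, hash it, and use prepared statements" approach the comment above argues for, written out as an added example (not code from the commenter or from any bank or vendor mentioned in the thread). It assumes a hypothetical policy with a minimum of 12 characters and a generous 1024-character ceiling (the ceiling only bounds the work the key-derivation function does on a deliberately enormous input), uses PBKDF2-HMAC-SHA256 from the standard library, and stores the salt and hash through a parameterised SQLite query so that spaces, quotes and SQL keywords in a passphrase are just bytes:

```python
import hashlib
import hmac
import os
import sqlite3
import unicodedata
from typing import Optional, Tuple

MIN_LENGTH = 12          # hypothetical policy: the only rule is a length floor ...
MAX_LENGTH = 1024        # ... and a ceiling that stops a multi-megabyte input tying up the KDF
PBKDF2_ITERATIONS = 600_000


def validate_password(password: str) -> None:
    """Length is the only thing checked; every character, spaces included, is allowed."""
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        raise ValueError(f"password must be {MIN_LENGTH}-{MAX_LENGTH} characters")


def _to_bytes(password: str) -> bytes:
    # NFKC normalisation so the same visible passphrase typed on two keyboards hashes alike
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the plaintext is never stored."""
    validate_password(password)
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _to_bytes(password), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", _to_bytes(password), salt, PBKDF2_ITERATIONS)
    # constant-time comparison so a mismatch does not leak how many leading bytes matched
    return hmac.compare_digest(digest, expected)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    # parameterised insert: the password text never touches SQL syntax, so no
    # character needs to be banned to keep injection out
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, digest),
    )
    conn.commit()


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])


def demo() -> dict:
    """Constructed scenario: a passphrase with spaces and SQL-looking syntax."""
    conn = open_db()
    passphrase = "correct horse battery staple' OR '1'='1"
    register(conn, "alice", passphrase)
    return {
        "right_passphrase": login(conn, "alice", passphrase),
        "wrong_passphrase": login(conn, "alice", "correct horse battery"),
        "unknown_user": login(conn, "nobody", passphrase),
    }


if __name__ == "__main__":
    print(demo())
```

The stored column is a fixed-size digest whatever the user typed, which is why the maximum length can be as generous as the KDF budget allows rather than tied to a 30-character field.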




My understanding is that banks have these weird rules because of the legacy systems that they interface with. I've even heard of new systems built on top of old ones by writing an interface layer on top of the green-screen UI of the old system (i.e. automating the green-screen interaction / screen scraping).


I used to have an account with New England Merchants Bank. My ATM PIN was seven digits. But I noticed that the ATM screen would flash after the first four. A little trial and error revealed that that was all I needed to enter! Comparing notes with friends (this was before the internet) revealed that this little secret was common knowledge.

Subsequently, NEMB got subsumed by successively larger banks, until, finally, Bank of America took over. Suddenly, my ATM card wouldn't work! It turned out that they had kept my full PIN on file through the whole chain of acquisitions, but only with B of A did they start comparing ATM PIN entry against the full PIN! My card still worked with the full PIN (which I still remembered, it being an old phone number).


Some banks have IVR systems that allow users to log in to their account via telephone, so they only allow characters that can be entered via the touch-pad.

When you first create your password they translate the characters to the numerals on the phone and then hash it.

In my experience that is the most common reason why you'll see password policies like: "Your password must be between 6 and 20 characters and only contain upper and lower case letters."
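What the keypad translation described in the comment above does to the password space, as an added example (not code from the commenter or any bank's IVR). It assumes the standard ITU E.161 letter layout (ABC on 2, DEF on 3, ..., WXYZ on 9) and a hypothetical policy of letters and digits only; the functions measure how many distinct passwords collapse onto one digit string once case is discarded and each letter becomes a key:

```python
import math
from functools import reduce

# ITU E.161 keypad layout; digits map to themselves, 0 and 1 carry no letters
KEYPAD = {
    "2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
    "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ",
}
LETTER_TO_DIGIT = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}


def keypad_collapse(password: str) -> str:
    """Return the digit string an IVR caller would key in for this password."""
    out = []
    for ch in password.upper():          # case is lost on a phone keypad
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"character {ch!r} cannot be keyed on a touch-tone pad")
    return "".join(out)


def collides(a: str, b: str) -> bool:
    """True when two different passwords are indistinguishable after collapsing."""
    return keypad_collapse(a) == keypad_collapse(b)


def preimages_per_digit(digit: str) -> int:
    """How many alphanumeric inputs (upper, lower, or the digit itself) key to this digit."""
    letters = KEYPAD.get(digit, "")
    return 1 + 2 * len(letters)


def preimage_count(digits: str) -> int:
    """Number of distinct letters-and-digits passwords that collapse to this digit string."""
    return reduce(lambda acc, d: acc * preimages_per_digit(d), digits, 1)


def keyspace_bits(length: int, alphabet_size: int) -> float:
    return length * math.log2(alphabet_size)


def entropy_loss_bits(length: int) -> float:
    """Bits lost when a 62-symbol alphanumeric password is reduced to 10 keypad digits per position."""
    return keyspace_bits(length, 62) - keyspace_bits(length, 10)


if __name__ == "__main__":
    for pw in ("cat", "bat", "Cat"):           # constructed inputs that all become "228"
        print(pw, "->", keypad_collapse(pw))
    print("passwords hiding behind 228:", preimage_count("228"))
    print("bits lost at length 6: %.1f" % entropy_loss_bits(6))
```

Because the hash is taken after the collapse, a stored record for "cat" verifies equally well for "bat" or "CAT"; for a six-character password the collapse removes roughly 16 bits, leaving at most a million distinct hashes regardless of how the user mixes case or letters.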


Since you're only going to store the hashed value, there's no practical reason to limit the maximum length of the password.


"Since you're only going to store the hashed value"...

Look fellas, we've got an optimist over here!


netteller (I think was the name?), an online banking system used by many smaller banks, including the bank I used to bank at in Tennessee, used to require passwords be exactly 6 alphanumeric characters. This didn't change until just a year or two ago. Scary.



