Ars Technica has an excellent article on why many sites have security limiting password policies. I’ve written about this before on my old blog, but the Ars Technica article is particularly infuriating. So much so that this is my second attempt at writing about it; I had to abandon the first attempt for mental health reasons.
We all know the horror stories. There’s the brokerage firm that limits passwords to 5, 6, or 7 characters. Others have a seemingly arbitrary prohibition on some or all symbols. Many limit password length in arbitrary ways. Ways that suggest the passwords themselves are being stored rather than a hash of the passwords1.
But why do they have these restrictions? If they are implementing robust password security (using bcrypt, scrypt, PBKDF2, etc.) the restrictions don’t make any sense. Sure, maybe you want to limit your input buffer to 1K or even 512 bytes but that’s not a serious restriction. To find out, Ars Technica queried some of the offending sites about the reasons for their password policies.
The answers, as I say, are infuriating. One major company, which should certainly know better, says that most attacks can’t be defended against by password length and that in any event password cracking is hardly their biggest security problem. Another says that they allow only the dash and underscore symbols because symbols are harder to enter on mobile devices and customers don’t like entering them even on computers (I’m not making this up).
Go read it for yourself. There are other examples. Some make reasonable technical arguments involving regular expressions that check for password validity but here’s the thing: if you simply accept up to some number—512, say—of bytes for the password and hash the result using something like bcrypt you don’t have to do any validity checking. Hash functions don’t care what bytes you feed them and the end result of bcrypt and its brethren are a fixed length so managing storage space in a non-issue. Really, doing it right is simpler. It’s time to fix this instead of offering lame excuses. And please, stop telling me it’s raining.
Footnotes:
1 What does a maximum password of 15 ASCII characters suggest to you?