No sooner had I pushed my Bad Passwords post than I stumbled on this post by Marc Bevand over at Zorinaq. Bevand reports that VISA's Verified by VISA authentication system forces users to select weak passwords (this may not be VISA's fault, see below). Passwords so weak that if they were used on a Windows machine they could be bruteforced in less than two and a half hours. Valid passwords under VISA's rules must be between 6 and 8 characters long (inclusive) and use only letters and numbers. Thus the key space is 62^8 + 62^7 + 62^6 = 221,918,520,426,688. That may seem a big number but it's well within bruteforce territory.
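To make the key space argument concrete, here is a small calculator (added here, not from Bevand's post or mine) that reproduces the 6–8 character alphanumeric count, derives the guess rate implied by the "under two and a half hours" figure, and applies that rate to a few assumed alternative policies; the alternative policies and the 95-character printable-ASCII alphabet are assumptions for comparison.

```python
# Added example: size of a password policy's search space and the worst-case
# time to exhaust it at a given guess rate. The 62-symbol alphabet, the 6..8
# length range and the 2.5 hour figure are from the post; everything else
# (alternative policies, 95-symbol alphabet) is an assumption for comparison.

def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords with lengths min_len..max_len inclusive."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def hours_to_exhaust(space: int, hashes_per_second: float) -> float:
    """Worst-case hours to try every candidate at the given guess rate."""
    return space / hashes_per_second / 3600

def implied_rate(space: int, hours: float) -> float:
    """Guess rate (hashes/s) needed to exhaust `space` within `hours`.
    The post says 'less than' 2.5 hours, so this is a lower bound on the rate."""
    return space / (hours * 3600)

# Verified by VISA policy as described in the post: [A-Za-z0-9]{6,8}
VBV_SPACE = keyspace(62, 6, 8)           # 221,918,520,426,688
VBV_RATE = implied_rate(VBV_SPACE, 2.5)  # about 2.5e10 hashes/s

# Assumed comparison policies (not from the post).
COMPARISONS = [
    ("10 alphanumeric", 62, 10, 10),
    ("12 alphanumeric", 62, 12, 12),
    ("12 printable ASCII", 95, 12, 12),
]

def years_to_exhaust(alphabet_size: int, min_len: int, max_len: int,
                     hashes_per_second: float = VBV_RATE) -> float:
    """Worst-case years to exhaust a policy at the post's implied rate."""
    hrs = hours_to_exhaust(keyspace(alphabet_size, min_len, max_len),
                           hashes_per_second)
    return hrs / 24 / 365.25

if __name__ == "__main__":
    print(f"VbV key space:  {VBV_SPACE:,}")
    print(f"implied rate:   {VBV_RATE:,.0f} hashes/s (lower bound)")
    for label, alpha, lo, hi in COMPARISONS:
        print(f"{label:<20} {years_to_exhaust(alpha, lo, hi):,.1f} years")
```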
It seems there is little hope of having the banks and other financial services enforce a secure password policy. After all,
password are both valid passwords for Verified by VISA.
All of this is a shame because VISA is, of course, a tempting target and it's not unreasonable to assume that sooner or later someone will manage to get their password hashes. From there, it's an easy step to bruteforce them and start looting accounts. It's also a shame that responsible customers who would like to use secure passwords are prevented from doing so. It's hard to see any reason for VISA's password policy other than some PHB assuming the mantle of security expert and just decreeing them out of ignorance.
Just as I was getting ready to publish this, I read some additional comments to Bevand's post and there are two more points worth mentioning from them.
- The password policies for Verified by VISA are set by each VISA card issuer so the culprit in this case is the individual bank. Another commenter reported that Barclay's doesn't even hash the passwords, which is truly shocking.
- Apparently, (at least some) banks will reset your password given your birth year and month and some card data. This commenter remarked that it hardly matters that the passwords are weak since an attacker could just reset them using data that is reasonably easy to obtain.