The other day I wrote about the stupid password policies and handling that many sites have. It appears that I’m not alone in being infuriated by this nonsense.
David Pashley has his own post documenting some of the silliness. In the unlikely event that those of you in Europe believe yourselves immune to this madness, many of his example are from European sites.
One of the points in my original post was the rule of thumb that any restriction is an indication of security problems. Sadly, sometimes the indications are a bit more subtle. Pashley gives the example of a site that appeared fine but then he discovered that his 30 character password had been truncated to 20 characters. Just knowing that is a sure fire tip off that the passwords aren’t being hashed but it gets worse. Pashley says he discovered the truncation because when he exercised the “lost password” option they emailed him his password (truncated to 20 characters) in the clear. So not hashed; original passwords stored. Inexcusable.
Let me say it again: if a site is handling your password correctly, there won’t be any restrictions on length or characters. If a site does have such restrictions, proceed cautiously.