this post was submitted on 18 Aug 2024
833 points (98.8% liked)

Cybersecurity - Memes

1975 readers
1 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS
833
submitted 3 months ago* (last edited 3 months ago) by cron to c/cybersecuritymemes@lemmy.world
 

Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

top 50 comments
sorted by: hot top controversial new old
[–] faltryka@lemmy.world 137 points 3 months ago (22 children)

This is my biggest pet peeve. Password policies are largely mired in inaccurate conventional wisdom, even though we have good guidance docs from NIST on this.

Frustrating poor policy configs aside, this max length is a huge red flag, basically they are admitting that they store your password in plan text and aren’t hashing like they should be.

If a company tells you your password has a maximum length, they are untrustable with anything important.

[–] cron 86 points 3 months ago

Oh I had the same thought. Whoever limits password length probably has many other shitty security practices.

[–] slazer2au@lemmy.world 31 points 3 months ago (2 children)

If a company tells you your password has a maximum length, they are untrustable with anything important.

Lemmy-UI has a password limit of 60 characters. Does that make it untrustworthy?

[–] cron 55 points 3 months ago

OWASP recommendation is to allow 64 chars at least:

Maximum password length should be at least 64 characters to allow passphrases (NIST SP800-63B). Note that certain implementations of hashing algorithms may cause long password denial of service.

The lemmy-UI limit is reasonably close and as everything is open source, we can verifiy that it does hash the password before storing it in the database.

There is a github issue, too.

[–] faltryka@lemmy.world 14 points 3 months ago

It being open source helps because we can confirm it’s not being mishandled, but it’s generally arbitrary to enforce password max lengths beyond avoiding malicious bandwidth or compute usage in extreme cases.

[–] unmagical@lemmy.ml 20 points 3 months ago (11 children)

If a company tells you your password has a maximumn length, they are untrustable with anything important.

I would add if they require a short "maximum length." There's no reason to allow someone to use the entirety of Moby Dick as their password, so a reasonable limit can be set. That's not 16 characters, but you probably don't need to accept more than 1024 anyway.

load more comments (11 replies)
[–] clearedtoland@lemmy.world 14 points 3 months ago (1 children)

The number of government websites that I’ve encountered with this “limitation.” Even more frustrating when it’s not described upfront in the parameters or just results in an uncaught error that reloads the page with no error message.

load more comments (1 replies)
load more comments (18 replies)
[–] akilou@sh.itjust.works 60 points 3 months ago (4 children)

I had to make an account the other day with the absolute worst password requirements I've ever seen:

[–] cron 37 points 3 months ago (1 children)

Do you know the password game?

The digits in your password must add up to 25.

load more comments (1 replies)
[–] halloween_spookster@lemmy.world 15 points 3 months ago (1 children)

When I was working on a password system a few years ago, I found some amazingly bad password requirements. One that stuck with me was it couldn't contain any two digit years (e.g. 08).

I'll also leave this here: https://dumbpasswordrules.com/sites-list/

load more comments (1 replies)
load more comments (2 replies)
[–] paris@lemmy.blahaj.zone 55 points 3 months ago* (last edited 3 months ago) (4 children)

The worst is when it either won't tell you what the character limit is so you have to just keep lowering it and retrying until it finally works, or when the infrastructure for signing up has a different character limit than the infrastructure for logging in, so you can sign up with a long password but can't actually sign in with it. I once encountered a website that had this issue for both the password AND username so I had to change my password and then contact support to change my username. Absurd.

[–] Nicadimos@lemmy.ml 17 points 3 months ago

I used to manage a system that had a longer character limit on the creation than in the sign in. To fix it, they just let you type in more characters when you signed in but only validated the first 8 anyway. 🤦‍♂️

Honestly at that point, it's not worth using the service to me if I have to contact support just to sign in.

load more comments (2 replies)
[–] 9point6@lemmy.world 49 points 3 months ago (14 children)

I know a bank with a 12 character max, no symbols password restriction.

Ridiculous

[–] nokturne213@sopuli.xyz 28 points 3 months ago

Mine does not allow spaces. They used to use a 4 digit pin as 2FA. Not a new pin you got every time you logged in, the same 4 digit pin.

[–] cynar@lemmy.world 15 points 3 months ago

A lot of bank computing is a complete clusterf@#k. Getting even basic changes and bug fixes requires it being signed off on by various regulators and committees. Apparently, 18 months for a 1 line change is normal. This has ended up with layers of new work being frankensteined onto older systems. E.g. Internet banking, for a long time, physically printed checks, via an automated machine, posted them, and then had them read in, via an automated machine. Hence why Internet bank transfers took 2-3 days.

I had issues with my banks truncating my password a while back. It only looked at the first 8 characters.

[–] AlecSadler@sh.itjust.works 11 points 3 months ago (1 children)

One of my past banks used to be case-insensitive. They aren't anymore (as far as I know). Their name starts with Key and ends with Bank.

load more comments (1 replies)
load more comments (11 replies)
[–] youngalfred@lemm.ee 38 points 3 months ago (4 children)

A prominent Australian bank has these requirements:

For Internet Banking, your password must be six to eight characters long.

To improve security, it should:

contain both numbers and letters.
include upper and lower-case letters (your password is case sensitive).

load more comments (4 replies)
[–] Lycist@lemmy.world 38 points 3 months ago (7 children)

Its even better when they don't tell you that your password is too long, and they truncate it somewhere unknown.

Tried a randomgen 32 character password at the local sheriff's office. Copy and pasted it directly out of my password manager into the password creation field so I know I didn't typo it and when I tried to login it wouldn't work. Took me a bit of troubleshooting to figure out what happened.

[–] cron 11 points 3 months ago (1 children)
load more comments (1 replies)
load more comments (6 replies)
[–] lseif@sopuli.xyz 33 points 3 months ago (12 children)

worst i've seen is 8 characters. precisely 8 characters, no more no less........ it was for a bank ....

[–] dwemthy@lemdro.id 16 points 3 months ago (1 children)

A major US bank that I used to use has case insensitive passwords, found that out one day when I noticed caps lock was on after logging in with no trouble

[–] viking@infosec.pub 12 points 3 months ago (4 children)

Makes you wonder if they store the password in plain text, or convert to lower key during your first input so it's at least hashed. I wouldn't be surprised if it's not.

load more comments (4 replies)
load more comments (11 replies)
[–] MisterFrog@lemmy.world 32 points 3 months ago

I got this from a bank. A BANK. Not only was it limited to 12 characters. THEY ALSO LIMITED THE SPECIAL CHARACTER SET.

I complained and was told, oh that's why we have the security number for (a unchanging six digit code), and I'm like, that's basically 1 password with 18 character limit and 6 of the characters are definitely numbers.

Not only that, 2FA is not available for logon, it just says "to authenticate certain types of Internet and Mobile Banking transactions".

I couldn't believe it. Surprise, surprise, there are no minimum password security regulations in Australia...

[–] grue@lemmy.world 24 points 3 months ago* (last edited 3 months ago) (1 children)

"correct horse battery staple" is for your password manager password. The regular passwords for services should be random character gibberish.

Edit: to be clear, though, I'm not excusing their failure to allow >16 characters of gibberish.

[–] lurch@sh.itjust.works 23 points 3 months ago* (last edited 3 months ago) (1 children)

No need to escape, if the table name for ; drop table ... -- doesn't fit 😉

guy tipping his head meme captioned "you can't get hacked, if they can't fit enough SQL in the password field"

load more comments (1 replies)
[–] Treczoks@lemmy.world 23 points 3 months ago

Eons ago, I got an account for using a software on an IBM mainframe. Keep in mind that the machine used masks with fixed-width text fields on the terminal (TN3270, IIRC), even for the login mask. Being security cautious, the first thing I did after login was to change my password. The "change password" mask allowed for passwords of up to 12 characters, which I used freely. I logged out, got back to the login mask - which only allowed for an eight character password...

[–] HowManyNimons@lemmy.world 22 points 3 months ago (6 children)

ADD FIELD PASSWORD VARCHAR(16)

load more comments (6 replies)
[–] testfactor@lemmy.world 21 points 3 months ago (7 children)

Tell me about it. USAA has a password policy of "between 8 and 12 characters."

Like, that's not even secure under old understandings of secure. A max of 12 should be, like, an actual offense with sanctions attached if they get hacked at some point. Especially for a financial institution. Ridiculous.

Definitely used a one-off password for that one...

load more comments (7 replies)
[–] CafecitoHippo@lemm.ee 19 points 3 months ago (7 children)

My current employer has the dumbest restrictions for passwords to our core system. It is a large regional bank. Our core system must have a password that is either 7 or 8 characters long (nothing shorter or longer). It cannot have any vowels or special characters. It cannot have any capital letters. It cannot have two numbers in a row.

load more comments (7 replies)
[–] MTK@lemmy.world 17 points 3 months ago (1 children)

Fuck this! My bank has this, and not just that, the limit is 6 digits, that's right, only digits and only 6 of them.

My balance is harder to guess than my password (if you include cents)

Fuck!

[–] meliaesc@lemmy.world 16 points 3 months ago (3 children)
load more comments (3 replies)
[–] Revan343@lemmy.ca 16 points 3 months ago (2 children)

I used to have to use a government-run website that required passwords to be exactly 8 characters

load more comments (2 replies)
[–] neidu2@feddit.nl 15 points 3 months ago* (last edited 3 months ago)

Ran into this when I chose a password for my new work e-mail. As my employer is Chinese, error messages show up in mandarin, so it took me a while to understand what the problem was: Must be between 9 and 16 characters long.

[–] x0x7@lemmy.world 14 points 3 months ago (7 children)

How to properly set password requirements on your website. Accept any utf8 string. Have a nice day.

load more comments (7 replies)
[–] joeldebruijn@lemmy.ml 13 points 3 months ago (1 children)

This one time I got this catch22 situation with a service.. Turned out password reset in the Android app accepted 32 characters but in the browser less.

load more comments (1 replies)
[–] Ptsf@lemmy.world 13 points 3 months ago (1 children)

The answer is always a poorly coded database. :(

[–] herrvogel@lemmy.world 17 points 3 months ago (4 children)

What? The password should only receive the hashed password, and that's gonna have a fixed length. What's stored in the db should have the exact same length whether the password is 2 characters long or 300. If the length of the password is in any way a consideration for your database, you've royally fucked up long before you got to that point.

load more comments (4 replies)
[–] BradleyUffner@lemmy.world 12 points 3 months ago (1 children)

My favorite was "Your password must begin with a letter"

[–] Sibbo@sopuli.xyz 18 points 3 months ago (1 children)

"Otherwise our database may misinterpret it as a number when we store it in pain text"

[–] haui_lemmy@lemmy.giftedmc.com 18 points 3 months ago

pain text

Accidentally accurate

[–] cron 11 points 3 months ago

Here is a screenshot from the page where my meme came from. But it it not the only company out there with ridiculous password policies.

load more comments
view more: next ›