Cybersecurity - Memes

This is my biggest pet peeve. Password policies are largely mired in inaccurate conventional wisdom, even though we have good guidance docs from NIST on this.

Frustrating poor policy configs aside, this max length is a huge red flag, basically they are admitting that they store your password in plan text and aren’t hashing like they should be.

If a company tells you your password has a maximum length, they are untrustable with anything important.

I had to make an account the other day with the absolute worst password requirements I've ever seen:

The worst is when it either won't tell you what the character limit is so you have to just keep lowering it and retrying until it finally works, or when the infrastructure for signing up has a different character limit than the infrastructure for logging in, so you can sign up with a long password but can't actually sign in with it. I once encountered a website that had this issue for both the password AND username so I had to change my password and then contact support to change my username. Absurd.

I know a bank with a 12 character max, no symbols password restriction.

Ridiculous

Its even better when they don't tell you that your password is too long, and they truncate it somewhere unknown.

Tried a randomgen 32 character password at the local sheriff's office. Copy and pasted it directly out of my password manager into the password creation field so I know I didn't typo it and when I tried to login it wouldn't work. Took me a bit of troubleshooting to figure out what happened.

A prominent Australian bank has these requirements:

For Internet Banking, your password must be six to eight characters long.

To improve security, it should:

contain both numbers and letters.
include upper and lower-case letters (your password is case sensitive).

worst i've seen is 8 characters. precisely 8 characters, no more no less........ it was for a bank ....

I got this from a bank. A BANK. Not only was it limited to 12 characters. THEY ALSO LIMITED THE SPECIAL CHARACTER SET.

I complained and was told, oh that's why we have the security number for (a unchanging six digit code), and I'm like, that's basically 1 password with 18 character limit and 6 of the characters are definitely numbers.

Not only that, 2FA is not available for logon, it just says "to authenticate certain types of Internet and Mobile Banking transactions".

I couldn't believe it. Surprise, surprise, there are no minimum password security regulations in Australia...

similarly:

make a new account

use password manager to generate a strong random password

"your password must contain at least one special character (! @ # $ % ^ or &)"

"correct horse battery staple" is for your password manager password. The regular passwords for services should be random character gibberish.

Edit: to be clear, though, I'm not excusing their failure to allow >16 characters of gibberish.

Eons ago, I got an account for using a software on an IBM mainframe. Keep in mind that the machine used masks with fixed-width text fields on the terminal (TN3270, IIRC), even for the login mask. Being security cautious, the first thing I did after login was to change my password. The "change password" mask allowed for passwords of up to 12 characters, which I used freely. I logged out, got back to the login mask - which only allowed for an eight character password...

No need to escape, if the table name for ; drop table ... -- doesn't fit 😉

ADD FIELD PASSWORD VARCHAR(16)

Tell me about it. USAA has a password policy of "between 8 and 12 characters."

Like, that's not even secure under old understandings of secure. A max of 12 should be, like, an actual offense with sanctions attached if they get hacked at some point. Especially for a financial institution. Ridiculous.

Definitely used a one-off password for that one...

My current employer has the dumbest restrictions for passwords to our core system. It is a large regional bank. Our core system must have a password that is either 7 or 8 characters long (nothing shorter or longer). It cannot have any vowels or special characters. It cannot have any capital letters. It cannot have two numbers in a row.

Fuck this! My bank has this, and not just that, the limit is 6 digits, that's right, only digits and only 6 of them.

My balance is harder to guess than my password (if you include cents)

Fuck!

I used to have to use a government-run website that required passwords to be exactly 8 characters

Ran into this when I chose a password for my new work e-mail. As my employer is Chinese, error messages show up in mandarin, so it took me a while to understand what the problem was: Must be between 9 and 16 characters long.

How to properly set password requirements on your website. Accept any utf8 string. Have a nice day.

This one time I got this catch22 situation with a service.. Turned out password reset in the Android app accepted 32 characters but in the browser less.

My favorite was "Your password must begin with a letter"

The answer is always a poorly coded database. :(

Here is a screenshot from the page where my meme came from. But it it not the only company out there with ridiculous password policies.