
You might think that, by now, most critical Web applications would have figured out password security. You know -- requiring strong passwords, not storing those passwords as plain text, that kind of thing. Unfortunately, you'd be wrong.

Take this example, copied from a financial services company customer portal:

The password may not contain any of the following characters: ", ~,!, @, #, $, %, ^, &, *, (,), +, =, \, |, {, }, [,], <, >, ?, blank or tab.


Now, forbidding blank and tab is understandable, but for the love of God, why can't I use special characters in my password? Every character struck off that list shrinks the alphabet every password on the site is drawn from, which makes them easier to guess, not harder. What possible security policy could forbid their use? Who decides this stuff?

But that's not all. This particular site also forces a password change every two months, and the new password cannot match any of the previous 10. That's nearly two years of unique passwords. Most people, unfortunately, reuse the same password across a variety of sites, so there's some basis in reality for this policy, but this particular site happens to be a read-only mortgage information site. I can log in and check my mortgage balance and whatnot, but I can't really do anything more damaging than pay my mortgage. Naturally, I log into the site only a few times a year, and every single time I have to change my password to one that I wouldn't use for anything else, simply because the character restrictions keep it weak. Then I either have to remember it, write it down, or save it in my browser. More often than not, I end up going through the password recovery rigmarole.

More disturbing is the way password recovery works on some of these sites. At least half the time, when I get the (unencrypted) recovery e-mail, my password is right there in the message, in plain text. That means the site is storing all those passwords in a recoverable form: plain text in a database, or at best reversibly encrypted with a key the application itself holds, which amounts to the same thing once the database and the key leak together. That database is being backed up somewhere, is probably readable by a significant number of admins, and is exposed to anyone who happens to snag a backup tape. It's a catastrophe waiting to happen. A site that stores only salted, slow hashes cannot e-mail you your password even if it wants to; the most it can do is send a one-time reset link.
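The following is an added example, not code from the article or from the portal it describes, showing what the pieces discussed above look like when done properly: the portal's forbidden-character rule beside a policy that accepts any printable character, salted memory-hard password hashing with a constant-time check, a reuse check against the last 10 passwords that works on hashes alone, and a recovery flow that mails a single-use, expiring token instead of the password. The scrypt parameters, the 12-character minimum, the 15-minute token lifetime and the `portal.example` hostname are assumptions made for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

# Parameters are assumptions for the demo; raise SCRYPT_N for production use.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
MIN_LENGTH = 12          # assumed minimum length
HISTORY_DEPTH = 10       # the portal's "not the same as the past 10" rule
TOKEN_TTL_SECONDS = 900  # assumed recovery-token lifetime (15 minutes)

# The portal's forbidden-character list, transcribed from the article.
PORTAL_FORBIDDEN = set('"~!@#$%^&*()+=\\|{}[]<>? \t')


def portal_policy_ok(password):
    """The policy quoted in the article: punctuation, space and tab are rejected."""
    return not any(c in PORTAL_FORBIDDEN for c in password)


def sane_policy_ok(password):
    """Length is what matters; any printable character (punctuation and spaces
    included) is allowed, only control characters such as tab are rejected."""
    return len(password) >= MIN_LENGTH and password.isprintable()


def _scrypt(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def hash_password(password):
    """Per-user random salt plus a memory-hard hash; the password itself is never stored."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _scrypt(password, salt).hex()}


def verify_password(password, record):
    """Recompute the hash and compare in constant time."""
    digest = _scrypt(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


class UserStore:
    """What a database row should hold: the current hash, a few old hashes for
    the reuse check, and hashed single-use recovery tokens. Nothing reversible."""

    def __init__(self):
        self.users = {}    # username -> {"current": record, "history": [records]}
        self.tokens = {}   # sha256(token) -> (username, expires_at)

    def set_password(self, username, password):
        if not sane_policy_ok(password):
            return False
        user = self.users.setdefault(username, {"current": None, "history": []})
        # History check without plaintext: verify the candidate against each old hash.
        previous = ([user["current"]] if user["current"] else []) + user["history"]
        if any(verify_password(password, rec) for rec in previous):
            return False
        if user["current"]:
            user["history"] = ([user["current"]] + user["history"])[:HISTORY_DEPTH - 1]
        user["current"] = hash_password(password)
        return True

    def login(self, username, password):
        user = self.users.get(username)
        return bool(user) and verify_password(password, user["current"])

    def issue_recovery_token(self, username, now=None):
        """The returned token goes into the e-mail link; only its hash is kept."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[key] = (username, now + TOKEN_TTL_SECONDS)
        return token

    def redeem_recovery_token(self, token, new_password, now=None):
        """Single use and time-limited; sets a new password instead of revealing the old one."""
        now = time.time() if now is None else now
        entry = self.tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        return self.set_password(username, new_password)


def recovery_email(username, token):
    """What the recovery mail should contain: a link carrying the token, never the
    password. The hostname is a placeholder."""
    return ("Hello {},\n"
            "To reset your password, open https://portal.example/reset?token={}\n"
            "This link expires in {} minutes and works once.\n"
            ).format(username, token, TOKEN_TTL_SECONDS // 60)
```

Note that the reuse check costs one scrypt evaluation per stored old hash, which is the price of never keeping anything reversible; it is paid only at password-change time, so it does not matter in practice. The token is hashed at rest for the same reason the password is: a copied backup then yields neither credentials nor usable reset links.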