Friday, August 3, 2012

Poor password capabilities frustrate me

There's really no excuse.  There's no excuse at all for weak password capabilities, especially for financial services companies. 

Outline of security
I recently attempted to increase the complexity of my online banking passwords.  It should have been simple, but the dizzying array of requirements made it more difficult than it needs to be. And the requirements were awful!  I don't mind if complexity isn't required (ok, I do, but that's a different issue)  but let me pick whatever password I can remember.

There are dozens and dozens of sites that describe what is a good password, and how to choose it.  For example, see Microsoft, Google, Naked Security and xkcd sites.  However, the password capabilities on the system have to support strong passwords.  I found that many banking systems did not.  Let's start with what I wanted to use.  It was similar to:
      ValidSpeedLimitzR: {30|45|55}nearHome
but I couldn't even come close. Forget that it's 37 characters, it's easy to type, secure and I can remember it.  The problem was the password capabilities on the online banking system.  They limit password entropy and make it less secure.  See below: 

American Express:
  • Must be different from your User ID
  • Must contain 8 to 20 characters, including one letter and number
  • May include the following characters: %, &, _, ?, #, =, -
  • Your new password cannot have any spaces and will not be case sensitive.
  • Must contain 7-32 characters
  • Must include at least one number and one letter
  • Cannot include special characters (&, %, *, etc.)
  • Cannot be the same as your User ID
  • Cannot be the same as any of the last five Passwords you've used
  • Password must be 6 to 32 characters long and contain at least one number.
  • No special characters
Fidelity Investments: 
  • Use 6 to 12 letters and/or numbers
  • Do not use symbols, punctuation marks, or spaces (e.g., #, @, /, *, -.)
Granted, some special characters are hard to type on mobile devices like iPhones and iPads. And in the "olden days" you worried about people embedding HTML or JavaScript inside an improperly parsed form field, so that may be a motivation not to allow special characters.  But there's no reason not to allow a long password, and no real reason not to allow special characters or spaces today.   And certainly there's no possible reason NOT to make it case sensitive. I'm not saying require them, because that's a whole other discussion; just permit it.

How can we expect to encourage users to choose strong passwords if the systems don't support them!  Come on financial companies, you must do better!


Update 1: 2012-08-03

I was so frustrated, I sent this tweet to @AskAmex:
@AskAmex I changed my online password and found weak pw policies--not even case sensitive! Why not?

to which @AskAmex replied:
@luriep Hi Peter, thx for feedback. Our PW policies meant to be secure but easy for our customers to use. Use %&_?#= for addl security. ^M

Which, of course, is bogus:

AmEx suggests {AZ09%&_?#=} = 42 characters
Stronger way: {azAZ09%&_?#=} = 68 characters (although I'd argue you should support 32 and not 6 special characters, but that only makes the point much bigger)

42 is less than 68, and the difference skyrockets when you take it to ^8 or ^20 (based on password length).  I don't see their password policies as anywhere near as secure as they very easily could be...
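To make the alphabet-size argument concrete, here is an added example (not from the original post) that encodes the quoted policies, computes the largest search space each one ever permits, and shows which rules reject the post's 37-character password. The bank names for the two unlabelled rule sets, the case-sensitivity of policies that don't mention it, and the six-symbol AmEx set from the tweet are assumptions.

```python
import math

# Constructed from the rules quoted in the post; the two rule sets the post lists
# without a bank name appear as "unnamed A" and "unnamed B". Assumed: policies that
# do not mention case are case sensitive, and AmEx's symbols are the tweet's %&_?#=.
LOWER, DIGITS = "abcdefghijklmnopqrstuvwxyz", "0123456789"
UPPER = LOWER.upper()
ALNUM = LOWER + UPPER + DIGITS

POLICIES = {
    "AmEx":      dict(lo=8, hi=20, chars=ALNUM + "%&_?#=", fold_case=True),
    "unnamed A": dict(lo=7, hi=32, chars=ALNUM, fold_case=False),
    "unnamed B": dict(lo=6, hi=32, chars=ALNUM, fold_case=False),
    "Fidelity":  dict(lo=6, hi=12, chars=ALNUM, fold_case=False),
}

def alphabet_size(policy):
    """Distinct symbols per position; a case-insensitive policy counts A..Z as a..z."""
    n = len(set(policy["chars"]))
    return n - len(UPPER) if policy["fold_case"] else n

def keyspace_bits(alphabet, length):
    """log2(alphabet ** length): the search space for a password of that length."""
    return length * math.log2(alphabet)

def max_bits(policy):
    """The best the policy ever permits: full alphabet at the maximum length."""
    return keyspace_bits(alphabet_size(policy), policy["hi"])

def violations(password, policy):
    """Which of the policy's length and character-set rules the password breaks."""
    problems = []
    if not policy["lo"] <= len(password) <= policy["hi"]:
        problems.append(f"length {len(password)} outside {policy['lo']}-{policy['hi']}")
    bad = "".join(sorted(set(password) - set(policy["chars"])))
    if bad:
        problems.append(f"disallowed characters {bad!r}")
    return problems

AUTHOR_PW = "ValidSpeedLimitzR: {30|45|55}nearHome"   # the password the post wanted to use

if __name__ == "__main__":
    print(f"{'policy':10} {'alphabet':>8} {'max bits':>9}  why the post's password is rejected")
    for name, pol in POLICIES.items():
        print(f"{name:10} {alphabet_size(pol):8d} {max_bits(pol):9.1f}  "
              + "; ".join(violations(AUTHOR_PW, pol)))
    # The post's own comparison: AmEx's case-folded 42 symbols against 68 with case kept
    for n in (8, 20):
        print(f"length {n}: 42 symbols -> {keyspace_bits(42, n):.1f} bits, "
              f"68 symbols -> {keyspace_bits(68, n):.1f} bits")
```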
