Password Security - Or Lack There Of

Snowulf

Calendar

Back February '10 Forward
Su Mo Tu We Th Fr Sa
Tue February 9 2010
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28            

Categories



All categories

Feeds

Blog Administration

Open login screen

Friday, September 28. 2007

Password Security - Or Lack There Of

I have to tell you about something that really pisses me off. That is sites with really crappy password security policies. I don't mean the sites that require alpha, numeric & symbols - it makes sense, makes it harder to brute force. The sites that really piss me off are the sites that unreasonably limit your password length. I use a password that is between 11 and 18 characters long, depending on the security level. Granted, 18 characters is a bit long for most people, but I like to have my passwords a little longer, a little more secure. I can accept sites limiting you to something like 16 characters. Microsoft's "Live" service does this (it truncates w/o warning) and US Bank does the same thing (again, Silently). But I found a financial site today that I just want to stab, for having such STUPID password policies.

American Express

Yes. The very same company that brought you the unlimited "Black" card (properly known as the "Centurion Card") has one of the WORST password requirements I've ever seen. My AIM password is more complex that their system allows!!! If you are wondering exactly what their policy is, here you go (Direct from their Registration Page):
Your Password should contain 6 to 8 characters . at least one letter and one number (not case sensitive), contain no spaces or special characters (e.g. &, >, *, $, @) and be different from your User ID.

You read that correctly, they allow a max password length of 8 characters. Its case insensitive. Oh, and you can't use special characters. ... I'm sorry... WHAT THE F***?!!?!?! This is a financial website!!! This is a big company!! They should know freaking better!! MY USERNAME IS LONGER THAN MY PASSWORD!! There are huge concerns about phising on the internet, and brute forcing an 8 character password is cake for computers these days. This password limit is arbitrary and asinine at best.

Ok... Calming down here. I really am a big fan of internet banking. I love being able to do everything online. I just signed up for American Express, and I'm already tempted to cancel my account simply due to this password policy. Compared to every other financial website I use, American Express is just depressing. Many financial companies websites go as far as making you register your computer (annoying, but it is more secure). Some you have to enter multiple pieces of secure information. Am Ex? 8 Characters, tops. I'm not asking for them alot. In fact, if anyone from American Express reads this, this is exactly what I want:
  1. You need to increase the max length to at least 18 characters.
  2. You need to make the alpha text case sensitive.
  3. You need to allow for symbols.


Update (2007-09-28 @ 11:10) I actually wrote American Express customer service last night and asked them about this. They sent me back a nice canned response. Its about a page long, but here is the "important part":
Please be advised that American Express monitors all accounts to detect suspicious activity and we do not hold our Cardmembers liable for any unauthorized charges.

If you suspect that you have unauthorized charges on your statement, please contact us at the number on the back of your Card as soon as possible (24 hours/7 days). If you are outside of the United States, please call us collect at 1-336-393-1111. For a list of phone numbers, please visit

So there you go. American Express apparently believes more in their background monitoring than the need for passwords. Ok, Fine. I still wish I could use some of my regular passwords though.

Update (2007-09-28 @ 12:05) This article made top 10 at Digg. What the Duce?!
Posted by
Jon
in Tech at 01:03 | Comments (39) | Trackbacks (0)
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as (Linear | Threaded)
i was under the impression that the username wasnt that important ...
it was the password that needs to be casesensitive and stuff ...
guess i was wrong ...
but for a lay guy like me ...
an 18 character username or password is an overkill ...
but you may be right ...
better to be safe than sorry ... especially when you say its a piece of cake to brute force your way in ...
#1 subcorpus (Homepage) on 2007-09-28 09:44 (Reply)
I recently got an AmEx card and noticed this problem as well. Normally my passwords aren't terribly complex, but I have a separate permutation of my usual one that I use for financial services sites and I can't use it there. I am also considering cancelling the card for this reason.
#2 Yoweigh on 2007-09-28 10:09 (Reply)
Don't get quite so upset.

You wrote:
> brute forcing an 8 character password is
> cake for computers these days

Sometimes. If you give the computer the encrypted password (the "right answer") and let it crank, yes, it is easy.

But American Express is probably rate limiting attempts. They are limiting the number of attempts per account, or per attempting IP address, or both. A slow enough rate can make a relatively small password space quite secure. ATMs do the same thing. Too many bad tries and they seize the card, right?

That doesn't mean they couldn't do better, and that doesn't mean that if an encrypted or hashed copy of the passwords leaked out they wouldn't be easy to hack. It just means that they aren't as open as you make it sound.

-kb
#3 Kent Borg on 2007-09-28 10:21 (Reply)
I'm actually not a total idiot and do understand this concept. I realize that an 8 character password can be kinda secure, as long as they don't allow it to be brute forced.

Even still. Its a ridiculous requirement.
#3.1 Jon (Homepage) on 2007-09-28 10:24 (Reply)
Common, you are right on the point that AmEx is silly here, but clinging on to "kinda secure" is silly.

If they can rate limit attempts, it *is* secure. Not "kinda", but "is". However, the "if" part is key.

Say they rate limit to 1 try every two seconds.

To brute force a random 8 character alphanumeric password with 50% probability would take over 90,000 years.

That is pretty damn secure. And they are not going to leave the account open that that much probing. They probably permanently lockout a password after a few handfuls of attempts. Actually, they are probably annoying and kill the password after a very small number of attempts. I have had passwords die after only three attempts.

BUT, the "is" secure assumes that the brute force rate really is limited. If something goes wrong and the Bad Guys get a copy of a backup tape...the security collapses.

Like an ATM PIN, AmEx is counting the Bad Guys never getting a copy of the password file.

Still, better than an ATM PIN: I have a bank account that used to have a 6-digit PIN, but they reduced it to 4. Maybe being that secure was not compatible with the rest of the banking world.

Thanks for pointing out AmEx's silliness,

-kb
#3.1.1 Kent Borg on 2007-09-28 11:03 (Reply)
You are correct. I am. Maybe I just want the warm and fuzzy feeling of knowing that my password is longer than my username. Or that my password on American Expresses website is more secure than my AIM password.

Its all about the illusion of security.
#3.1.1.1 Jon (Homepage) on 2007-09-28 11:25 (Reply)
That's funny! Chase Visa is the same way! Actually - I can never remember my password for them because it's not among my standard routine. I have to dumb it down so much that I have to use the 'forgot password' feature almost every time that I use the site. That sucks.
#4 Jeff (Homepage) on 2007-09-28 10:57 (Reply)
Exactly!

Officially, its poor practice to use a single password everywhere. I'm guilty of that myself, from time to time (too many junk websites). But when I can't even use anything remotely similar to my standard password affair... I'm lost.
#4.1 Jon (Homepage) on 2007-09-28 11:03 (Reply)
Brute force isn't going to happen, at least not from the web based form. Your probably get 3 tries or so before the account is locked out completely. Your real fear should be using the same user/pass for every site. I used to do it then with some recent news from the web I decided it was a supremely bad idea. If I started a fake torrent, or nifty social networking site and 1000 people signed up how many of those do you think have a gmail, yahoo, or hotmail account and use the same user/pass? My guess is enough to do some damage. That's why I used a random pass generator. 20 char upper/lower numbers and special chars. I can't remember any pass so I keep them all in a text file and encrpyt it. I save all of my passwords in my browser as well. Some browsers are secure like safari and use the keychain others are plaintext but I use FileVault which keeps all of this encrypted so I feel like even if the NSA stole my computer I would have enough time to change all of my passwords. At that it is highly unlikely that a laptop thief would know how, or even try to break encryption.
#5 Nick on 2007-09-28 11:08 (Reply)
I just noticed the same thing yesterday after AMEX called me and told me someone compromised my card, I went online to change my password and had a lot of problems..
#6 Anonymous on 2007-09-28 11:10 (Reply)
Even a long/complex password (while better than short/simple) is fairly useless on a bank / payment card or other financial website. Use an internet cafe or an internet service terminal in a hotel lobby and chances are some bright spark will have installed a keyboard logger on it. Your login details will be transmitted to a crook in some third country within seconds if you use a computer with a keyboard logger installed. Most European banks and card companies require multi-factor identification at login - and one of these codes changes every 30 or 60 seconds, using a clock type device (eg RSA secure ID or similar). Any financial organization allowing account access - especially funds transfer services - without multi-factor identification is grossly negligent in my opinion.
#7 Mike Allen on 2007-09-28 11:13 (Reply)
Correct. Many banks are going to MultiFactor. Even if they aren't keyfobs. Places like ING Direct "map" 0-9 to random alpha characters, and then make you punch in your password using the alpha characters. Of course it changes after every login attempt, that way even if there was a key logger, you are safe. It is a little of a pain at first, but you get used to it. (Plug they give you a graphical pad you can click the numbers instead of typing).
#7.1 Jon (Homepage) on 2007-09-28 11:19 (Reply)
I don't reuse passwords on different sites. I suggest password reuse is the second biggest security hole for most people.

Biggest security hole: Typing passwords on keyboards that are bugged. Maybe because the computer at the internet cafe has a keylogger on it. More likely because you are using Windows at home and some spyware is reporting back.

I use Linux. I am conservative about what I install. I don't browse the web or read e-mail as root (administrator), so I trust this keyboard and I don't type passwords on other keyboards. I have a small notebook computer, I carry my notebook with me and use it.

-kb
#7.2 Kent Borg on 2007-09-28 13:54 (Reply)
The keyboard logger overcomes all types of password - no matter how long the pw is (eg 25vlh-4DuW-^j':FBh.z/
#7.2.1 Mike Allen on 2007-10-12 22:52 (Reply)
Also note that AmEx is the only credit card I have that refuses to provide single use credit card numbers for online and phone ordering. The others usually even let me set money and time limits, letting me proactively protect myself from merchant fraud as well as credit card theft. I suppose they actually prefer that I complain after I am wrongfully charged.
#8 Gaurav on 2007-09-28 11:21 (Reply)
Card companies have funny ways of going about things. Maybe American Express just thinks of itself as so elite that it doesn't need to trouble its users with things like security, or worrying. But you know what. I'm not liable, so... I guess who am I to complain. They loose the money... and I get to sit on my soap box saying "I told you so".
#8.1 Jon (Homepage) on 2007-09-28 11:36 (Reply)
I could never understand why different websites would force me to a maximum password of 8 characters. Where they that hard up on filesystem space that they couldn't store longer passwords?

And even if they do limit your tries, a hacker could set up bots on unknowing computers using a virus, worm, or trojan house. Those bots could all try passwords on the website until one worked, then transmit the password that works back to the evil hacker. That type of parallel brute force would work much faster with an 8 character password limit than if the website had a password limit longer than 8 characters.
#9 Dennis on 2007-09-28 12:30 (Reply)
Someone hijacked my AMEX number last year and made some charges. It took me about 5 phone calls and talking to a supervisor before I got it cleared. They apparently do not monitor charges very closely either because these were unusual charges that should have sent off a ton of red flags. I still have an AMEX, but I'm not crazy about them at all and don't use them anymore for online purchases.
#10 James (Homepage) on 2007-09-28 13:02 (Reply)
That is kinda scary. Its not supposed to take several calls. It is supposed to take one. I will keep that in mind though, hopefully I wont have a problem with it.

In reality, the only reason I got one was for use at Costco.
#10.1 Jon (Homepage) on 2007-09-28 13:12 (Reply)
I agree with Kent, reuse of passwords is much worse for secure websites then limited length. If AMEX password policy forced you to choose a different password than normal than Kudos to them.

To be fair, when I signed up for AMEX 2 years ago I found the 8 character password limit ridiculous. I use password safe and like to keep my passwords between 12 - 20 characters of random gobbley gook. Instead of calling AmEx (which you proved is pointless) I made my USERNAME a bunch of gobbleygook...
#11 Joe on 2007-09-28 18:51 (Reply)
Perhaps you have the right idea there, Joe. Make both the password and username random junk.

I do use KeePass to keep my passwords. Even still, I'd prefer it if I didn't have to obfuscate my username because their password policy sucks.
#11.1 Jon (Homepage) on 2007-09-28 19:33 (Reply)
I was fully shocked by this rubbish when I signed up for my amex card some months back.

Not to mention their UI for your bill and points absolutely sucks ass! I mean, seriously...it REALLY sucks.

How can you have a UI for a credit card that doesn't easily show you all the latest transactions in a nice, easy-to-understand way? i.e. what payments were made, what charges were made.

That too much to ask?
#12 Marc on 2007-09-28 18:52 (Reply)
Yes indeed. A decent UI is too much to ask. Obviously its better to have a Web 2.0 interface with all sorts of fun ajax and cool features, rather than a website that gives you the IMPORTANT information.

I can't really complain too much though, I've seen worse UI's, and I've seen better. I'm sure whom ever designed it, thought it was cool, made sense, and was useful.
#12.1 Jon (Homepage) on 2007-09-28 19:35 (Reply)
Gee, what's with the whining? Use a fucking 8 character password and stop making such a fuss, you fucking crybaby
#13 ucrybaby on 2007-09-29 01:04 (Reply)
ROFL. Hilarious. I love it.
#13.1 Jon (Homepage) on 2007-09-29 01:42 (Reply)
I understand that AmEx is not going to allow brute force unlimited attack tries, but what bugs me is that I have a password system -- yes, it varies from site to site somewhat, but it's longer than 8 characters. Now, when I go to my Amex account, I have to remember that my usual password technique doesn't apply here.

I'd rather a site that warns you that only eight characters apply, but lets you input more and just truncates.
#14 jase on 2007-09-29 09:33 (Reply)
Indeed. I can't tell you how many times I've completely forgotten a password because sites have different password restriction. But... 9 times out of 10, if I go to the signup page, and read the password policy, I'll remember what it was.
#14.1 Jon (Homepage) on 2007-09-29 12:57 (Reply)
I've learned a few tricks over time.
If you have a pswd system...
Do:
Use upper case
Use lower case
Use numbers

Don't use special symbols -- some sites can't handle them.
Don't start with a number -- some sites require a letter first

Anyway, if anyone reading this has not heard of Security Now! podcast, I recommend that you check it out (Google is your friend). They have quite a few podcasts on password security. It's my favorite tech podcast.
#14.1.1 jase71ds on 2007-10-10 19:16 (Reply)
Amex was case insensitive, so upper/lower wont help. Oh well!
#14.1.1.1 Jon (Homepage) on 2007-10-12 00:07 (Reply)
Normally an attacker isn't attacking you specifically... he is attacking anyone that is vulnerable.

So typically an attacker would choose a common password... say "password1" then use that password whilst randomly trying different username combinations (i.e brute force the username rather than the password). That way the rate limit by username would not stop him... but of course the rate limit by IP would.
#15 db on 2007-10-02 01:35 (Reply)
if you log in 3 times incorrectly with the same user ID, you're locked out and must call. So on Amex, brute force WON'T WORK. And I'll forget if I user more than 8 characters.

Remember they've got millions of customers, including your aunt mildred who spends 2 hours with MSN every week because she forgets her hotmail account, and has all the time in the world to talk to customer service.
#16 fork on 2007-10-02 07:33 (Reply)
If they really do lock you out after 3 attempts, that's a change from how it used to be. I had changed my password once before there and forgotten which password I used. Took me over a dozen tries to work through all the passwords I typically use before I remembered the correct one, but I got logged in without a CSR intervening.
#16.1 Randy (Homepage) on 2007-10-12 08:13 (Reply)
Years ago, when I went to sign up for an eTrade account, passwords were limited to 6 characters case-sensitive alpha only. No numbers. No special characters. Nothing longer than 6 letters. Hey - at least it was case sensitive...
#17 Randy (Homepage) on 2007-10-11 14:22 (Reply)
I wasn't aware that AmEx was not case sensitive.

I guess, however, that an attack would have to come from multiple IP addresses -- and even at that, hopefully, their server would have the sense to lock the account. If so, I guess it's safe. But I do hate that it won't let me use my system (which is 10 characters) and then just truncate. I have too many logins to keep track of the maverick sites.
#18 jase71ds on 2007-10-13 03:51 (Reply)
password on digg does,'t allow any special characters
#19 Anonymous on 2008-05-13 18:47 (Reply)
I agree 100%

With symbols, all my passwords are unique and at least 15 characters in length. When a site is retarded and only accepts letters and numbers, I up it to 20.

When I found out about the 8 character American Express password limit; I cried. Seriously: this type of data requires my BEST password scheme, and they're making me use a password that's worse than my don't-give-a-shit spam email account's password. Sheesh.
#20 Michael Altfield (Homepage) on 2009-04-14 19:13 (Reply)
I totally agree. Most banks have all sorts of crazy requirements now. Pin #'s with pictures & sounds and phrases & a game of 20 questions - just to log on. Amex? Nope...
#20.1 Jon (Homepage) on 2009-04-14 21:24 (Reply)
I found that the US Bank online service for credit cards is NOT case sensitive at all. I told them about it in writing via email and how aghast I was after discovering this security risk (by accident). In their reply, they seemed not to care of my discovery at all! I have a couple of credit cards managed through US Bank and I don't want to close them out. So in the interim, I salted my password with a bunch of additional characters (&^#$-), etc.

I still am pissed about their lack of concern over this matter. This is the only site I've come across that deals with financial matters where passwords are NOT case sensitive.
#21 Tom McNeely on 2009-07-08 12:07 (Reply)
Wow... You are quite correct (just tested). How freaking stupid is that. There are a ton of useless websites where you _must_ have the standard 3 of 4 (lower alpha, upper alpha, symbols, numbers)... but yes so many financial institutions don't give a shit.

Seriously, why is my email more secure that my money?
#21.1 Jon (Homepage) on 2009-07-08 12:27 (Reply)
Add Comment
E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA

 
   
 

Amazon!

Twitter

@ShakataGaNai

    follow me on Twitter