Friday, August 30, 2013

American Express

American Express, your password policies are shitty.


  • Limited to 20 characters.
  • No spaces
  • Only allow "%,&, _, ?, #, =, -" as "special characters"
  • NOT CASE SENSITIVE? ARE YOU FUCKING SERIOUS?
  • Seriously. Not being case sensitive is really fucking awesomely retarded.
I think the "not case sensitive" thing deserves a tad of discussion. Not being case sensitive makes it MUCH EASIER for someone to guess passwords, because they automatically know that caps don't matter. That can cut the bits of entropy by as much as half. It eliminates the extra bits you'd get for having a number and/or one of the 7 special characters they "allow" you to have.

Nationstar Mortgage

Nationstar Mortgage, your password policies are BEYOND shitty.


  • Your error message for passwords that don't meet your standard is:
    "your password must be between 6 and 20 characters"

    You will get this message if your password is 5 characters, or 21 characters, or isn't "complex enough"
  • You limit a password to 20 characters.
  • You enforce complexity, but nowhere do you document the requirements.

What is considered a GOOD password policy?

Diceware.

XKCD/936:

My perfect password policy?  It's what I use on machines I build professionally.

7-character minimum.
7-14 character passwords enforce complexity (at least one capital letter, one number, and one special character).
15+ characters: no complexity enforced. This allows Diceware or XKCD/936 style passphrases.
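As an added example (my code, not the author's), here is a validator for the tiered policy above, plus the rough "alphabet size to the length" entropy estimate behind the case-sensitivity complaint in the American Express section. The class sizes assume a printable-ASCII alphabet (26 lower, 26 upper, 10 digits, 33 punctuation/space); the sample passwords are constructed.

```python
import math

# Character-class sizes for printable ASCII: 26 lower, 26 upper, 10 digits,
# and 33 "other" (punctuation plus the space character).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 33}


def classes_used(pw: str) -> set:
    """Which character classes actually appear in pw."""
    used = set()
    for c in pw:
        if c.islower():
            used.add("lower")
        elif c.isupper():
            used.add("upper")
        elif c.isdigit():
            used.add("digit")
        else:
            used.add("other")
    return used


def naive_entropy_bits(pw: str, case_sensitive: bool = True) -> float:
    """len(pw) * log2(alphabet size). With a case-insensitive check, upper
    and lower case collapse into one 26-letter class, which is the loss
    the post is complaining about (the number and special-character
    classes are unaffected, but they buy fewer bits on a smaller base)."""
    used = classes_used(pw)
    if not case_sensitive and "upper" in used:
        used.discard("upper")
        used.add("lower")
    alphabet = sum(CLASS_SIZES[c] for c in used)
    return len(pw) * math.log2(alphabet)


def check_password(pw: str) -> tuple:
    """The post's tiered policy: 7-character minimum; 7-14 characters must
    contain an uppercase letter, a digit and a special character; 15 or
    more characters have no complexity rule, so Diceware / XKCD-936 style
    passphrases (spaces included) pass. No upper length limit, no banned
    characters, and the reason for a rejection is always stated."""
    n = len(pw)
    if n < 7:
        return False, "at least 7 characters required"
    if n >= 15:
        return True, "ok (15+ characters, no complexity rule)"
    missing = []
    if not any(c.isupper() for c in pw):
        missing.append("an uppercase letter")
    if not any(c.isdigit() for c in pw):
        missing.append("a digit")
    if not any(not c.isalnum() for c in pw):
        missing.append("a special character")
    if missing:
        return False, "7-14 character passwords need " + ", ".join(missing)
    return True, "ok"
```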

Some common stupid password policies, and why they are stupid:

  • No spaces.  There's zero reason for this, other than laziness.
  • Artificial limit on string length, especially when that limit is less than, say, 50 or so.
  • Enforcing complexity, but not allowing certain characters.
  • Not giving the rules ahead of time: making us guess when our passwords fail.

Paypal.

Paypal's password policies are shitty.


  • NO spaces.
  • NO special characters (though they refuse to define what counts as a special character.)
  • must be between 6 and 20 characters.
  • refuses to allow ANY dictionary words (so Diceware passphrases won't work.)
  • They do not tell you their password policy until you get it wrong.
  • They deny you the ability to paste passwords from a password manager.