Website Password Length: Examples in Bad Design
Just today I encountered one of my pet peeves of the Internet. No, not creating yet another account to keep up with, but blindly trying to figure out the architecture and design of password creation and storage on a website. Today it happened with http://www.sqlpass.org/ (come on guys, YOU of all people should know better), but it has happened to me on other "big name" sites like http://crucial.com.
First a little background on my password creation process. I - like so many of you - have countless accounts out there on the web. Each of those accounts requires a password. There are several methods of password generation that one can use. They are (worst to best):
- Easy to remember password
ex: a dictionary word, your own name, a family member's name, a pet's name, etc. Bad, bad, bad!
- All your eggs in one basket
(AKA Lord of the Rings - "One password to rule them all"). If the password is "good", this will get you by for a while, but even the mighty Smaug fell to a strike in its one weak spot.
- Variation on a theme
Similar to the above, but with some small variant (ex: appending characters) to make it different for each site. While this is better than #2, a hack of one site still exposes your core/base password.
- [Pseudo-]random password
A truly unique password for each site, with no correlation to your password on any other site.
A few years ago I wised up and opted for the last one. How do I remember all the passwords? Simple; I don't. I only know a handful of my passwords. The rest are absolutely unknown to me. I use a great little FOSS tool called KeePass (http://keepass.info) to keep all of my passwords in a single secure file. (Note: due to the valuable nature of this file, I keep multiple backups in multiple physical locations.)
One of the great things about using a tool like KeePass is that it can generate passwords for you quite easily. Another benefit is that since I always copy/paste my passwords, a long password is no more inconvenient than a short password. Knowing this, why not use a long password - like 30 characters? The longer the better, right? Right; until you encounter sites designed by architects that are one (or more) of the following:
What I have discovered with these sites (and I'm sure many more are guilty as well) is that they have a secret maximum length for the password field. When you create an account they secretly/blindly/unknowingly truncate your nice beautifully long 30 character password to something shorter - like 20 or 16 characters.
Then when I go to log in, I paste the password I just pasted 30 seconds earlier and then BAM! Your username or password is incorrect.
What!?! I just pasted this password not 30 seconds ago. I know it's the correct password. So I click on the "Forgot Password" link and they email me my password (more on this later).
When, what to my wondering eyes should appear,
but a miniature password - not mine I fear.
With a little old password, so small and slick,
I knew in a moment, it must be a trick.
My "password" they tell me - is the first 20 characters of my 30 character password. Their account creation page truncated it, but the login page didn't!
The Bad Design
- The first part of the bad design is that they could email my password to me. They shouldn't store my password in a way that they could email it to me.
- The second poor design is that the account creation page is inconsistent with the login page.
- The final bad design is that they had a maximum password length to begin with which was compounded by the fact that the maximum length is unknown.
A Better Way
To all of you web designers and architects who create the requirements for websites, I implore you to adhere to the following:
- Don't store the actual passwords, but rather a salted hash like MD5. This way it will be very secure, and you will have a practically unlimited password length [B] with only the cost of a 32 character field. If you absolutely must know the passwords (ex: for integrating with other systems) be sure that they are at least encrypted in the database with a well-respected symmetric algorithm such as Twofish, Serpent or AES.
- Don't have a maximum password length.
- If you must have a maximum password length (though I can't imagine why) at least make it both known and long - like 255.
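To make the failure concrete, here is a small added simulation (my own code, not anything from the sites named above): one class reproduces the truncating account-creation page paired with a non-truncating login page, the other stores only a salted hash with no length cap. The hash here is PBKDF2-SHA256 from Python's standard library rather than the salted MD5 mentioned in the list; the MAX_LEN value, user names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed value: the undisclosed cap on the "bad" site's creation page.
MAX_LEN = 20


class TruncatingSite:
    """Account creation silently truncates; login does not (the bug)."""

    def __init__(self):
        self.users = {}  # user -> password stored in recoverable form

    def create_account(self, user, password):
        # The field is too short, so the password is cut before it is saved.
        self.users[user] = password[:MAX_LEN]

    def login(self, user, password):
        # Compares the full pasted password against the truncated copy.
        return self.users.get(user) == password

    def forgot_password(self, user):
        # Returns the stored (truncated) password, exactly what gets e-mailed.
        return self.users[user]


class HashingSite:
    """No length cap; only a salted hash is stored, so nothing can be e-mailed."""

    def __init__(self):
        self.users = {}  # user -> (salt, digest)

    @staticmethod
    def _hash(password, salt):
        # 32-byte digest regardless of password length.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create_account(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, self._hash(password, salt))

    def login(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._hash(password, salt))


def demo(password):
    """Register then log in with the same password on both sites."""
    bad, good = TruncatingSite(), HashingSite()
    bad.create_account("alice", password)
    good.create_account("alice", password)
    return bad.login("alice", password), good.login("alice", password)
```

A 30-character password registers fine on both sites but only the hashing site accepts it at login; the truncating site's "forgot password" hands back just the first 20 characters, which is the symptom described above.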
Now I'm not equating "ignorance" to "stupidity", but rather using the term to mean unaware. I'm ignorant of the intricacies of quantum physics, but I don't consider myself stupid.
[B] Limited only by the post size of your web server. At least 2KB. I have observed up to 98KB.