Why do so many websites fail with password restrictions?
All too often when registering at a site I'll get prompted with a message along the lines of: "Password must be between 6 and 12 characters long and cannot contain special characters." The second I see that a little warning goes off in my head that they are probably storing the password as plain-text in their database or that at least they aren't hashing it. The only other time I get so worried about website password security is when they actually send me my password in an email after registration.
The bottom-line is that there should never be a case where there are password limitations such as special characters or maximum length. Why should you care if I decide to have a dollar sign, ampersand, or apostrophe in my password? Why is that considered bad? I mean, as long as you are hashing it (like you should be), it doesn't matter, right?
Same goes for password length. Since the hashes produced are a constant length, saying that the password would take up too much space in the database is an invalid argument. If I want my password to be the first sentence of my 6th grade report on Leif Erickson, then I should be able to. It's all about being able to remember and there exist plenty of pass-phrases that'd be easier to remember than any 8-character long password.
What about potential DoS attack with using a really long password? That is almost a valid reason for length restriction since hashing algorithms can be quite intensive on larger bodies of text, but how difficult can it be to spot and block those users with malicious intent?
What password verification should look like
No character limitation. No maximum length limitation. What's really left?
def is_valid_password(password, min_length=6): return len(password) >= min_length
Indeed, the only check that should be required is a minimum length. And even that's a stretch. Beyond being sure that the password isn't easily guessable, I see no reason for password restrictions in a world of fixed-length hashing.
Ashish wrote,
Some websites do have such restrictions like limited allowed characters, case-insensitive etc because you might need to enter you password using phones. Sure if all you ever do is enter the passwords in the websites login page having such restriction is silly.
Court wrote,
I generally agree with you (although I am totally fine with a max length cap of a few hundred characters). I would like to point out that the American Express credit card login caps at 8 characters. An international financial institution thinks eight characters is the absolute maximum length needed to secure someone's private information.
Chris wrote,
I think some of these restrictions are there to make the password harder to guess in with a brute force attack. It at least forces people not to use dictionary words.
Evan wrote,
Chris,
I'm talking about restrictions on what you CAN enter, not what you MUST enter. There's a difference between character requirements and character restrictions.
Darryl E. Clarke | Password Restrictions are Bad wrote,
[...] This guy's got the idea too. I'm actually surprised there aren't more complaints like this. His search query to google reveals a lot of fun things with password restrictions. [...]
Peter Hickman wrote,
It depends on where you are. I can enter a euro symbol as part of my password because I have a european keyboard then when I go to America I will probably not be able to enter my password on a US keyboard. So limiting you to those characters that you probably enter from any keyboard in the world, remember its not just finding it on the keyboard its also the encoding, then it would be a good thing.
I'm not saying that this is the reason why, but it sounds good :)
Stephen P. Schaefer wrote,
The actual reason is simple: too many programmers are incapable of guaranteeing that their data won't get evaluated at some point, e.g., in a regular expression match. I've seen code like (perl)
$test=qr/something $password something/;
if (grep { /$test/; } @bad_passwords) { … }
What if $password was (?{`rm -rf /`})
(If this site goes down after this comment, I'll know why…>:-})
It's not just perl. I could pull that stunt in nearly any language.
They're not sure of their own code and they don't trust their libraries. Of course that means that their code and their libraries are incompetent, but that's not so unusual.