Please, Stop Helping the Hackers Guess My Passwords
There have been numerous high profile hacking attempts (and successes) in recent months and years. In 2012 alone, millions of accounts' hashed passwords and other sensitive information was stolen across tens of different websites:
- Zappos: 24 million accounts' passwords and email addresses exposed
- Global Payments: 1.5 million credit card numbers exposed
- LinkedIn: 6.5 million hashed passwords stolen-- many of which weren't salted
- eHarmony: 1.5 million hashed passwords exposed
- Last.fm: Passwords compromised
- Yahoo: 450,000 passwords leaked-- in plain text
By now, I'm sure you get the point-- your information is never safe. When you input your credit card number or password into to a website, you're trusting they've taken the necessary precautions to safeguard this data. The reality is, there's a lot of business that do not implement decent security practices.
In fact, the worst offenders not only store your password insecurely, but they prevent you from protecting yourself properly. In the event of a leak in which password hashes are made public, having an extremely secure password is the only way to keep yourself protected. A secure password can be composed of random letters, numbers, symbols, or even a long sentence that you remember. The issue is, not all sites let you use these kinds of secure passwords.
Consider this gem:
I appreciate the suggestion, but I don't think you're qualified to give me advice on how to use a secure password when you're not allowing me to use a password over 30 characters or have spaces.
There's a notorious XKCD comic that advises a user to come up with a string of random, memorable words and produce a short sentence to use as a password. On this site, your "correct horse battery staple" may be allowed, but you're bumping up against the limit. What if you wanted to use a slightly longer combination of words?
Fine, 30 characters is long enough for some social network or some non-critical service, but what if I'm selling goods on Ribbon?
Great. Another password length limitation. It's slightly more critical to have a secure password in this case-- after all, we're dealing with money. I wouldn't want someone to gain access to my account and redirect sales to their own PayPal account.
Speaking of PayPal, let's check out their password policies.
Wonderful. So, a service that is specifically built to handle money, is connected to bank accounts, credit cards, my address, and other personal information, has a maximum password length of 20 characters. At least they advise to use symbols.
Even banks aren't immune to enforcing ridiculous rules.
In fact, Bank of America is one of the worst offenders. They have a maximum password length of 20 characters, and require your password to be devoid of spaces and most special characters. It's like they want my password to be easily guessable in the event of a data breach.
The Good
Fortunately, there are a couple of services out there that are actually helping in the area of security.
Wordpress.com is a great example of this. They not only accept long passwords of 50 characters or more with symbols, numbers, and mixed case letters, but they actually provide a 1-click password generator that incorporates all of these.
There are also plenty of apps that generate random passwords (and secure them as well). 1Password, LastPass (though there was an attempted hack against LastPass in 2011), and others are great examples of this. Personally, I use 1Password on both my Mac and iPhone, and it works great. Not only are my passwords random, but they are different for every website. If one website is compromised, there's no chance of the hacker being able to use that same password to gain access to other services.
What Needs to be Done
Developers need to educated in security. It's like a disease and public health-- if everyone were educated in the dangers of improper security, there would be fewer problems in the area. While data breaches will still occur, especially due to social engineering and other tactics that take advantage of human nature, a combination of proper salting and hashing, secure passwords, and two factor authentication will make large scale data breaches less dangerous.
Methods of security like two factor authentication may take some effort to implement, but there is one easy thing every developer can do:
Remove that stupid, arbitrary limition on your registration form and let me use whatever password I want. After all, you aren't storing my password in it's raw form, so length shouldn't matter for your VARCHAR(30)
database field, right?