Reply To: 12 Aug 17 – Password guru regrets past advice
> Just this past week I ran into a site (for a nationally known company)
Hmmm…(just sayin’) this isn’t OTA where the radio station would be worried about the sales department, y’know, giving free advertising (mention) to someone…or in the case of WGMC (public broadcasting), an outright ad. C’mon, you can name them 🙂
> that requires a password to be between 6 and 12 characters, consisting only of letters and numbers.
That is unfortunately fairly typical. The credit union at which I’m a member subcontracts out itsme247.com for their “online banking” service. I don’t know what their min is, but their max is 12. There is the twist of a very limited challenge/response, in that (ahead of time) you fill out the responses to three questions, and the login page chooses one of these three. But since this messes with KeePass, I simply made the answer the same for all three challenges (and surprisingly, they do not check for this).
> And this same company would not recognize any email address as being valid if it contained any capitalized letters. Everything (username and domain name) had to be lower case.
That is in direct violation of the email RFCs, including the most recent one I know of, RFC 5321 (section 2.3.11, where it says “Consequently, and due to a long history of problems when intermediate hosts have attempted to optimize transport by modifying them, the local-part MUST be interpreted and assigned semantics only by the host specified in the domain part of the address.” (emphasis mine)). It drives me nuts that many companies can’t seem to read these. The aforementioned Western Division also did not seem to understand when I explained to them that their email server must identify itself (HELO or EHLO) as a resolvable name (ibid. sect. 2.3.5).
> Simply locking someone out for a few minutes after 3 wrong guesses of a password would end the dictionary attack method.
That’s the primary concern, but then the other concern is if the host where it is stored is compromised, and the password database (even if hashed, see this Computerphile video on YouTube about trying millions of hashes per second with 4 high-end GPU cards) is exfiltrated. So there is more than the threat posed by someone just trying to brute force their way in, or with a dictionary attack.
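To make the RFC 5321 point concrete, here is an added example (not code from the post or from any site it mentions) contrasting the lower-case-everything behaviour complained about above with a normalizer that case-folds only the domain and leaves the local-part untouched; the domain shape check is a deliberately simple assumption, not a full RFC 5321 grammar.

```python
"""Email normalization per RFC 5321 section 2.3.11: the domain part is
case-insensitive, but the local-part must be passed through unchanged."""
import re
from typing import Optional

# Constructed sample inputs: addresses a user might type at registration.
SAMPLE_ADDRESSES = [
    "Jane.Doe@Example.COM",
    "john@example.org",
    "Not An Address",
]

# Simplified domain shape (assumption for this example, not the full grammar).
DOMAIN_RE = re.compile(r"[A-Za-z0-9.-]+")


def normalize_email_wrong(address: str) -> str:
    """The behaviour the post complains about: the whole address is
    lower-cased, which silently rewrites the local-part."""
    return address.strip().lower()


def normalize_email(address: str) -> Optional[str]:
    """Case-fold only the domain and keep the local-part exactly as entered.
    Returns None when the input is not of the shape local-part@domain."""
    address = address.strip()
    local_part, sep, domain = address.rpartition("@")
    if not sep or not local_part or not domain:
        return None
    if not DOMAIN_RE.fullmatch(domain):
        return None
    return f"{local_part}@{domain.lower()}"


def same_mailbox(a: str, b: str) -> bool:
    """Compare two addresses the way a registration system should: domain
    comparison is case-insensitive, local-part comparison is not."""
    na, nb = normalize_email(a), normalize_email(b)
    return na is not None and na == nb


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(repr(addr), "->", normalize_email_wrong(addr), "|", normalize_email(addr))
```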