Password Limitations

handsofqwerty

So many years ago, I remember and understand how there were limitations on passwords. They couldn't be longer than a certain character length, couldn't have certain characters, etc. Well, the year is now 2015 and I can't understand why some companies choose to use legacy systems or methods, because I can see no other reason for why I just got these while trying to sign up for a TWC account (Verizon FiOS isn't available at my new place... :'()

I use LastPass to randomly generate almost all my passwords, and was just shocked by this...am I alone in thinking this is just ludicrous?

MattSpeller

One of the banks I use limits you to 8 digits, no special characters or spaces.

It's.... so wrong.

handsofqwerty

@MattSpeller said:

One of the banks I use limits you to 8 digits, no special characters or spaces.

It's.... so wrong.

Because they like insecure passwords?

A Former User

Seems most banks using Netteller limit you to like a 10 character password.

scottalanmiller

@MattSpeller said:

One of the banks I use limits you to 8 digits, no special characters or spaces.

It's.... so wrong.

It's because they are likely connecting that over telnet to a legacy big iron UNIX system.

And no, not being facetious at all.

A Former User

@scottalanmiller said:

It's because they are likely connecting that over telnet to a legacy big iron UNIX system.

And no, not being facetious at all.

Um Telnet?? I'd switch banks..

scottalanmiller

@thecreativeone91 said:

@scottalanmiller said:

It's because they are likely connecting that over telnet to a legacy big iron UNIX system.

And no, not being facetious at all.

Um Telnet?? I'd switch banks..

Most of the systems that have that limitation don't have SSH. This is sadly incredibly common in big banking.

scottalanmiller

@handsofqwerty said:

@MattSpeller said:

One of the banks I use limits you to 8 digits, no special characters or spaces.

It's.... so wrong.

Because they like insecure passwords?

Eight characters is the standard System V limit. A lot of systems inherited from that.

A Former User

@scottalanmiller said:

@handsofqwerty said:

@MattSpeller said:

One of the banks I use limits you to 8 digits, no special characters or spaces.

It's.... so wrong.

Because they like insecure passwords?

Eight characters is the standard System V limit. A lot of systems inherited from that.

Was.. That's been removed for a good while. They supposedly did it some people wouldn't write it down. Most banks I've been around use Jack-Henry stuff on IBM Power systems. Granted I've only done stuff for credit unions.

scottalanmiller

@thecreativeone91 said:

@scottalanmiller said:

@handsofqwerty said:

@MattSpeller said:

One of the banks I use limits you to 8 digits, no special characters or spaces.

It's.... so wrong.

Because they like insecure passwords?

Eight characters is the standard System V limit. A lot of systems inherited from that.

Was.. That's been removed for a good while. They supposedly did it some people wouldn't write it down. Most banks I've been around use Jack-Henry stuff on IBM Power systems. Granted I've only done stuff for credit unions.

It's not been long since I was in banking and there were loads of those still around. Loads. And every bank that I know had the same issues, it wasn't unique. And it takes many, many years to phase out old systems. Considering key systems were still running gear and OSes from 1996, switching soon isn't something that happens.

A Former User

@scottalanmiller said:

@thecreativeone91 said:

@scottalanmiller said:

@handsofqwerty said:

@MattSpeller said:

One of the banks I use limits you to 8 digits, no special characters or spaces.

It's.... so wrong.

Because they like insecure passwords?

Eight characters is the standard System V limit. A lot of systems inherited from that.

Was.. That's been removed for a good while. They supposedly did it some people wouldn't write it down. Most banks I've been around use Jack-Henry stuff on IBM Power systems. Granted I've only done stuff for credit unions.

It's not been long since I was in banking and there were loads of those still around. Loads. And every bank that I know had the same issues, it wasn't unique. And it takes many, many years to phase out old systems. Considering key systems were still running gear and OSes from 1996, switching soon isn't something that happens.

Yeah but that's just because they didn't update the OSes. System V was around until 2004-2006. Seems like they should move to Solaris if they want to keep in Unix systems.

scottalanmiller

@thecreativeone91 said:

@scottalanmiller said:

@thecreativeone91 said:

@scottalanmiller said:

@handsofqwerty said:

@MattSpeller said:

One of the banks I use limits you to 8 digits, no special characters or spaces.

It's.... so wrong.

Because they like insecure passwords?

Eight characters is the standard System V limit. A lot of systems inherited from that.

Was.. That's been removed for a good while. They supposedly did it some people wouldn't write it down. Most banks I've been around use Jack-Henry stuff on IBM Power systems. Granted I've only done stuff for credit unions.

It's not been long since I was in banking and there were loads of those still around. Loads. And every bank that I know had the same issues, it wasn't unique. And it takes many, many years to phase out old systems. Considering key systems were still running gear and OSes from 1996, switching soon isn't something that happens.

Yeah but that's just because they didn't update the OSes. System V was around until 2004-2006. Seems like they should move to Solaris if they want to keep in Unix systems.

Often they cannot because they run hardware that is decades old and does not support anything remotely new.

scottalanmiller

@thecreativeone91 said:

Seems like they should move to Solaris if they want to keep in Unix systems.

That's the most common culprit. Solaris 2.4 is still rampant in the banking world.

Nic

this guide should help:

MattSpeller

@Nic I was going to say there's no amount of Webroot that'll help this but then you posted a good pic and now I feel bad for teasing you.

Nic

@MattSpeller said:

@Nic I was going to say there's no amount of Webroot that'll help this but then you posted a good pic and now I feel bad for teasing you.

That's ok, I'm happy to be teased anytime

handsofqwerty

@Nic said:

@MattSpeller said:

@Nic I was going to say there's no amount of Webroot that'll help this but then you posted a good pic and now I feel bad for teasing you.

That's ok, I'm happy to be teased anytime

That could have multiple meanings...just saying...

tonyshowoff

A lot of places restrict the allowed characters because they're morons who don't understand SQL injection and think it's a way to avoid it. Ideally any character should be allowed that can be transferred over HTTP without breaking the hell out of things, which is everything which can be properly encoded.

I do trim passwords though, something old school jackasses think is bad, because after all, if there's a space at the beginning or end of a password, or a newline/return character, it must be on purpose, despite the fact that 99.9999999999% of the time it's because someone copy/pasted the password from an email or something and accidentally added on the space/\r/\n. Of course you can make the argument of never sending a password in an email (and we don't), but tell that to users who will do it all day long.

I also wrote a method to deal with "easy" passwords, things like repeating words, pattern recognition for phone numbers, birthdates, etc.