We use (and sometimes reuse, although we shouldn't) passwords on the web every day. There has been so much talk about password security lately that the least we should expect is that the big sites have proper password policies. I will single out two of them here:
- digg.com – I’ve tried to register with them a couple of times, but was deterred by the following message:
Sorry – only the characters a-z, A-Z and 0-9 are allowed in passwords. This makes me think that they store their passwords in cleartext in the database or something, because I see no other reason for this arbitrary restriction.
- blogger.com – Yes, the very service I'm using now. When I registered yesterday I used the usual password generation algorithm and generated a long password with special symbols. Everything went fine, until the next day (today) when I tried to log in. So I used the password reminder feature and learnt that the maximum password length was 20 (I had used a password longer than that). This again leads me to believe that my passwords are stored in a database field in cleartext (which probably has a size of 20 characters).
What I would like to ask the web developers:
- Only store hashes of my password, never the cleartext; better yet, store salted hashes computed with a dedicated, deliberately slow password hash (bcrypt, scrypt or PBKDF2), so that a leaked database does not hand out the passwords themselves.
- Allow me to choose an arbitrary password with arbitrary characters (or, if you want a limit for practical reasons, use a sensible one, such as 255 characters drawn from the full 7-bit ASCII set, punctuation included). If you store hashes, the real length of the password has no effect on the data you have to store: the hash is the same size every time. A stated cap of a few hundred characters still makes sense, because hashing cost grows with the input length and some algorithms, bcrypt for example, only look at the first 72 bytes of the password.
- If you have a limit, state it on the form and use the matching HTML attribute (maxlength on the password input element) so the browser enforces it before submission, instead of silently truncating what the user typed and locking them out at the next login.
- Update: As a commenter pointed out, you should transmit the password over HTTPS / SSL. Encrypting only the target of the form is not enough: if the page that carries the form is served over plain HTTP, anyone who can tamper with that traffic can rewrite the form's action (or inject script into the page) so the password is posted elsewhere before it ever reaches the encrypted endpoint. Serve the login page itself over HTTPS as well; this also reassures users, and the performance hit is small, especially with persistent connections. However, remember that no transport encryption will protect you from spyware that installs itself directly into the browser (as a BHO, for example).
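To show what the three storage-and-policy points above look like in practice, here is an added example (not code from the original post, and not from digg or Blogger): a site that accepts any character and any reasonable length, stores a salted PBKDF2 hash, and gets a fixed-size record whether the password is 5 or 256 characters long. The cap of 256 characters and the iteration count are assumptions chosen for the example; the one rule the form's maxlength attribute must mirror is MAX_PASSWORD_LENGTH.

```python
"""Added example: password storage that does not restrict the user.

Not from the original post. Policy constants below are assumptions.
"""
import hashlib
import hmac
import os
import unicodedata

# Hypothetical policy: the only restriction is a generous length cap,
# which keeps the hashing cost bounded. Every character is allowed.
MAX_PASSWORD_LENGTH = 256
PBKDF2_ITERATIONS = 600_000   # assumed value; tune to your hardware
SALT_BYTES = 16
DIGEST_BYTES = 32
ALGORITHM = "pbkdf2_sha256"


def _normalize(password: str) -> bytes:
    # NFC so the same password typed on different systems hashes alike;
    # UTF-8 so any Unicode character, not just 7-bit ASCII, is accepted.
    return unicodedata.normalize("NFC", password).encode("utf-8")


def check_policy(password: str) -> None:
    """Enforce the stated limit once, here; the HTML form mirrors it."""
    if not password:
        raise ValueError("password must not be empty")
    if len(password) > MAX_PASSWORD_LENGTH:
        raise ValueError(f"password longer than {MAX_PASSWORD_LENGTH} characters")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The record length depends only on the parameters, never on the
    password, so a CHAR(20) column is not what limits the user.
    """
    check_policy(password)
    salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(password), salt,
                                 iterations, dklen=DIGEST_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False                       # malformed record
    if algorithm != ALGORITHM or len(password) > MAX_PASSWORD_LENGTH:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", _normalize(password), salt,
                                    int(iterations), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    short = "abc"
    long_unicode = ("Ünïcødé✓!#§" * 30)[:256]   # constructed sample input
    for pw in (short, long_unicode):
        rec = hash_password(pw)
        print(len(pw), "chars ->", len(rec), "byte record; verifies:",
              verify_password(pw, rec))
```

The record carries its own algorithm and iteration count, so the cost can be raised later by rehashing at the next successful login rather than by a schema migration. Note that the limit is applied to the character count before encoding; if you ever switch the underlying hash to bcrypt, apply the cap on the UTF-8 byte length instead, since bcrypt ignores everything past 72 bytes.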
Update: Please note that I don't know whether they store my password as cleartext, as a hash or as a salted hash. There might well be other (historical, security) reasons for the problems I've mentioned. I've personally used the password reminder feature of Blogger, and they sent me a link using which I could change my password, so I have no evidence regarding the method they use to store passwords, and I've never used this feature on digg. But my point was that they are limiting my security (or improving it, if you consider the impossibility to log in an improvement :-)) by a choice which has no well-founded reason.
Update #2: Blogger is now offering the possibility to log in with your Google account (just go to beta.blogger.com), which is not subject to the restrictions mentioned above.