It’s really careless programmer-slash-security things like this that piss me off. Have a look at the Bank of the Philippine Islands’ (BPI) personal internet banking login screen:
Although it’s not as restrictive as the one on BPI’s website, here’s the equivalent login service provided on Banco de Oro’s (BDO) website:
I can think of absolutely no use case where, as a software architect, programmer, what-have-you, I would want to limit the number or kind of characters a user can assign for a password. It’s an absolute no-no. It’s a Bad Thing™. It’s what your mother had been warning you not to do when you were a kid, right after those sermons against playing with fire and sharp objects.
But, limiting characters saves database space!
Point well taken, and honestly, that would make a lot of sense provided that we weren’t talking about passwords.
If this were any other kind of field (like a username, or an address input), limiting the characters a user can input may not just be helpful: it may well be essential. By controlling the amount of data anyone can save into any data field, we can control how fast the size of the underlying database bloats (because databases take up expensive hard drive space too, you know).
Passwords are an exception though. To start off, websites (or anyone for that matter) should not be storing your password in plain text.
It’s simple. No one but you should know your password. Not even the websites you use your passwords on. Ever wonder why (most) websites allow you to reset your password, but they don’t (can’t) give you your password when you forget it? Well, this is why.
But then, you’d ask: if websites don’t know my password, how do they know that I’m using the right password for my account then? Again, simple. They use what’s called a hash.
The thing is, websites can “hash” any piece of text, and the hash function turns it into a fixed-length string that looks random, is hard to remember, and comes out the same every time for the same input. Here are a few examples using SHA256 hashes:

```
// "password"
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
// "passworD"
9e78de733c6a51c0cc954c1d956d8929ad1310513e1042d81edc375219c6a2ef
// "1234"
03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4
// "a"
ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
```
This is what websites (should) use in checking if your password is correct. The website stores the hash of your password in its database, so whenever you try to log in (and provide a password), it hashes what you typed and compares the resulting hash to the hash it has in its database.
Why does that matter then? Well, one of the unique things about a hash is that no matter how long the original piece of text is, it always always always results in a hash of constant length (for example, the SHA256 hashes above are always 64 hexadecimal characters long, i.e. 256 bits).
So if you’re storing that in a database, you know that you’re always storing text that is 64 characters long no matter what the password is. What’s the sense of limiting my password to 12 characters then?
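To make the point concrete, here is an added example (not code from the post, and not what BPI or BDO run) of how a site can store and check passwords without ever keeping the password itself. It reproduces the post’s plain SHA256 values, and then stores passwords with salted PBKDF2-HMAC-SHA256 instead of bare SHA256, because a fast unsalted hash is too cheap to guess against; the iteration count and record format are this example’s own choices. Whether the password is 12 characters or a 60-character passphrase, the stored record is the same length.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: iteration count and record layout chosen for this example.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def sha256_hex(text: str) -> str:
    """Plain SHA256 of a string, matching the hashes quoted in the post."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a stored record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per user means two users with the same password
    get different records, and precomputed hash tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(derived.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample passwords: a 12-character one and a long passphrase.
    short_rec = hash_password("*HU9J67+0G3%")
    long_rec = hash_password("pleasedontmilkmycow" * 3)
    print(len(short_rec), len(long_rec))  # same stored size for both
    print(verify_password("*HU9J67+0G3%", short_rec), verify_password("wrong", short_rec))
```

The stored record never contains the password, so a length limit on the password buys the database nothing; only the column holding the fixed-size record needs a size.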
More importantly, what does that tell me?
Either BPI and BDO are unnecessarily making their users use passwords that are significantly less secure than possible, or they’re storing your passwords in plain text. I just hope it’s not the latter.
But 12 characters in a password is more than enough.
Again, point well taken. If you use numbers, lowercase and uppercase letters, and symbols in your password, a 12-character password will take a hacker years to break (only hours or even minutes if you only use letters!).
But then again, passwords like that look like *HU9J67+0G3% and are generally hard to remember. This is exactly why there has been debate about the usability of the passwords we use every day.
Passwords, to make a long discussion short, are hard to remember. Passphrases (like pleasedontmilkmycow), on the other hand, do better on both security and human usability. But to make use of them, I need more than just 12 characters. It’s a somewhat touchy topic, but hey, you’ve got to at least agree on the usability part.
Please don’t store my password.
Let me just take this opportunity to say it again: there’s absolutely no justification for limiting your users’ password length. As far as I’m concerned, if you limit the length of my password, I know you’re storing my password. And that, my friend, is a big no-no.