Password Length Limits

I recently signed up to make my car payments online, which by itself is a wonderful thing. When I need to make a payment I simply double check that the money is in my bank account and then I’m a few clicks away from just making the payment. I really don’t enjoy using the postal system mostly because it takes time out of my day to write out the check, fill out the sending information on the envelope and then find a post office box or post office. The other great thing about online bill paying is that I get a lot less physical mail (something I strongly dislike unless it is a letter from a friend or something of that nature). This particular bill paying system (Ford Credit) has a notable limitation on the MAXIMUM length of a password, only 10 characters!

This upsets me for several reasons. The first reason is that all of my passwords are longer than 10 characters (some as long as 25). So, I have to truncate what would be an otherwise secure password in order to use my current password system. Either that, or Ford Credit needs to have its own password which makes it much less likely that I will remember it (though, I have to remember the limitation of it being a 10 character password already). It seems like the 10 character upper limit is fairly arbitrary. I understand that they might need an upper limit in terms of database storage or something, but I assume they run the password through a hashing algorithm in which case the length of the actual password should not be an issue. It is a simple mathematical fact that longer passwords are more secure (exponential growth, after all). So why limit the upper bound?

The other thing that crosses my mind is that their password maximum length squashes the idea of a “passphrase”. I understand that there is a fundamental difference between passwords and passphrases, but I tend to like the idea of a passphrase simply because I find them easier to remember. Yes, I know it’s more typing, but if I have to look up passwords in kwallet I’m already better off time-wise using a passphrase.

To be clear, this isn’t a knock on the actual service offered by Ford Credit. I find that quite easy to use. It is just that the password policy seems rather strange to me.
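The hashing and length argument above, as an added example that is not part of the original post and says nothing about how Ford Credit actually stores passwords: a salted PBKDF2 record is the same size for a 10-character password and a long passphrase, while a 10-character truncation makes distinct passphrases interchangeable. The iteration count, the 94-symbol alphabet and the sample passwords are assumptions made for the sketch.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

ITERATIONS = 100_000   # assumed work factor for this sketch
SALT_LEN = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256 digest: always 16 + 32 = 48 bytes."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest

def verify_password(password: str, record: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, expected = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)

def truncate(password: str, limit: int = 10) -> str:
    """Model a site that silently keeps only the first `limit` characters."""
    return password[:limit]

def search_space_bits(length: int, alphabet_size: int = 94) -> float:
    """log2 of the number of possible passwords of exactly `length` symbols."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ["Tr0ub4dor&", "correct horse battery staple"]:
        record = hash_password(pw)
        print(f"{len(pw):2d} chars -> {len(record)} byte record, "
              f"{search_space_bits(len(pw)):.1f} bits of search space")

    # With a 10-character cap, only the shared prefix is ever hashed.
    stored = hash_password(truncate("correct horse battery staple"))
    print("different passphrase accepted after truncation:",
          verify_password(truncate("correct horsefly"), stored))
```

The search-space figure is an upper bound for uniformly random characters; a passphrase built from dictionary words has less entropy per character than this estimate suggests.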

3 Responses to Password Length Limits

  1. Wes says:

    > “…I assume they run the password through a hashing algorithm in which case the length of the actual password should not be an issue.”

    I wouldn’t be too hasty to make that assumption… :-p

  2. kB Monkey says:

    I don’t like these password limits either, a pet peeve of mine is when sites do not allow special characters, I mean really now!

    Nice post, subscribing to your blog.
