Password Length Limits

April 7, 2010

I recently signed up to make my car payments online, which by itself is a wonderful thing. When I need to make a payment I simply double check that the money is in my bank account and then I’m a few clicks away from just making the payment. I really don’t enjoy using the postal system mostly because it takes time out of my day to write out the check, fill out the sending information on the envelope and then find a post office box or post office. The other great thing about online bill paying is that I get a lot less physical mail (something I strongly dislike unless it is a letter from a friend or something of that nature). This particular bill paying system (Ford Credit) has a notable limitation on the MAXIMUM length of a password, only 10 characters!

This upsets me for several reasons. The first reason is that all of my passwords are longer than 10 characters (some as long as 25). So, I have to truncate what would be an otherwise secure password in order to use my current password system. Either that, or Ford Credit needs to have its own password, which makes it much less likely that I will remember it (though I already have to remember the limitation of it being a 10 character password). It seems like the 10 character upper limit is fairly arbitrary. I understand that they might need an upper limit in terms of database storage or something, but I assume they run the password through a hashing algorithm, in which case the length of the actual password should not be an issue. It is a simple mathematical fact that longer passwords are more secure (exponential growth, after all). So why limit the upper bound?

The other thing that crosses my mind is that their password maximum length squashes the idea of a “passphrase”. I understand that there is a fundamental difference between passwords and passphrases, but I tend to like the idea of a passphrase simply because I find them easier to remember. Yes, I know it’s more typing, but if I have to look up passwords in kwallet I’m already better off time-wise using a passphrase.

To be clear, this isn’t a knock on the actual service offered by Ford Credit. I find that quite easy to use. It is just that the password policy seems rather strange to me.

Resetting a Linux Password

November 22, 2008

While in the computer science lab today another student approached me with the following dilemma. They needed to do some programming over Thanksgiving break, but were not going to have Internet access to ssh into the lab machines. The student had installed Ubuntu on their laptop, but had forgotten the password because they had not used it in a while. They wanted to completely reinstall, but I said that would take quite a while when they could probably just reset the password. I offered to help and this sent me down an hour long journey to reset their password 🙂 mainly because I had to keep getting more and more equipment from my dorm room.

My first attempt was simply to pop in a Linux boot CD and chroot into their existing installation. From there I figured I would be root and could simply passwd my way to victory. This failed because his CD ROM drive, which was in shambles, refused to load the boot CD. Not one to give up easily I resorted to pulling out his hard drive and hooking it up to a little device I have which converts a hard drive to a USB device. Since I have Linux on my laptop I figured I’d just chroot over to his setup and be done with it. Well… that didn’t work because he had a 64-bit machine and when the chroot tried to run his version of bash it failed miserably. This makes sense because I only have a 32-bit machine.

I wasn’t going to give up there either. The next step I took was to change the password on my system and copy the hash out of my /etc/shadow to his /etc/shadow. For those who don’t know, /etc/shadow is where Linux stores its hashed passwords. The idea behind the hash is that it is sort of a one-way encryption. In theory it is impossible to reverse the hash, and the only way to figure out what it belongs to would be to hash every possible combination of letters, numbers, punctuation, etc. This works great for passwords though, because when validating a password you simply need to hash the user’s attempt and compare it with the hash of the real password. Since the hash for a given string always comes out the same, you know it’s a match if the hashes match.
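The two points above (from the Ford Credit post: a hashed password takes the same storage no matter how long it is; and from this post: verification means hashing the attempt and comparing digests) fit in one small example. This is added illustration, not code from the original post and not the /etc/shadow format itself: it assumes a hypothetical record layout `pbkdf2_sha256$iterations$salt$digest` and uses Python's standard-library PBKDF2 in place of the crypt(3) SHA-512 scheme that shadow files use.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters of the hypothetical scheme (an assumption made for this example).
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$digest'.

    The digest is always 32 bytes (64 hex characters) however long the
    password is, so a fixed-width storage column is no reason to cap the
    password at 10 characters.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(attempt: str, record: str) -> bool:
    """Hash the attempt with the stored salt and iteration count, then compare.

    Same input, same salt, same parameters give the same digest, so digest
    equality means the attempt is the real password. compare_digest keeps the
    comparison time independent of where the first differing byte is.
    """
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never accept
    if scheme != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def digest_length(record: str) -> int:
    """Length in hex characters of the digest field of a record."""
    return len(record.split("$")[-1])


if __name__ == "__main__":
    short_pw = "Tr0ub4dor!"                                  # 10 characters (constructed)
    long_pw = "correct horse battery staple and then some"   # well over 10 (constructed)
    for pw in (short_pw, long_pw):
        print(len(pw), "chars ->", digest_length(hash_password(pw)), "hex digits of digest")
    rec = hash_password(long_pw)
    # The full passphrase verifies; the first ten characters of it do not.
    print(verify_password(long_pw, rec), verify_password(long_pw[:10], rec))
```

One caveat worth knowing when applying this reasoning to a real site: the "hashing makes length irrelevant" argument holds only if the chosen function does not truncate on its own. PBKDF2 and the SHA-crypt schemes used in /etc/shadow do not, but bcrypt silently ignores everything after the 72nd byte, so a site using it would need a stated maximum around that point rather than 10.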

After a few attempts at typing in the hash correctly I was able to reset his password and we logged into his machine without any troubles 🙂 .

I always love a good tech support challenge 😀

Pidgin’s Plaintext Passwords

August 11, 2008

This has actually bothered me for quite some time now (even back when pidgin was called GAIM). That is the simple fact that when you want to have pidgin save your login password it is saved: in an easy to access location, and in an unencrypted fashion. Here is the excerpt from my ~/.purple/accounts.xml file:


So I ask you, is this a good idea? Well I sure don’t think so. Yeah, you could argue that under the perfect scenario a person wouldn’t be able to view that file without the login information for the computer. However, how many times have you walked away from the computer and forgotten to lock the screen? It still happens to me from time to time, and I’m willing to bet it could happen to anyone. So, in less than a minute someone could have easily found that password in the config file.
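A quick way to check your own machine for this is to list which accounts in accounts.xml have a saved password, without printing the passwords themselves. The script below is an added example, not Pidgin's code; the sample file is constructed, and the element layout (a root `account` element holding one `account` per login, each with `protocol`, `name` and an optional `password` child) is assumed from libpurple's format rather than taken from the original post's excerpt.

```python
import os
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed sample in the assumed accounts.xml layout; not the author's file.
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-aim</protocol>
    <name>example_screenname</name>
    <password>hunter2</password>
  </account>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>someone@example.org/Home</name>
  </account>
</account>
"""


def saved_plaintext_passwords(xml_text: str) -> List[Tuple[str, str]]:
    """Return (protocol, name) for every account with a non-empty <password>.

    A present, non-empty password element means the secret sits unencrypted on
    disk; accounts that prompt at login have no such element.
    """
    root = ET.fromstring(xml_text)
    found = []
    for acct in root.findall("account"):
        if acct.findtext("password"):
            found.append((acct.findtext("protocol", ""), acct.findtext("name", "")))
    return found


def audit_file(path: str) -> List[Tuple[str, str]]:
    """Audit a real accounts.xml if present, else fall back to the sample."""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as f:
            return saved_plaintext_passwords(f.read())
    return saved_plaintext_passwords(SAMPLE_ACCOUNTS_XML)


if __name__ == "__main__":
    for protocol, name in audit_file(os.path.expanduser("~/.purple/accounts.xml")):
        print(f"saved password on disk: {protocol} {name}")
```

Any account the script reports is one whose password can be read by anyone who sits down at the unlocked screen, which is exactly the scenario described above; the fix on the user's side is to clear the saved password for that account so Pidgin prompts instead.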

The moral of the story here is that perhaps you shouldn’t have pidgin save your passwords. At least until they implement some level of encryption. Don’t get me wrong though, I love pidgin, and it is a great IM client 🙂 .