8 Character Password Limit A Mistake?

[joeypesci]

So, went to buy some Premium Bonds the other day from NS&I http://www.nsandi.com/ and had to sign up. I stopped, why? Because their password limit is only 8 characters long! WTF? I needs to be letters, numbers and special characters however, surely 8 character limit is WAY to short, especially for such a big financial site? Mentioned to Digininja who suggested it's probably to keep support calls down and I think he's right. I e-mailed them warning of the danger but got this fobbed off reply:

First of all, we do appreciate your feedback so thank you for taking the time and trouble to contact us about this.

When selecting our password format we did take independent advice on the best password solution for our customers. The recommendation was that the password was greater than 7 characters containing a mixture of upper and lower case letters, number and keyboard symbols recognising that there are certain keyboard symbols that would not be advisable to use. Our decision was to take that advice and we selected a password length of 8, as the optimum balance between security and usability.

I forwarded the points you raised regarding salting and hashing to our website's technical manager. He replied that as an IT engineer, you will understand that we can't give any specific answer regarding those points.

He also said you can be reassured that the password is just one layer in a multi-layered security system, and we ask customers to provide additional security details which we use to secure access to their accounts.

I am sure you will also realise that we undertake regular audits both internally and externally to identify any weaknesses or improvements that can be made. Security is paramount to NS&I and it is an area in which we will not compromise.

Kind regards

Carol Parkinson

Customer Service Team

NS&I Blackpool

If replying please leave original text

Please note that I may have deleted some information from your email as emails are not a secure form of communication

The last "Please note" bit is ironic because she left my e-mail address, my full name and my address in the e-mail. So what was this "Deleted some information" then?

Seems companies like this won't listen until someone breaks in. Sony didn't until it all went tits up.

My question is, not being an expert, I'm am write about the 8 character limit being seriously insecure?

Worst still is the National Lottery site limits to 12 characters, numbers and letters only and NO special characters aloud. Their reply to me was essentially "we're secure, f*** off". That was about a year ago. Recently sent another e-mail pointing out the issue again. They haven't even bothered replying this time.

[hexophrenic]

8 characters, with siufficient keyspace (you mention alphanumeric + special), should protect your information sufficiently. The time required to bruteforce 8 characters is still likely prohibitive (ie, still measures in years). If you are uncomfortable, change it daily/weekly/monthly/whatever. However, you are still trusting a third party to protect your password, which is the bigger risk than strength of password. IMHO, the bigger issue with passwords than bruteforcing a website would be SQL injection and retrieving said passwords from plaintext or to find out the encoding/encryption used was weak. Much quicker than brute forcing. All that being said, I am hopeful as legacy systems are replaced that companies are looking to support much longer passphrases.

[joeypesci]

My thought was could you not do the following:

Having messed about with GPU HASH cracking I'm amazed how quick it is. So wouldn't it be possible to do a man in the middle attack on a WIFI network, get the login for this site and does sslstrip give you the HASH? If that is just a HASH and they haven't bothered to salt it, surely with GPU HASH cracking, left with a PC running all the time, isn't going to take it not to crack that HASH and password. As limiting it to 8 characters would make it easier. As there are going to be people out there that will make their 8 char combo easy to remember.

I could be wrong.

[Sparda]

The thing that is most scary about a short password limit: It probably means your password is been stored in plain text.

[hexophrenic]

My thought was could you not do the following:

Having messed about with GPU HASH cracking I'm amazed how quick it is. So wouldn't it be possible to do a man in the middle attack on a WIFI network, get the login for this site and does sslstrip give you the HASH? If that is just a HASH and they haven't bothered to salt it, surely with GPU HASH cracking, left with a PC running all the time, isn't going to take it not to crack that HASH and password. As limiting it to 8 characters would make it easier. As there are going to be people out there that will make their 8 char combo easy to remember.

I could be wrong.

If you are using WPA2 with a strong passphrase you shouldn't worry so much about a man in the middle attack of the AP, IMHO. But what you are describing would be a fairly targeted attack, which means most of the common defenses would not hold up given a skilled attacker. Again, if I were trying to capture the records, I would probably try to do so closer to the source as I can get far more accounts than just attacking yours. All things being equal, you are right. But in a practical sense, I would not lose any sleep over it.

As I stated before and was mentioned again by Sparda, I would be far more concerned with how THEY are protecting my password in THEIR system.

[Infiltrator]

Yeah I know their password policy sucks and you are not the only one facing this dilemma. I recently opened up an E-trade account and after a few days I forgot my trading password. Called the bank help desk and one of their operators told me no to use special characters ($^$%@*#) but letters and numbers. I was like what the FFF.

[joeypesci]

The National Lottery have ignored me totally this time. Went on WilliamHill the other day, that's just as bad. It's shocking that all these places that deal with money are using piss poor password policies. Yet, the hosting company that host my site Ariotek (based in Scotland) use HTTPS for their whole site on everything, even their forum and they seem more secure than some of these financial institutes.