Why are we still limiting password characters?

It’s 2013 – why are web sites and companies forcing us into archaic password management structures?

At my institution, we recently updated our purchasing card reporting system, run by a major, major big time bank. You would think that they would take password security very seriously, especially given the nature of this site and the type of information stored within it. You’d be wrong.

When I was setting up my account in this system, imagine my surprise to find this as the requirements for a password on the new platform.

[Screenshot, 2013-06-17: the new platform's password requirements]

So let me get this right – between 6 and 8 characters, and no special characters? They're either storing their passwords in plain text or they have some ancient legacy system they don't want to spend the money to update.

In today's age of GPUs that can try billions of password guesses in minutes, there is no reason whatsoever to limit which characters can be used in a password. These sites should be hashing the passwords anyway, preferably with a slow hashing algorithm like bcrypt; a hash has a fixed length no matter what you feed it, so the input's length and character set cost the site nothing.
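To make the point concrete, here is an added example (not code from the original post or from any of the sites it mentions). It puts a policy modelled on the "6 to 8 characters, no special characters" rule beside a policy a hashing site can afford, compares the search space each one leaves an attacker, and stores passwords with a salted slow hash. Assumptions: the standard library's PBKDF2-HMAC-SHA256 stands in for bcrypt (which needs a third-party package), and the policy dictionaries, iteration count and storage format are all made up for the example.

```python
import hashlib
import hmac
import math
import os

# Constructed policies: the first mirrors the bank's rule quoted in the post,
# the second is what a site that hashes passwords can allow (a generous
# maximum only bounds the cost of hashing very long inputs).
RESTRICTIVE_POLICY = {"min_len": 6, "max_len": 8, "allow_special": False}
PERMISSIVE_POLICY = {"min_len": 12, "max_len": 128, "allow_special": True}

SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ ")


def check_policy(password: str, policy: dict) -> tuple:
    """Return (accepted, reason) for a password under the given policy."""
    if len(password) < policy["min_len"]:
        return False, "too short"
    if len(password) > policy["max_len"]:
        return False, "too long"
    if not policy["allow_special"] and any(ch in SPECIALS for ch in password):
        return False, "special characters not allowed"
    return True, "ok"


def search_space_bits(max_len: int, alphabet_size: int) -> float:
    """log2 of the number of candidate passwords of length 1..max_len drawn
    from an alphabet of the given size: how much work an exhaustive guesser
    faces when the site caps length and character set."""
    total = sum(alphabet_size ** n for n in range(1, max_len + 1))
    return math.log2(total)


# Assumption: PBKDF2-HMAC-SHA256 as a stand-in for bcrypt. Both are
# deliberately slow; the iteration count is the tunable cost.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str) -> str:
    """Salt and slow-hash a password of any length or character set.
    The stored record is the same size whatever the input was."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # 8 chars from letters and digits (62 symbols) versus 128 chars from
    # printable ASCII (95 symbols): the cap is what makes guessing feasible.
    print(f"restrictive search space: {search_space_bits(8, 62):.1f} bits")
    print(f"permissive search space:  {search_space_bits(128, 95):.1f} bits")
    for pw in ["pas!wrd", "correct horse battery staple"]:
        print(pw, check_policy(pw, RESTRICTIVE_POLICY), check_policy(pw, PERMISSIVE_POLICY))
    record = hash_password("correct horse battery staple")
    print(len(record), verify_password("correct horse battery staple", record))
```

The `search_space_bits` numbers are the whole argument in one line each: eight alphanumeric characters give under 48 bits of search space, which is GPU territory, while a long passphrase from the full printable set is out of reach. Nothing in `hash_password` cares which characters went in, so the only reason to forbid them is that something downstream is not hashing.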

I worry about password security, and feel good when a site or software I use takes it seriously. Take a look at WordPress, a platform I use every day: its default setup uses the PHPass framework, which uses bcrypt.

The only way I'd feel slightly better about password rules like these is if the site also required two-factor authentication, whether through an app like Google Authenticator, a text message with a one-time code, or some sort of key-generating device. I wrote about using Google's product in conjunction with WordPress a few months ago.