Why did customer services say using symbols in a password is insecure?

Question

I am using an online service that I recently had to reset my password because I forgot it. When I went to change password I wanted to use one with a symbol !@£$%^&*(). When I clicked "confirm password" it displayed "_Invaid Data" to me which I eventually found is because of the symbol. I then spoke to customer services and told them about this (as well as to replace "_Invalid Data" with "Passwords can only contain letters and numbers") and they replied back saying "Sorry, the guidelines we put in is place is for security measures". (This is what the message sounded like to me)

The question is why did they say that its insecure to allow symbols in passwords when symbols make it safer?

To make sure they have better security in the future I did educate them and said that if you have a 8 character long password with letters and numbers only, it would allow for 36^8=2,821,109,907,456 combinations where as including the 12 symbols(!@£$%^&*()_+), it would allow for 48^8=28,179,280,429,056 characters long, meaning there is an extra 25,358,170,521,600 combinations and they are now forwarding this information onto their manager.

Answer 1

These 'security measures' aren't for your security, but for theirs.

Symbols like hyphens, apostrophes, percent signs, asterisks, slashes, periods, etc. are useful to attackers for performing "injection" attacks, like SQL Injection, XPath Injection, file path injection, etc. By blocking those characters, the site owners hope that they are preventing you from attacking their servers.

They should probably be focused more on proper data handling, like internally using parameterized SQL and special character escaping, but this is an additional measure that could help serve as a stopgap in case they have a hidden coding error in their site.

---

I can't definitively answer 'why' they did this. Maybe they had a security auditor who said "use a whitelisted character set for user input, and block any non alphanumeric symbols." Maybe the web package they bought came with that restriction. Maybe their Vice President of Security said "add some visible measures that give our customers the impression that we take security seriously." Who knows why?

Answer 2

The question is why did they say that its insecure to allow symbols in passwords when symbols make it safer?

More than likely you were dealing with someone in customer service that has no clue as to why certain rules were put in place and has come to the conclusion, either through using this excuse in the past and having results or making it up in their head, that this will make the person they are dealing with not question and just do.

Your explanation is right about the complexity of a password becoming greatly more secure by adding in symbols as well as letters, upper and lower case, and numbers.

I would write this off as either an untrained customer service agent just trying to make the job easier or this person knows the policy is flawed and just wants to make this conversation as short as possible.

Answer 3

Because they're probably using input sanitation instead of parameterized queries and output sanitation.

If they had parameterized queries, this would not be a problem. If they knew how to sanitize their output, this would not be a problem.

More than likely, their code is vulnerable to a lot of other things, such as unicode-based smuggling. To many "secure developers," input sanitation is simply stripping apostrophes from input, which is an incredibly terrible approach.

This will not protect against unicode-based smuggling, and will interfere with legitimate purposes for apostrophes in a database, such as people's names. Imagine trying to search for someone's last name in a database, but you can't because there's an apostrophe. That's dumb.

The correct solution is as follows: input validation (null > length > format > whitelist) ** > **parameterized queries > output sanitation (to avoid XSS), which they are likely not following. There is no legitimate reason to exclude proper data.

Answer 4

Agree with your analysis that allowing symbols allows for more security, but generally it's not that much. Especially when compared to going to slightly-longer passwords (assuming the password is completely randomly chosen symbols). Using any of the 95 printable ascii characters:

0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|} ~

(a few more if you count characters like tab or linebreak as printable) an 8-character password has 95^8 ~ 6.6 x 10^15 possibilities, while with only (case-sensitive) letters and numbers an 8 character password has 62^8 ~ 2.2 x 10^14 which is about 30 times weaker.

However, a 9-character password with just numbers+lowercase+uppercase is two times stronger than an 8-character password allowing special characters. Thus, unless there are hard limits on the length of a password (and really there never need to be at least for passwords less than a few hundred characters), it is easy to move to slightly longer passwords even with a limited character set.

The biggest potential security concerns is if they believe allowing special characters in passwords could cause problems in their application or database. There is a legitimate reason to exclude non-printable ASCII characters (e.g., ASCII control characters NUL (\0), backspace (\b), etc.) that could cause problems, but well-designed applications should be able to handle regular special characters like ' or - without being vulnerable to injection attacks. An application should be able to handle these types of characters as they appear for example in names with quotes or hyphens in them (e.g., Conan O'Brien, Daniel Day-Lewis). Furthermore, as passwords shouldn't be saved to the database or ever given back to the user and just immediately hashed, allowing printable ASCII special characters shouldn't matter.

Granted there are some usability concerns with non-ASCII special characters like unicode, and for usability concerns it may be a good idea to either forbid these characters or normalize them in a standard way. Hash functions typically expect a string of bytes, and passwords with special characters beyond ASCII can be encoded in different ways at the byte level (e.g., UTF-8, UTF-7, UTF-16, ISO-8859-1). Furthermore, besides different encodings (which you could keep consistent at the application level), you also have to worry about identical looking letters having different values in unicode. For example the following character Å is unicode 00C5, but this identically looking character is Å unicode 212B while this Å is actually two characters -- an ascii A with a combining character of unicode 030a adding a circle over the A.

EDIT:I just noticed you listed £ as one of your common symbol. Unfortunately that's not a standard ASCII symbol. In ISO-Latin-1, it's the byte A3. In UTF-8 it's the two bytes C2 A3. In UTF-7 it's the ASCII characters +AKM-. In UTF-16 it's 00 A3. These different encodings mean that your hash function may break on this character if it's not handled properly. Granted, the application should be able to handle encoding properly, but it could fail on some subset of devices. Furthermore, the character may not be available on foreign keyboards.

There also may be usability issues with characters like ' or " that in some applications/platforms may be converted to smart quotes ‘’“” (though this should never be done in a password context).

Finally, there's one additional rational for having unique password rules -- make it harder for users to have one remembered password that is re-used everywhere, which is a horrific security practice. If the user's "normal" password doesn't meet one site's unique rules, then when their normal password is compromised on some random other site (that say stores the password in plaintext), their account isn't compromised at the site with the unique rules.

Answer 5

A bit long fetched but…

Say, John’s mother gets given a IPad for Christmas, she then decided to log into her bank using it (rather than her laptop), but can’t work out how to “type” the symbol on the IPad. So she asks someone to show her how to type her password…..

Now think about the support issues with customers having passwords they don’t know how to “type” on their phones or tablets. Lot of support calls asking for passwords to be reset is an security issue as well as a cost issue.

Answer 6

Some of the symbols may not be available on all keyboard layouts you interact with. That would prevent you from logging in. This would be a problem for availability, not for security.

But this could become a slight problem of security if the symbol in question were available on an unfamiliar keyboard layout you are working with, but not in a familiar position. In that case, you might have to find out the right key before typing it into the password field. And (particularly in the absence of matching keycaps) you could conceivably type symbols into some editor until the symbol you search for appears. When you stop there, people who get a glance at your editor (while you type or later on because you forgot to close it) will know at least one of the symbols contained in your password.

I have to agree with Eddie Studer's answer: even though there is a far-fetched security implication, chances are that the person telling you about this had no clue as to the real reason behind that policy. It might however have been the availability problem I mentioned up front, of users not being able to log in e.g. from internet cafes in foreign countries. Just to provide one alternative to the injection concerns voiced by most other answers, even though those still are a very likely reason.

Answer 7

Most people can't type symbols without slowing down and pressing multiple keys at once, so there is a small decrease in security if you're trying to type where you might be observed by a human.

Answer 8

Your argument is:
1. a randomly generated password with symbols is stronger than a randomly generated password of the same length with just letters and numbers
2. therefore allowing symbols in passwords make them stronger.

This is valid if and only if people generate passwords randomly.
Let's however compare a password created with the following algorithm:
1. create a password of maximum length - 1 with numbers and letters
2. stick a symbol at the end

Assuming that the number of symbols is less than the number of letters and numbers, this will yield a weaker password than a random password of just letters and numbers, plus provide a false sense of security (`I set it to password$, not password!). Similar arguments can be made for generating passwords by replacing letters with symbols etc.

So one might decide that they'd disallow symbols, in hope that people will choose to use a random/longer password instead of pa$$word. Of course, this "hurts" the users that want to use random passwords with letters + numbers + symbols. But you'd expect that those users will be sufficiently educated to simply add a few more characters, resulting in a password of equivalent strength (assuming you are not limiting the length).

All in all, just because including symbols in some passwords increases their strength, it doesn't follow that allowing people to use symbols will increase the strength of the average password.

Answer 9

Alternatively to their own security, imagine that you have to remember password containing upper and lowercase letters, digits and special characters, most of people going for them would write that password on a piece of paper, possibly together with their login, that would be considered high security risk
And if you use simpler password that you can remember there is much lower chance of it leaking from you
Of course this way they block your ability of using complicated password with password manager, solution safer than piece of paper but still I would consider it less secure than simply remembering your password or passphrase
But telling if they had any reasonable reason or just their system or management is flawed is impossible without being insider

Answer 10

XML / Json Hypothesis:

May be the password is sent to a webservice (hopefully through a safe channel) and they found that special characters resulted in invalid XML or Json. Instead of escaping entities they restricted all symbols.

One security issue is that if you are able to use the escape characters " in XML and \" in Json and the XML/Json is built by String concatenation without CDATA or escaping you may end with a quote in the field even if you checked the String for single and double quotes.

Of course the solution is to avoid string concatenation for building queries with outside parameters.

P.S: The password might also go to LDAP opening the possibility to LDAP injections

Answer 11

I avoid symbols in passwords because they may be difficult to type, especially on keyboard layouts or devices I'm not familiar with.

Also, more importantly, I don't often trust all software developers. Once I used passwords containing spaces. Some services later changed their authentication methods so that they stripped blank spaces from passwords. This made me unable to login.

My fear is that similar things may happen with other symbols too, especially if we consider non-ASCII symbols. By the way, the fact that your customer services are discouraging the use of special symbols is a strong indication of the fact that they shouldn't be trusted and they may do weird things (either now or in the future).

After all, if you think about numbers, using symbols is not much different from adding a few characters to your alphanumeric password:

• 100 symbols (all ASCII printable characters), length 8: 100⁸ combinations;
• 62 symbols (ASCII letters and digits), length 9: 62⁹ combinations, greater than 100⁸.

Using more symbols helps, but increasing length is much better (k^x grows faster than x^k).

Answer 12

But limited characters is pretty common for both password and username.

In secure computing you have something called attack surface, vulnerability, and exploit. Separate is reliability.

Yes more character is more random but you also have a larger attack surface.

You can create sufficiently random passwords with a limited character set. 36^8=2,821,109,907,456 is sufficiently random for most security needs. If not then just raise it to 10 or 12 characters. You can only hope they use random characters. The vulnerability there is passwords you can guess FistNameLastNaveYYMMDD where YYMMDD is date of birth.

Some Unicode character look the same. You can create a diacritic as a separate character. These characters are not the same: Greek Ο, Latin O, and Cyrillic О.

Depending on character set (code page) on your computer you may actually get different mappings. The idea is a safe set of deterministic characters across character sets.

You need to consider HTML encoding, compression over the network, salting, .... What about control characters?

You have to draw the line some where and the fact is you don't need a large character set to create sufficiently random passwords.

This not about programmers being lazy or deficient. It is about delivering solid reliable code. With a controlled character set can better test all possibilities. If something weird happens in transmission there is a smaller test set to figure out what breaks it.

Answer 13

This particular sequence is just holding down SHIFT and typing 1234567890. So I am assuming that they are disallowing this particular sequence because it is simple for a hacker and a lot of people do this. For example, I have seen people use QWERASDFZXCV for a password which is insecure because you are just holding shift and moving down the left side of the keyboard.

Answer 14

As @dr jimbob said you are using the non printable character £ in your password !@£$%^&*(). If you remove the non printable character £ from your password it will be accepted what ever be the service. This is because the password encryption was developed in c or in Java in core level to maintain the high level of security.

---

It is difficult make the non tech people to make them understand non printable characters. So the customer care executive asked you to use the simple alphanumeric not the special characters.

---

Try your new password with !@$%^&*() kindly change the password after testing as it was published online.

Simply speaking the accepted characters are between ASCII 32 to 126

Answer 15

Often user input is combined with other information to produce a larger block of data, in a structured text format such as a database query, web page or command line. This larger block of data is then later interpreted.

This leads to a class of attacks known as injection attacks. The user crafts their input such that when the larger block of data is assembled and re-intepreted the user input is interpreted not as field content but as part of the structure.

In general there are three main ways to defend agains such attacks.

1. Filtering. Limit the user to a subset of characters that you can demonstrate are safe. Ascii alphanumerics are nearly always safe. The nice thing about filtering is you can apply the same filter multiple times without breaking anything, that is hugely valuable if trying to retrofit an existing system.
2. Escaping. Replace the threat characters with some special sequence. The problem with escaping is that escaping needs to match up precisely 1 to 1.
3. Parameterising. Store the untrusted data in a seperate data structure and . This can be the best soloution, but it's not always pracitical.

Non-ascii characters can open up further cans of worms. Some characters are visually indistinguishable, some characters are invisible, some characters break up the normal ordering of character display. Some formats may have multiple representations of the same character or the byte sequence for one character may be a subsequence of the byte sequence for another character. This can create opertunities to "smuggle" characters past filtering or escaping processes.

If you have a legacy system that you know is full of holes, then restricting all untrusted input to ascii alphanumerics may be a sensible defense measure.

That said, putting such restrictions on a password field rings alarm bells, in general systems should do as little processing as possible on passwords in their plain-text form and should convert them to password hashes ASAP. So there is little chance of the attacks mentioned above on password fields.