I found a webpage where users can be registered. However, it seems that the length of the password must be between 6 to 12 characters.

Is that a security risk?

Greenonline
Layman
  • I don't think that the linked questions are duplicates. The first one is asking if there are problems with *not* having a maximum password length, the second is asking what *reasons* there are to have a maximum password length. Neither is asking if it is a security risk to have a (low) maximum password length. The answer is obviously yes, so it's not an interesting question, but not really a duplicate either. – tim Mar 12 '16 at 17:36
  • Just out of interest, which website was it? – Greenonline Mar 13 '16 at 08:55

4 Answers

Yes. Passwords are by nature very prone to being mishandled, and most decisions taken about their management are arbitrary or have more grounds in function than in security. In particular, any measure that trims the possible password space is particularly bad.

One example is ATM PINs. They have only 4 digits (in most cases, at least), so most of their strength relies on the fact that retries are limited. So, for a normal scenario, you have 3 tries to guess a value out of 10000. That means a probability of success of 1/3333. Humans are terrible at randomness, and as a result some PINs are more likely than others: 1111, 1234, and so on. As a result, some banks introduce rules: no repeated numbers (now you have only 5040 possible PINs), no math sequences (1234, 2468... how many of those can you build?), no keyboard patterns (L shaped PIN, a straight line, etc.). After you blacklist so many options, the attacker now has a much smaller search space to guess, and the probabilities are more favorable for them.

For a more open environment (higher capabilities for the attacker), there are lower limits that make sense, since a dictionary attack is almost trivial for short passwords. Some would say 8, some would say 10, but nobody would say 6 is reasonable. If the passwords are hashed (and salted), there comes a point where longer passwords bring no increase in security, but it makes little sense to put a limit on them.
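The PIN arithmetic in this answer (and the "limited tries" point made in the last answer below) can be checked by enumerating the space and applying each blacklist rule in turn. The following is an added example, not code from the original answer: the keypad layout, the exact reading of the three rules (all digits distinct; constant step between digits; adjacent keys forming a straight line or a single right-angle turn) and the three-try limit are assumptions made for the illustration. It shows how each rule, introduced to remove weak PINs, also shrinks the set an attacker has to cover.

```python
from itertools import product

# Typical ATM keypad layout (row, column), constructed for this example so
# that "straight line" and "L shaped" PINs can be recognised.
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}

def all_pins(length=4):
    """Every PIN of the given length: 10**length candidates."""
    return ["".join(p) for p in product("0123456789", repeat=length)]

def has_repeated_digit(pin):
    """Rule 1, 'no repeated numbers': every digit distinct (rejects 1111, 1221)."""
    return len(set(pin)) < len(pin)

def is_arithmetic_sequence(pin):
    """Rule 2, 'no math sequences': a constant step between digits (1234, 2468, 9753)."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return len(steps) == 1

def is_keypad_pattern(pin):
    """Rule 3, 'no keyboard patterns': adjacent keys forming a straight line
    (2580) or a path with exactly one right-angle turn, an L shape (1478)."""
    coords = [KEYPAD[c] for c in pin]
    moves = [(r2 - r1, c2 - c1) for (r1, c1), (r2, c2) in zip(coords, coords[1:])]
    if any(max(abs(dr), abs(dc)) != 1 for dr, dc in moves):
        return False                       # a jump across the pad is not a pattern
    turns = [i for i in range(1, len(moves)) if moves[i] != moves[i - 1]]
    if len(turns) > 1:
        return False                       # zig-zags are not counted as simple patterns
    if not turns:
        return True                        # straight line
    (dr1, dc1), (dr2, dc2) = moves[turns[0] - 1], moves[turns[0]]
    return dr1 * dr2 + dc1 * dc2 == 0      # the single turn is a right angle: L shape

def allowed_pins(rules, length=4):
    """PINs that survive every blacklist rule: the space an attacker must search."""
    return [p for p in all_pins(length) if not any(rule(p) for rule in rules)]

def guess_probability(space_size, tries=3):
    """Chance that `tries` attempts hit a PIN chosen uniformly from the space."""
    return min(1.0, tries / space_size)

def shrinking_space(tries=3):
    """(rules applied, PINs remaining, success probability) as rules are added."""
    rules = [has_repeated_digit, is_arithmetic_sequence, is_keypad_pattern]
    out = []
    for n in range(len(rules) + 1):
        size = len(allowed_pins(rules[:n]))
        out.append((n, size, guess_probability(size, tries)))
    return out

if __name__ == "__main__":
    for n_rules, size, p in shrinking_space():
        print(f"{n_rules} rule(s) applied: {size:5d} PINs remain, "
              f"P(success in 3 tries) = 1/{1 / p:.0f}")
```

With no rules the attacker's three tries give 3/10000 (the 1/3333 from the answer); the first rule alone leaves 5040 PINs, and each further rule removes more candidates. The probabilities assume PINs are chosen uniformly from what remains, which is exactly what humans do not do, so the figures are a floor on the attacker's odds, not a ceiling.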

In addition to looking at the entropy of a short password the way the other answers have, you should consider why the site has a restricted password length. There's no valid technical reason for a modern website (or almost any other authentication system) to have a maximum password length (at least, not one any human would ever exceed by accident). Passwords shouldn't ever be stored anywhere in any form except briefly in RAM; they should be run through a Key Derivation Function (the most popular ones are called scrypt, bcrypt, and PBKDF2, in descending order of difficulty to crack) and the resulting key should be stored in the database along with the salt and other KDF inputs (aside from the password, obviously) necessary to derive said key. KDFs don't care how long your password is; they'll produce a constant-length key in any case.

If a site is enforcing a maximum password length, then it quite likely isn't running passwords through a KDF (or even a simple hash function, which is much too easy to brute force but still supports arbitrary-length passwords). That means they're storing the password either in plain text, or with reversible encryption. The first option is REALLY BAD, and the second isn't much better. People's databases get leaked pretty frequently, and when that happens the attacker can use any plain-text passwords directly, or can probably decrypt the passwords (may need to pull a file off the web server's file system, but if you can get the database you can often get files too and the key needs to be stored somewhere). Either way, the attacker can now log in as any user on that site, and can also try to log in with the same credentials on other sites because many people make the terrible mistake of re-using passwords.

So yes, you should be very suspicious of any site that enforces a maximum password length.

CBHacking
  • `bcrypt`'s limit is 81 (which is a valid technical reason), btw you should be using [Argon2](https://github.com/P-H-C/phc-winner-argon2) nowadays... – wb9688 Mar 13 '16 at 19:50
  • Fair enough. 81 is arguably into the "[no] human would ever exceed by accident" range, though I put that in there more for things like "might crash your browser trying to POST more than 2GB of data". I'll check out Argon2, thanks! – CBHacking Mar 14 '16 at 07:56
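The storage scheme this answer describes (run the password through a KDF, keep only the derived key together with the salt and the other KDF inputs) can be shown with nothing but the Python standard library. The following is an added example, not code from the answer's author: it uses PBKDF2-HMAC-SHA256, which, unlike bcrypt, has no input-length limit because HMAC itself hashes over-long inputs, and the record format, iteration count and key size are choices made for the illustration. The point it demonstrates is that a 6-character and a 500-character password produce records of identical shape, so the length cap the question asks about serves no purpose on the storage side.

```python
import hashlib
import hmac
import os

# Parameters chosen for this example. A real deployment tunes ITERATIONS to its
# hardware and stores it in every record (as done below) so it can be raised
# later without invalidating existing users.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_BYTES = 32

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a fixed-length key from a password of any length and return a
    self-describing record: algorithm$iterations$salt_hex$key_hex.
    The password itself never leaves this function."""
    salt = os.urandom(SALT_BYTES)                 # fresh random salt per record
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "$".join([ALGORITHM, str(iterations), salt.hex(), key.hex()])

def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the salt and iteration count stored in the record
    and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False                              # malformed record
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
        dklen=KEY_BYTES,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))

def stored_key_length(record: str) -> int:
    """Length in bytes of the key held in a record (constant regardless of input)."""
    return len(bytes.fromhex(record.split("$")[3]))

if __name__ == "__main__":
    short_record = hash_password("abc123")
    long_record = hash_password("x" * 500)
    print(short_record)
    print(long_record)
    print("key bytes:", stored_key_length(short_record), stored_key_length(long_record))
    print("verify ok:", verify_password("abc123", short_record))
    print("verify wrong:", verify_password("abc124", short_record))
```

Because the iteration count travels with the record, an operator can raise it for new users and re-hash existing users at their next successful login. The constant-time comparison matters less than the KDF cost, but it is the idiom to use whenever a secret-derived value is compared.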
Yes, it is a security risk.

The length of your password greatly affects your account's security.

Assuming a website only allows lower-case letters [a-z] and limits your password to 1-4 characters.

It will only take 26^4 (456,976) different permutations. Hence, it will only take a maximum of 456,976 different trials to determine your password.

If you increase its length to 12 characters, there will be a maximum of 26^12 (9.54 x 10^16) different permutations.

To put it simply, the length of your password is definitely a factor in your account's security. The longer your password is the greater the security.

If you have no choice but to settle with a limited length for your password...

Here are some ways to make your account much more secure against brute-forcing:

  • Add Capital Letters (PaSSwOrD)
  • Add Numbers (P455w0Rd)
  • Add Symbols (P@55w0R_d)
  • Keep in mind that passwords are passwords. In other words, they aren't just random, evenly distributed strings. That means that vectors such as dictionary attacks are possible, reducing the search space sizeably. In particular, common replacement techniques (s->5, o->0) don't increase the difficulty of the password as much as one would expect, since attackers expect such changes. A great review on not so safe passwords can be found at http://arstechnica.com/security/2015/08/cracking-all-hacked-ashley-madison-passwords-could-take-a-lifetime/ – Sergio A. Figueroa Mar 12 '16 at 16:01
Please consider the whole security environment. For example, ATMs are usually monitored by camera. In that setting using a 4-digit PIN may be acceptable, since fraud attempts will be caught on camera.

If a web site shuts out any user that makes two password errors, then perhaps a short password may be acceptable. However, if the web site allows unlimited password errors and uses very short passwords, then this is certainly a security hole. The reasons for this are listed in the other answers, i.e. a brute-force attack can succeed due to the small number of possible passwords.

  • One comment: cameras are barely a deterrent, but not really a good tracing control. I'd say that the limited re-try attempts and the _authenticated terminal_ that is an ATM are most likely the reason why PINs are deemed reasonable in that scenario. Other than that, good point on the fact that different environments call for different approaches. – Sergio A. Figueroa Mar 14 '16 at 12:44