
I recently went to change my password at AliPay, and found out that there are a few restrictions on the password:

  1. It can only be digits
  2. It must be six digits
  3. It can not consist of consecutive digits (123456, 234567, etc.)
  4. It can not consist of a repeated single digit (111111, 222222, etc.)

This all seems idiotic to me. First off, six characters is not a lot. Six digits contain even less entropy. And to top it off, they remove some more possible combinations.

To be fair, I guess things like 123456 or 111111 would be at the top of any hacker's "dictionary" if they were to brute force it. However, there are still only less than a billion possible combinations to try, which in this day and age is not a lot (right?).

Can there ever be any valid reason whatsoever to restrict a password like this? I use a password manager and usually default to 20 characters of random digits, letters and symbols. For a payment service in 2016 I'd expect long passwords containing random symbols to be allowed (or even demanded by the system).

So am I missing something here, or are the people who come up with these limitations just not that security minded?

Magnus
    Is this really the password, or some kind of PIN code? – S.L. Barth Jul 29 '16 at 11:39
  • After googling, I saw this: `Your Alipay account consists of two passwords 1) Alipay.com login password 2) Alipay "Payment" Password`. I assume the password you mentioned is 2. – mootmoot Jul 29 '16 at 12:13
  • @mootmoot Hmm, yeah now even I am not sure anymore. It seems I can't log in to AliPay using the 6-digit "password" (as they call it), but I have to use the password for AliExpress (a real one with letters and symbols). So I'm not entirely sure when the 6-digit "password" is used... perhaps only when paying while logged in to an AliExpress account? – Magnus Jul 29 '16 at 16:09
  • Out of curiosity, I tried to register at Alipay, which redirected me to AliExpress, where the password field shows 6-20 alphanumeric characters. I assume the numeric password is a second-level security check when you make a payment. – mootmoot Jul 29 '16 at 16:46
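An added example (not part of the original question or comments, and not Alipay's code) that enumerates the key space left by the four rules as quoted above, assuming that descending runs such as 654321 are rejected as "consecutive" too, and then puts a worst-case time on exhausting that space at a given guess rate, which shows that throttling and lockout on the service side, not the blacklist, is what bounds an online guessing attack on a six-digit PIN:

```python
import math

PIN_LENGTH = 6


def is_consecutive(pin: str) -> bool:
    """True for a straight run such as 123456 (or, by assumption, 654321)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def is_repeated(pin: str) -> bool:
    """True for a single repeated digit such as 111111."""
    return len(set(pin)) == 1


def allowed(pin: str) -> bool:
    """Apply the four rules quoted in the question (assumed reading: descending runs are rejected too)."""
    return (len(pin) == PIN_LENGTH and pin.isdigit()
            and not is_consecutive(pin) and not is_repeated(pin))


def keyspace() -> dict:
    """Count the PINs that survive the rules and the entropy they leave, by exhaustive enumeration."""
    total = 10 ** PIN_LENGTH
    surviving = sum(1 for n in range(total) if allowed(f"{n:0{PIN_LENGTH}d}"))
    return {"total": total, "allowed": surviving,
            "removed": total - surviving, "bits": math.log2(surviving)}


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate; for an online
    service that rate is whatever its throttling/lockout policy permits."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    ks = keyspace()
    print(f"{ks['allowed']:,} of {ks['total']:,} PINs allowed "
          f"({ks['bits']:.2f} bits); the rules removed only {ks['removed']}")
    # Constructed guess rates for comparison: no throttling vs. a strict lockout policy.
    for label, rate in (("unthrottled, 1000 guesses/s", 1000.0),
                        ("throttled, 5 guesses/hour", 5 / 3600)):
        days = seconds_to_exhaust(ks["allowed"], rate) / 86400
        print(f"{label}: {days:.2f} days to exhaust the space")
```

Running it shows the blacklist removes 20 of the 1,000,000 PINs (about 19.93 bits remain), so the difference between seconds and decades comes entirely from the guess rate the service enforces.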
