
A bank I (previously) used in Australia forced users to comply with a 6-character limit on every password. Specifically, the rules were:

  • 6 characters exactly, including at least 1 number and letter
  • No more than 2 repeating characters
  • No blanks, spaces or special characters

Now, I've been developing sites for almost a decade, and I've been under the impression that imposing any sort of limit on passwords is frowned upon (let alone a 6-character one).

On top of this, the 6-character password is stored case-insensitively. This means that there are only 36^6 possible password combinations (2,176,782,336). Light work for a computer these days.

What possible reason could they have to do this? I would think a bank would have the highest level of security and want their users to have as complex passwords as possible.

GROVER.
  • Does this answer your question? [Bank forces me to use six character alphanumeric password](https://security.stackexchange.com/questions/22777/bank-forces-me-to-use-six-character-alphanumeric-password), [Is a 6 digit numerical password secure enough for online banking?](https://security.stackexchange.com/questions/124682/is-a-6-digit-numerical-password-secure-enough-for-online-banking), [What technical reasons are there to have low maximum password lengths?](https://security.stackexchange.com/questions/33470/what-technical-reasons-are-there-to-have-low-maximum-password-lengths) – Steffen Ullrich Nov 30 '22 at 06:25
  • Also there is some information missing to evaluate how bad it is: how many attempts can you make before the account gets locked, is there rate limiting on attempts, what can be done with a known password - i.e. only some information or basically all transactions without further authentication. – Steffen Ullrich Nov 30 '22 at 06:28
  • Rate limiting or just slow password checking can help. For example if you try entering a six digit password on an iPhone, after five or six attempts you will be significantly slowed down so it is practically impossible to try 100 passwords (this is something a hacker would try to get around), and it takes 80ms to verify a password (with no way around it, so these six characters and digits would be quite safe). – gnasher729 Nov 30 '22 at 15:10
  • All that said, I hate it when someone or something doesn't accept passwords that my browser or my phone generate. For example "at least one digit, special character, uppercase character" is pointless when my iPhone generates a password with _lots_ of digits and lowercase characters. – gnasher729 Nov 30 '22 at 15:14
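The keyspace figure in the question (36^6) ignores the bank's own rules, which shrink the space slightly, and the comments above point out that the guess rate an attacker can achieve matters more than the raw count. The following is an added worked example, not code from the question, the answer or the bank: it counts the six-character strings that satisfy the three quoted rules exactly and converts that count into worst-case exhaustion times. Two things are assumed rather than given on the page: "no more than 2 repeating characters" is read as "the same character never appears three or more times in a row", and the guess rates in `ASSUMED_RATES` are illustrative, not measurements.

```python
"""Keyspace arithmetic for the bank's six-character password policy.

Added example, not part of the original question or answer. The reading
of the "repeating characters" rule and the guess rates are assumptions.
"""
from functools import lru_cache

LETTERS = 26    # passwords are stored case-insensitively, so a-z only
DIGITS = 10
LENGTH = 6
MAX_RUN = 2     # assumed reading of "no more than 2 repeating characters"


def count_policy_passwords(length=LENGTH, letters=LETTERS, digits=DIGITS,
                           max_run=MAX_RUN):
    """Count strings of `length` characters drawn from `letters` + `digits`
    symbols that contain at least one letter and at least one digit and
    never repeat the same character more than `max_run` times in a row.

    Dynamic programme over positions. State: (has_letter, has_digit,
    class of the last character, current run length). Characters within
    a class are interchangeable for these rules, so only the class is
    tracked, and the count stays exact without enumerating 36^6 strings.
    """
    sizes = {"L": letters, "D": digits}

    @lru_cache(maxsize=None)
    def rec(pos, has_l, has_d, last, run):
        if pos == length:
            return 1 if (has_l and has_d) else 0
        total = 0
        for cls, size in sizes.items():
            nl, nd = has_l or cls == "L", has_d or cls == "D"
            if cls == last:
                # the very same character again: 1 way, and the run grows
                if run < max_run:
                    total += rec(pos + 1, nl, nd, cls, run + 1)
                # a different character of the same class: size - 1 ways
                total += (size - 1) * rec(pos + 1, nl, nd, cls, 1)
            else:
                # any character of the other class: size ways, run resets
                total += size * rec(pos + 1, nl, nd, cls, 1)
        return total

    return rec(0, False, False, None, 0)


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at a constant guess rate."""
    return keyspace / guesses_per_second


# Assumed guess rates, for illustration only (not measured figures).
ASSUMED_RATES = {
    "online, lockout/throttling (~1 guess/s)": 1.0,
    "online, no throttling (~1000 req/s)": 1_000.0,
    "offline, fast unsalted hash (~1e9/s)": 1e9,
}


def days_to_exhaust_by_rate(keyspace):
    """Map each assumed rate to the days needed to exhaust the keyspace."""
    return {name: seconds_to_exhaust(keyspace, rate) / 86400
            for name, rate in ASSUMED_RATES.items()}


if __name__ == "__main__":
    unconstrained = 36 ** 6
    policy = count_policy_passwords()
    case_sensitive = count_policy_passwords(letters=52)
    print(f"all 6-char [a-z0-9] strings : {unconstrained:,}")
    print(f"meeting the bank's rules    : {policy:,}")
    print(f"same rules, case-sensitive  : {case_sensitive:,}")
    for name, days in days_to_exhaust_by_rate(policy).items():
        print(f"{name:42s} {days:14.3f} days")
```

The rules remove only about 15% of the 36^6 strings (every string that is all letters or all digits, plus the few with a triple), so the "light work" point stands for an offline attack on a leaked fast hash. Whether it stands for an online attack depends entirely on the lockout and rate-limiting questions Steffen Ullrich raises: at one guess per second the same keyspace takes decades, which is why those missing details decide how bad the policy is.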

1 Answer

> What possible reason could they have to do this?

The key point is that they can justify it to audits. Banks usually base their security strategy on compliance, and the NIST guideline may suffice for their purposes (although, in this specific case, whether it's justifiable according to the guidelines is subject to interpretation, but anyway).

What reasons there are behind it, we don't know. Maybe they're using legacy systems. Maybe they're using password validation engines that underperform significantly with longer passwords. Or maybe the people involved in security-related decisions lack proper security training and awareness.

But short passwords, by themselves, cannot characterize the system's security as a whole; it depends on what other measures are in place in order to protect against account violations. Steffen Ullrich has already pointed out in his comments several things to consider around this.

Spyros