raelog://archive-2007-website-security-and-privacy

[archive: 2007] Website security and privacy

2007-11-13

Original title: Stupid website security policies and ways to protect your passwords/online accounts

Published November 13, 2007

Present-day note (2025):
This post was originally written in 2007 and is preserved largely as-is, as a snapshot of how I was thinking at the time. Some details are dated; others still feel relevant. If I were writing it today, I’d frame parts of it differently, but I’m leaving the original voice intact.

Ok, so this has been bugging the hell out of me lately: how some websites and services have really unsatisfactory password security policies.

For example, Plaxo, which only allows you to create a password that is between 6 and 10 characters long. Um, hello??!! That is bloody ridiculous! I’m sorry Plaxo, but I just don’t feel safe storing my whole freggin’ address book on your site with a password policy like that. Why bother?

Some other sites with really bad password policies are…

  1. American Express — minimum 6, maximum 8 characters (case insensitive, no special characters)
  2. Microsoft’s Live.com — minimum 6, maximum 16 characters
  3. Mint.com — minimum 6, maximum 16 characters
  4. LinkedIn — minimum 6, maximum 16 characters
  5. PayPal — minimum 8, maximum 20 characters
  6. Yahoo — minimum 6, maximum 32 characters
  7. Apple / .Mac — minimum 6, maximum 32 characters
  8. Bank of America — minimum 6, maximum 32 characters

32 characters might sound okay, maybe, if the site weren’t dealing with sensitive information, which dotMac and Bank of America are. I am really disappointed with dotMac’s password policy, especially since I back up important files using iDisk, including my Mac’s Keychain, Address Book, and various documents. It just seems almost irresponsible to cap passwords at anything less than 32 characters for a service like that. But Plaxo, by far, has the worst password policy.

Ya ya, the average person isn’t going to have a humongous password, but that’s not the point. The point is that there are some sites that unreasonably limit your password options. You should be able to choose a password as long as you want. Why should people be forced to make their passwords a ridiculously short length? Just why?

Why don’t they just let the user decide?

On the other hand, there are a few sensible websites that actually give you a choice. Here are some sites that allow really long/strong passwords…

  1. Google / Gmail — minimum 8, maximum 100+ characters
  2. Facebook — minimum 6, maximum 100+ characters
  3. Meebo — minimum 6, maximum 100+ characters
  4. Geni.com — maximum 100+ characters
  5. claimID.com — maximum 100+ characters
  6. tumblr.com — maximum 100+ characters

So, how the hell would you go about remembering a really long password? Well, there are a number of solutions out there that are quite simple, and very effective at both generating and storing such passwords.

The first, which is only available for Macs, is called 1Password, and it is a password manager. Provided that you have $30 to shell out for this rather impressive piece of software, it is quite possibly the best solution available, and the most useful in everyday situations. 1Password integrates nicely with your web browser, iPhone, Palm device, and dotMac. Also, for a limited time, it’s free. Too bad they don’t make a PC version.

The second is a password manager called KeePass. Unlike 1Password, KeePass is available on multiple platforms, including Windows, Mac, Linux, BlackBerry, Palm, Pocket PC, and Symbian. Also unlike 1Password is the price: $0. It’s open source. KeePass is an excellent option if you don’t have a Mac or don’t want to spend anything on software.

The third: just use the built-in password manager in your web browser, e.g. Firefox. If you use Firefox and store passwords in it, you might want to set a master password, because Firefox doesn’t encrypt your stored passwords unless you have set one.

A master password is just a single password that you type in to access all of your stored passwords. The convenience is that you only need one password to access everything, but that convenience can also become a security risk if you don’t use a strong master password. There are solutions for that as well, such as using a USB security key (like the SecuriKey), a USB dongle, a fingerprint reader, or a security token. I’ll get to security tokens and multi-factor authentication later on.

The fourth solution is PassPack, an online password manager. PassPack requires more than just a password to log in. First you enter your username and password, then you verify that you are a human using a CAPTCHA-like system, and finally you enter your Packing Key to view and manage your password entries. PassPack is more or less secure, once again depending on the strength of your password(s).

The fifth solution is better suited for logging into various online accounts: OpenID. OpenID is a “decentralized single sign-on system”, meaning that instead of registering with a website using a traditional username and password, you register using your OpenID credentials. These are provided by services such as myOpenID, ClaimID, myID.net, and VeriSign’s PIP. You then use a single master-style password to sign into supported sites without repeated registrations.

OpenID is not perfect. Because one password is used for multiple sites, it is vulnerable to risks such as phishing. Attackers could redirect users to fake OpenID providers to capture credentials. Some providers mitigate this with multi-factor authentication, such as security tokens. However, few OpenID providers offer this level of protection, with VeriSign’s PIP being a notable exception.

VeriSign PIP allows the use of a Unified Authentication Token, including secure storage tokens, USB tokens, or one-time password (OTP) tokens. Notably, you can use the PayPal Security Key with VeriSign’s PIP OpenID service. This OTP device generates time- or event-based codes that must be entered during login.

The use of second-factor authentication tools and password managers not only makes long passwords practical, but can also eliminate the need to ever manually remember or type them.

No matter what solution you use, the bottom line is this: there should never be a reason to use a really crappy password for a really important website. There are enough technologies available to manage nearly any security situation. The hard part is getting enough people, companies, services, and websites to actually adopt and use them.