Saturday, December 3, 2016

A bad way to make passwords secure

On November 23, 2016 the Computerworld website ran a Shark Tank column, one of its software horror stories, titled Now THAT’S password security. It described what a government employee ran into when he tried to log in to another agency's system, as he had to do quarterly: it seemed he could never remember his password, because each time he tried to use it again he was told it was invalid. The cause, as the story explains, was a password-reset page that silently cut passwords down to an undisclosed maximum length.

“Eventually, fish can no longer restrain his engineering urge, and he decides to do some testing to identify the actual problem.

First he attempts a login, and as usual it fails. He goes to the password-reset page, but instead of typing his new password into the input box, he types it into a text file, then copies and pastes it. That way, he knows he'll be inputting exactly the same password every time.

Then he immediately logs out and tries to log back in by pasting in the password. And as before, the new password fails.

Fish tries several more times, and it keeps failing -- even though it's the same pasted password every time.

Clearly, it's help desk time. Fish makes the call, and after several rounds of debugging and testing, there's finally a clear answer: The passwords that fish is creating when his account is reset are all too long.

‘But instead of failing, the reset system simply chopped off the extra characters and saved the result,’ fish says. ‘So my password of ABC=12345 became ABC=12. But on the password-setting page, there was no mention of a maximum length, and no error message for a too-long password.’

And a year later, now that they're aware of the problem, there's still no error message, and no warning of a maximum password length. I guess it's more efficient to have users create a new password every time they log in than it is to tell them what a valid password is.”
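The failure fish hit is easy to reproduce in a few lines. The following is an added example, not the agency's code or anything from the Computerworld column: a reset path that silently truncates, a login path that hashes exactly what was typed, and a fixed reset path that refuses an over-long password with an explicit error. The six-character limit, the account name "fish", the in-memory store and the use of PBKDF2 as the hash are all assumptions made for the demonstration; the story gives none of those details.

```python
import hashlib
import hmac
import os

# Assumed limit for this demonstration only; the story's ABC=12345 became
# ABC=12, so six characters reproduces it. A real limit should be far
# higher (a few hundred characters) and exist only to bound hashing cost.
MAX_LEN = 6

# Constructed in-memory credential store: username -> (salt, derived key).
_store: dict[str, tuple[bytes, bytes]] = {}


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 stands in for whatever hash the real system used."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def reset_password_truncating(user: str, new_password: str) -> None:
    """The reset path from the story: silently drop the excess and report success."""
    salt = os.urandom(16)
    _store[user] = (salt, _derive(new_password[:MAX_LEN], salt))


def reset_password_checked(user: str, new_password: str) -> None:
    """Fixed reset path: the limit is enforced with an explicit error, never by chopping."""
    if len(new_password) > MAX_LEN:
        raise ValueError(f"password exceeds the maximum length of {MAX_LEN} characters")
    salt = os.urandom(16)
    _store[user] = (salt, _derive(new_password, salt))


def login(user: str, password: str) -> bool:
    """Login path: hashes exactly what the user typed, with no truncation."""
    if user not in _store:
        return False
    salt, stored = _store[user]
    return hmac.compare_digest(_derive(password, salt), stored)


def demonstrate() -> dict[str, bool]:
    """Reproduce the symptom fish saw, plus the weakness the truncation hides."""
    reset_password_truncating("fish", "ABC=12345")
    return {
        # what fish experienced: the password he just set is rejected
        "full_password_after_truncating_reset": login("fish", "ABC=12345"),
        # what the truncation actually did: only the first six characters count
        "truncated_prefix_after_truncating_reset": login("fish", "ABC=12"),
    }


if __name__ == "__main__":
    print(demonstrate())
    try:
        reset_password_checked("fish", "ABC=12345")
    except ValueError as exc:
        print("checked reset refused:", exc)
```

Two things worth noticing. First, the lockout fish saw is the lucky outcome: the reset and login paths disagreed, so the bug was at least visible. Had the login path truncated the same way, he would never have noticed, and his effective password would have been ABC=12 for as long as he used it, which is the real security cost of chopping instead of rejecting. Second, silent truncation is not unique to badly written agency portals: the bcrypt algorithm only uses the first 72 bytes of a password, so any system hashing with it needs to either reject longer input or state the limit, for exactly the reason this story illustrates. Whatever the limit is, the password-setting page should display it and return an error when it is exceeded.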

The image of an Xacto paper cutter was derived from one at Wikimedia Commons.
