Passwords and You: Partners in Freedom

2014-03-25 1:06 PM

Today I decided to delete my account at PayPal. I'd been meaning to for a while, but they sent me a marketing email which reminded me to finally carry it out.

First this meant resetting my password because I forgot what it was, since the last time I used it was...who knows.

paypal<em>password</em>3.png

They are Keeping me safer, so this should be easy.

Like any nerdy, security-minded person, I use a password manager so that I don't know the passwords to any sites I sign up for. KeePass is my facilitator of choice here - it's awesome and helps a ton. If you're not using it, you should.

Anyhow, I had KeePass create me a new, strong, secure password and I pasted it into the box.

paypal<em>password</em>0.png

Whoops. They won't let me copy/paste it.

wat.

Okay, sure, this is par for the course for bad security on the internet. Fine, I'll just use correct horse battery staple.

paypal<em>password</em>1.png

Oh. Yeah, we wouldn't want my password being too long now would we? Okay, shorter sentence:

paypal<em>password</em>2.5.png

Surely this one will work

paypal<em>password</em>2.png

rage

Review

Let's count the security missteps here:

  1. Disallow password pasting. Don't do this. Ever. All you're doing is foiling people who use good password management systems.
  2. Maximum password length. Why would this even be a problem, ever? Your passwords are hashed well, right? Since there's no way you have a PASSWORD NVARCHAR(20) field in your database, it makes no sense to have a maximum password length. The only thing you're doing here is restricting entropy and reinforcing bad password practices.
  3. Disallow spaces. In what universe does this make sense? Presumably this is in place to stop people from just typing a sentence in, but (a) the small maximum password length precludes that and (b) that actually makes for a pretty good password.

If you make websites, please do not do any of these things. It's like a master course in security anti-patterns.