There’s a developer inside of me who thinks that there has to be a reason for this. Maybe there’s a cryptographic reason, or maybe it’s an issue with converting a specific size integer into a hash, or there’s a good reason that the database type is limited. There’s a developer inside of me who thinks “I’m a developer, so I wouldn’t make such a stupid and arbitrary decision unless there was a damn good reason, so there has to be a reason.”
But there’s this other part of me- another developer- who’s seen stupid and arbitrary decisions one too many times to really believe that there has to be a reason for a developer to make a stupid and arbitrary decision.
The last 3 times I’ve made a purchase online, I’ve been reminded of one of the most stupid and arbitrary security decisions I’ve seen in a while, because I’m presented with this screen.
Actually, I’m presented with a different screen- one asking me to use my password. The problem is that I have to go to this screen every time, because I forget the password that I used the last time. “Well, that’s stupid,” you say. “Why not do what it says and record your password?”
Because I don’t record passwords. I remember them. And I make strong passwords, 8 to 12 characters long filled with entropy (or, at least, pseudo-entropy, but the result is the same). And that is my problem with whatever dumbass programmed this system.
Why on Earth would you program a system that limits the upper end of a password’s length? And it does limit it. Eight is not a suggestion; it fails with nine characters. I mean, sure, if you can’t store 32 characters in your database record then that’s fine, limit it at 31- but eight? Seriously? Eight?
Now, basically every highly secure password that I would use or create is unusable. You have just reduced my preferred level of security to something that is less secure than I’m comfortable with- and you’ve done it in your system that is ostensibly trying to increase security. Is this not just really stupid?
What. The. Hell?
I’m mad at this, I think it’s really stupid and arbitrary and that someone should be fired for a decision that actually rejects decent security at the application level. But, I’m also not perfect. I know I have a lot to learn, and that there are many things that I don’t know. Just because I think something doesn’t make it right, and there might be a very good reason for this.
Is there? Can anyone tell me why “6 to 8” characters would be a good idea while “greater than 6 characters” would get ignored?
Anyone?
This is by no means an answer to your question – it is more a lead than anything else.
First, I suspect this is just a dumb decision. Example? On my old stock trading site (back when I actually had stock in something), they allowed only letters and numbers, and nothing else. At all. Comma? Nope. Plus symbol? Fuggaddaboudit. On a stock trade site with access to things like, oh, I don't know, money? Completely ridiculous. I understand the danger of a field that accepts things like command characters, but there are very basic routines to eliminate that risk. Very, basic.
My only other guess is the problem with encryption crossing international borders – for example, France would not allow anything stronger than 128-bit encryption on anything coming in or out of the country. Why? So they could snoop the contents easier (anti-terrorism etc.). Does that justify 8 characters? Nope. But maybe a clue?
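Both the post’s “can’t store 32 characters in your database record” guess and the comment’s letters-and-numbers-only stock site rest on the same misconception: that the password itself goes into the database. What follows is an added example, not code from the post, the commenter, or Verified by Visa. It assumes a constructed policy (minimum 12 characters, generous maximum of 128 purely to bound per-attempt hashing work) and PBKDF2-HMAC-SHA256 as the password hash; it shows that the stored record is a fixed 48 bytes whether the password is 12 or 100 characters and whether it contains commas, plus signs or quotes, and it puts numbers on what an 8-character alphanumeric cap does to the keyspace.

```python
import hashlib
import hmac
import math
import os

# Constructed policy parameters for this example (assumption, not the site's actual rules).
MIN_LENGTH = 12
MAX_LENGTH = 128            # bounds KDF work per login attempt; it is not a storage limit
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def check_policy(password: str) -> tuple:
    """Accept any string between MIN_LENGTH and MAX_LENGTH characters.

    No character class is banned: the password is only ever fed to a KDF, never
    interpolated into a query or a shell command, so commas, plus signs and
    quotes carry no injection risk here.
    """
    n = len(password)
    if n < MIN_LENGTH:
        return False, f"too short ({n} < {MIN_LENGTH})"
    if n > MAX_LENGTH:
        return False, f"too long ({n} > {MAX_LENGTH})"
    return True, "ok"


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password).

    The result is always SALT_BYTES + DIGEST_BYTES long, regardless of the
    password's length or character set, so a fixed-width column suffices.
    """
    if not salt:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=DIGEST_BYTES
    )
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=DIGEST_BYTES
    )
    return hmac.compare_digest(candidate, digest)


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on password entropy in bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample passwords: one with punctuation, one long one.
    for pw in ["x, y + z = 'ok' 12", "a" * 100, "short"]:
        ok, reason = check_policy(pw)
        if ok:
            rec = hash_password(pw)
            print(f"{len(pw):>3} chars -> {len(rec)} stored bytes, verifies={verify_password(pw, rec)}")
        else:
            print(f"{len(pw):>3} chars -> rejected: {reason}")
    print(f"8 alphanumeric chars : {keyspace_bits(8, 62):.1f} bits")
    print(f"12 printable chars   : {keyspace_bits(12, 95):.1f} bits")
```

The 128-character ceiling exists only because a KDF with a work factor must not be handed megabytes of input per login attempt; it is two orders of magnitude above the eight the post complains about, and nothing in the schema depends on it.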
[...] morning I wrote a bit of a rant about the Verified by Visa password limitations and an issue came up that has come up for me [...]