
BPI, BDO, are you storing my password?

BPI, BDO, are you storing my password? was originally published in Tech+Life+Music.

It’s really careless programmer-slash-security things like this that piss me off. Have a look at the Bank of the Philippine Islands’ (BPI) personal internet banking login screen:

For some reason, the login screen to BPI’s internet banking feature limits passwords to only 12 characters

Although it’s not as restrictive as the one on BPI’s website, here’s the equivalent login service provided on Banco de Oro’s (BDO) website:

Similarly, BDO limits passwords to only 20 characters. That doesn’t sound as bad as BPI’s, but let me make my point.

I can think of absolutely no use case where, as a software architect, programmer, what-have-you, I would want to limit the number or kind of characters a user can use in a password. It’s an absolute no-no. It’s a Bad Thing™. It’s what your mother was warning you not to do when you were a kid, right after those sermons against playing with fire and sharp objects.

But, limiting characters saves database space!

Point well taken, and honestly, that would make a lot of sense provided that we weren’t talking about passwords.

If this were any other kind of field (like a username or an address input), limiting the characters a user can input may not just be helpful: it may well be essential. By controlling the amount of data anyone can save into a field, we control how quickly the underlying database grows (because databases take up expensive hard drive space too, you know).

Passwords are an exception though. To start off, websites (or anyone for that matter) should not be storing your password in plain text.

Why?

If someone else knew your password, they could use it to log in as you, and do things on your behalf, such as transfer money to their own bank account, or post demeaning Facebook status messages.

Same thing here. If a website service stores your password in plain text, someone can come in and read that from a database, and use it to log into websites with malicious intent. Especially if you use the same password across different sites.

Who can do that? I don’t know. Maybe a playful programmer who has access to the database. Maybe a hacker who gains entry on your bank’s database. Maybe a disgruntled employee who wants to stick it to the man. Take your pick. It’s happened before.

It’s simple. No one but you should know your password. Not even the websites you use your passwords on. Ever wonder why (most) websites allow you to reset your password, but they don’t (can’t) give you your password when you forget it? Well, this is why.

But then, you’d ask: if websites don’t know my password, how do they know that I’m using the right password for my account then? Again, simple. They use what’s called a hash.

The thing is, websites can “hash” any piece of text, and the result is a string of (ideally) fixed length that looks random and is hard to remember. Here are a few examples using SHA256 hashes:

// "password"
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

// "passworD"
9e78de733c6a51c0cc954c1d956d8929ad1310513e1042d81edc375219c6a2ef

// "1234"
03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4

// "a"
ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb

This is what websites (should) use to check whether your password is correct. The site stores the hash of your password in its database, so whenever you try to log in (and provide a password), it hashes what you typed and compares the resulting hash to the hash it has in its database.

The thing with hashes is that no matter how many times you hash the same string, you always get the same result. Hashing text is easy, but doing it the other way around is near impossible (that is, restoring a hash to its original plain text). It’s a form of one-way encryption, in a sense.

Why does that matter then? Well, one of the unique things about a hash is that no matter how long the original piece of text is, it always always always results in a hash of constant length (for example, the SHA256 hashes above are always 64 characters long).

So if you’re storing that in a database, you know that you’re always storing text that is 64 characters long no matter what the password is. What’s the sense of limiting my password to 12 characters then?
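The store-and-compare check described above, as an added example that is not part of the original post. It reproduces the post’s SHA256 demo, then shows what a login system should actually store: not a bare SHA256, but a salted, deliberately slow hash (PBKDF2-HMAC-SHA256 here). The record format and the function names are this example’s own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the post. Demonstrates that what a site stores
# has a fixed size regardless of password length, and how a login check
# compares hashes rather than passwords.


def sha256_hex(text: str) -> str:
    """Plain SHA-256 of the text, hex-encoded: always 64 characters long."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> str:
    """Build the string a site would store instead of the password itself.

    A random per-user salt means two users with the same password get
    different records, and a high iteration count slows down guessing.
    Record layout (our own convention): algo$iterations$salt_hex$digest_hex
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-hash the supplied password with the stored salt and compare digests."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison: a plain == could leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    # The post's own sample inputs plus a 19-character passphrase.
    for text in ("password", "passworD", "1234", "a", "pleasedontmilkmycow"):
        print(f"{text!r:24} -> {sha256_hex(text)}")
    rec = make_record("pleasedontmilkmycow")
    print(len(rec), verify("pleasedontmilkmycow", rec), verify("pleasedontmilkmycoW", rec))
```

The stored record is the same size whether the password is 1 character or 40, which is exactly why a length cap on the password buys the database nothing.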

More importantly, what does that tell me?

Either BPI and BDO are unnecessarily making their users use passwords that are significantly less secure than possible, or they’re storing your passwords in plain text. I just hope it’s not the latter.

But 12 characters in a password is more than enough.

Again, point well taken. If you use numbers, lowercase and uppercase letters, and symbols in your password, a 12-character password will take a hacker years to break (only hours or even minutes if you only use letters!).

But then again, passwords like that look like *HU9J67+0G3% and are generally hard to remember. This is exactly the reason why there has been debate about the usability of the passwords we use everyday.

The point being made here is that, while using different kinds of characters in your password makes it more secure, so does just making it longer. Longer passwords with less kinds of characters can just be as secure as short, cryptic ones, with the added benefit of being easier to remember.

Passwords, to make a long discussion short, are hard to remember. Passphrases (like pleasedontmilkmycow), on the other hand, are more efficient on both the security and the human usability fronts. But to make use of them, I need more than just 12 characters. It’s a somewhat touchy topic, but hey, you’ve got to at least agree on the usability part.
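Putting rough numbers on the length-versus-character-set argument above, as an added illustration that is not part of the original post. If each of $n$ characters is chosen uniformly from an alphabet of size $N$, the password space has $N^n$ possibilities, or $H = n \log_2 N$ bits:

$$
\begin{aligned}
\text{12 chars, letters/digits/symbols } (N = 95):\quad & 12 \log_2 95 \approx 12 \times 6.57 \approx 78.8 \text{ bits} \\
\text{12 chars, lowercase only } (N = 26):\quad & 12 \log_2 26 \approx 12 \times 4.70 \approx 56.4 \text{ bits} \\
\text{19 chars, lowercase only } (N = 26):\quad & 19 \log_2 26 \approx 19 \times 4.70 \approx 89.3 \text{ bits}
\end{aligned}
$$

So a 19-character lowercase string (the length of pleasedontmilkmycow) has a larger search space than a 12-character string drawn from the full keyboard. A phrase built from dictionary words has less entropy than uniformly random letters, so these figures are upper bounds; the point is that the exponent $n$ is what a 12-character cap takes away.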

Please don’t store my password.

Let me just take this opportunity to say it again: there’s absolutely no justification as to why you’d want to limit your users’ password length. As far as I’m concerned, if you limit the length of my password, I know you’re storing my password. And that, my friend, is a big no-no.



This post first appeared on Tech+Life+Music By Richard Neil Ilagan, please read the original post: here
