One of the early leaders in security issues with banks is password strength. A lot of readers write in about banks that do not allow users to pick long passwords. The leader so far is a bank which only allows 7 character passwords and only allows letters a-z and numbers. (update: someone just wrote in with a bank that only allows 6 (!) characters)
We probably all know that longer passwords are better, and a common tip to achieve long passwords is a passphrase vs. a short password. A passphrase requires the use of punctuation marks and spaces, which some banks don't appear to allow either.
Now it may sound obvious that web applications will not allow single quotes (') or less than / larger than symbols, in order to avoid sql injection or cross site scripting. However, this is a bit a poor solution. And remember that passwords are not supposed to be stored in the clear anyway.
Regarding storing passwords in the clear: Some users report somewhat arbitrary password requirements like 20 characters. This may actually be an indication of passwords stored in the clear. A hashed password should always result in the same length hash, no matter how long the original password. On the other hand, if the original developer picked a "char(20)" database column to store the passwords (in the clear), then the password will be limited to this size.
Couple "mitigating" notes:
A couple lines pseudo code on how I like to see passwords stored:
I will be teaching next: Defending Web Applications Security Essentials - SANS Security West 2019
Sep 24th 2007
1 decade ago