Security Tip: Actually Handle Passwords Your System Claims to Handle
I’ve been using a password safe called KeePass for several years now. It’s fantastic for keeping track of the myriad of passwords for the different systems to which I have access, as well as allowing me to use different passwords for the ever-increasing multitude of web sites requiring a login of some sort.
On top of that, it has a handy feature for generating passwords. You tell it how long you want the password to be, check off some rules determining what characters it can use (letters, numbers, braces, special characters, etc.), and then it will collect some entropy and generate a random password for you. So now I have crazy long random passwords for everything. Nice!
Except for when I don’t. You see, quite often a site will place restrictions on the passwords. They claim to require passwords of a certain complexity, but disallow certain characters that might cause problems to the implementation of the system; or often they will cap the length of the password to some arbitrary maximum. The problem is that people generally choose crappy passwords, and so the code that processes passwords rarely gets appropriately exercised - until I come along with KeePass and break their systems.
Today, I was required to change my password after creating an account for an online learning system. The system required a password minimum length of eight characters, but specified no maximum or other restrictions. So I set KeePass to generate a random 22-character password, containing all manner of crazy characters. I’m sure you can guess what happened next.
It seemed the Learning Center was trying to teach me how to use crappy passwords. So I removed all of the special characters and tried again, to no avail. Finally, I shrunk the length of the password a bit, and my new password was accepted. It is quite amusing to me how big a deal so many security executive-drones make about people using good passwords, and then fail to ever test that their system accepts passwords better than they expect. I guess mediocrity pulls us all to the same level.
Finally, a shout-out to Speakeasy. Their web-based customer service system claims to support passwords up to 128 characters in length. You can believe me when I tell you that it actually does.