The site does not allow the following characters: = ? < > ( ) ' " / \ &

It also limits maximum password length to 20 characters.

This makes me suspicious that they might be being stored in plain text and inputs aren't being sanitized properly. Is there any other reason for this type of restriction?

I don't think this is a duplicate of Why Disallow Special Characters In a Password? because this is a rather new website that doesn't (to my knowledge) need to integrate with any old financial systems.

    Although the accepted answer deals with legacy systems, the other answers are applicable and they, too, answer your question. – schroeder Sep 25 '15 at 03:33
  • Those mostly seem to be about prohibiting non-ASCII characters, though, which isn't the case here. – user505255 Sep 25 '15 at 22:38
  • Because they don't care enough about security to do it right. This screams to software developers "I store passwords in plaintext." – Joshua Feb 07 '20 at 02:59

1 Answer

Assuming they're storing their passwords hashed, a reasonable justification for restricting the sort of content that the password field is allowed to contain is simple input sanitization.

There are likely a set of rules that get applied everywhere unless the developer makes a special exception; that way the programmer doesn't have to remember to "turn the safety checks on" for a given component; everything is sanitized except where you have a justification for doing otherwise.

The characters that are getting filtered out are frequently associated with injection attacks of various stripes, and there's no reason why you need to allow those characters in passwords; with no justification for disabling the security checks, the default policy applies.

Why 20 characters? It was probably the default in some component library.

  • This seems plausible, and in the absence of any other explanation I'll accept it. It still seems reasonable to treat passwords as a special case of input to me, though. – user505255 Sep 25 '15 at 22:41
  • "there's no reason why you need to allow those characters in passwords" Sure there is. Increasing the keyspace and allowing the end user to choose whatever password is easiest for them to remember and hardest to guess. Which additionally makes it less likely they'll need to write down the password to remember it. – Parthian Shot Sep 28 '15 at 16:03
  • @ParthianShot The difference isn't significant enough to make any difference in terms of practical attacks. – tylerl Sep 28 '15 at 22:57
  • @tylerl Do you have data on that? Because I know from personal experience that limiting the characters I can use in passphrases leads me to use less secure passphrases. – Parthian Shot Sep 29 '15 at 19:13