
Chase banking has two odd restrictions on their accepted passwords.

  1. Passwords have a maximum length of 32 characters
  2. Passwords cannot contain special characters or punctuation

I am a software developer that has built auth/auth systems in the past. The restriction on special characters seems like a horrible attempt at preventing SQL Injection. The max password size sounds like a DB restriction (Maybe they are using a language that requires you create a fixed character array?)

This smells a lot like they are storing passwords in plain text. Is there another reason a cloud service would have these restrictions?

Tarynn

  • Related: https://security.stackexchange.com/questions/256395/why-does-docusign-require-that-your-password-must-not-contain-the-characters – mti2935 Dec 17 '21 at 19:43
  • Related: [Is there any security risk in not setting a maximum password length?](https://security.stackexchange.com/questions/238031/is-there-any-security-risk-in-not-setting-a-maximum-password-length). – Steffen Ullrich Dec 17 '21 at 20:22
  • sounds like they want it more idiot-proof to reduce calls about lockouts, and for the passwords to be easy to enter on mobile. – dandavis Dec 17 '21 at 21:14
  • Assuming you mean the US Chase-really-JPMC, I opened a new (card) account with them a few months ago and it accepted special chars in my password just fine; I have a vague recollection it even recommended or required them, although I didn't take notes. I didn't try over 32. – dave_thompson_085 Dec 18 '21 at 02:06

1 Answer

The question title and body ask two different questions, so I will attempt to answer both.

Should I be concerned?

No, not really. If the allowed characters are [a-zA-Z0-9], that means you have 62^33-1/(62-1) different possible passwords. This gives you a strength of 191 bits, which is more than enough to be uncrackable on modern hardware.

If your password is generated randomly and only used for this service, then even if the password is stored in cleartext, you should be relatively safe. To my knowledge, the overwhelming majority of online banking requires a second factor to authorize transactions, so without that second factor, criminals would not be able to steal funds.

Does this mean passwords are stored in plain text? Or is there another possible reason for this restriction?

Legacy code and cargo cult programming.

It is possible that earlier systems did indeed store passwords in plain text in a VARCHAR(32) field, and several components verified that the password is not longer than 32 characters. Even after the system was changed to use hashes and salts, the restriction is still in place, because most users don't pick good passwords. I am convinced at least some people have November2020 as their password, and I am convinced at least one person reading this very answer has that as their password for something.

Most people just don't care about secure passwords, or think that this is a secure password, when it's obviously not. And since most users don't care, the bank never saw a reason to change.

The second reason is a form of "We've always done it this way", called "Cargo Cult Programming". Simply put, someone did something for a valid reason, and other people copied this behavior without understanding the underlying reason for it. After a while, this was just accepted as "how we do things", without understanding the underlying reasons, which may no longer even apply.


In summary, generate a random 32 character password, store it in a password manager and you will be safe.

  • sigma(62^x for x=0 to 32) is (62^33-1) **/ (62-1)**, probably -1 for the x^0 term because I suspect empty input doesn't work, about 191 bits. – dave_thompson_085 Dec 18 '21 at 01:59
  • @dave_thompson_085 Yeah, you're right. Sorry, I was tripping hard on mushrooms when I wrote this answer and contrary to popular belief, psilocybin and cryptography don't mix well. I'll edit it when I'm on a keyboard again if I don't forget. –  Dec 18 '21 at 02:06
  • @MechMK1 thanks. I know password managers are the gold standard but I don't trust them. By definition they keep your actual passwords stored (encrypted). I used to have the keepass app on my phone but then I needed to access my account when I didn't have my phone on me so that didn't work. – Tarynn Dec 19 '21 at 20:46
  • I did the password reset every time I needed access for a while. That was really time consuming for something I signed into frequently. I eventually developed several 16-20 character passwords that don't use any dictionary words and are easy for me to remember and utilize information only I know. – Tarynn Dec 19 '21 at 20:52
  • @Tarynn I would *highly* recommend giving offline password managers a go and use some method of syncing your passwords. They're definitely way safer than any password you can think of. –  Dec 19 '21 at 23:15
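As an added worked example (not code from the original answer or its comments), here is the keyspace arithmetic that the answer and dave_thompson_085's comment are discussing, computed exactly, together with a policy check and a generator for the kind of random 32-character alphanumeric password the answer recommends. The alphabet and the 32-character cap come from the question; the minimum length of 1 is an assumption.

```python
import math
import secrets
import string

# Policy as described in the question: letters and digits only, at most
# 32 characters. MIN_LEN = 1 is an assumption (the page never states one).
ALPHABET = string.ascii_letters + string.digits   # 62 characters
MAX_LEN = 32
MIN_LEN = 1


def keyspace_size(alphabet_size=len(ALPHABET), min_len=MIN_LEN, max_len=MAX_LEN):
    """Exact number of distinct passwords of length min_len..max_len.

    This is the geometric series sum_{x=min_len}^{max_len} a^x, i.e. the
    (62^33 - 1)/(62 - 1) figure from the comment thread minus the empty
    string. Python integers keep it exact instead of a float estimate.
    """
    return sum(alphabet_size ** x for x in range(min_len, max_len + 1))


def keyspace_bits(alphabet_size=len(ALPHABET), min_len=MIN_LEN, max_len=MAX_LEN):
    """Strength of the whole policy keyspace in bits (log2 of its size).

    math.log2 accepts arbitrarily large ints, so no float overflow occurs.
    For the 62-character alphabet and lengths 1..32 this is about 190.6 bits,
    almost all of it contributed by the 32-character passwords alone.
    """
    return math.log2(keyspace_size(alphabet_size, min_len, max_len))


def is_policy_compliant(password):
    """True if the password satisfies the alphanumeric / 1..32 rule."""
    return MIN_LEN <= len(password) <= MAX_LEN and all(c in ALPHABET for c in password)


def generate_password(length=MAX_LEN):
    """Random policy-compliant password drawn with the CSPRNG in `secrets`.

    Using the maximum length the policy allows gets the most strength out of
    the restricted alphabet, which is what the answer's summary recommends.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length outside the policy's allowed range")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(f"keyspace: {keyspace_bits():.2f} bits")
    print(f"sample password: {generate_password()}")
```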