Password Security

3

I've been using generated passwords for a while now. I generate a salt, then some input information, and generate something in return. On a large banking website, I used such a password schema and recently noticed I was unable to log in. Apparently they truncated the length of passwords from 32 characters to 31 and now 30 characters.

My question is, if they truncated the passwords, the only way it would be possible for them to truncate your password properly is if they did not run it through a one-way hash algorithm to securely store the password. Meaning, they're either storing the password in plain text, or using a weak schema to encode the password.

I'm considering dropping my account with them for obvious security reasons and general negligence to obvious security practices.

Am I incorrect in my assumptions? I am not a math nor a computer science major.

Walter

Walter White

Posted 2010-02-11T13:37:49.807


Answers

3

Were you able to log in simply by taking a character off your password, or did you have to change it?

If the answer is yes, I think it is most likely that they are storing it as plain text or with weak encryption.

If the answer is no, they simply changed the policy - yours no longer matches and it didn't work any more...

However, especially if you have different passwords for different sites, I wouldn't bother changing just because of this - if they ever got hacked or similar, they wouldn't hold it against you... However, it sounds like you are very cautious with security, so changing may be the only way to make you feel safe!

William Hilsum

Posted 2010-02-11T13:37:49.807

Reputation: 111 572

Yes, I got in simply by removing 2 characters. – None – 2010-02-11T14:06:23.600

Yes, this is just one instance of bad practices. If I noticed this, what else am I not privy to that they're doing? I wasn't even looking for this, I just noticed it when I couldn't log in. Chances are, if they do something like this, they're doing other bad things as well. – None – 2010-02-11T14:07:56.030

Also, if they are really practicing bad security, sometimes the only way they will get the message is when customers talk with their feet (so to say) and go elsewhere explaining why. – Dan McGrath – 2010-02-11T21:27:52.740

3

They might not have truncated your password in the database; it might be a pre-submit check on the length of the string before it gets checked.

However, if you were able to get in by typing the first 31 (or 30) characters then it would have to have been stored in clear text.

ChrisF

Posted 2010-02-11T13:37:49.807

Reputation: 39 650

If they truncate before they are hashing, then you'd see the same result. You can't really tell from the outside. This might also be a mismatch between the max-length attributes of the entry field for registering/changing password and logging in. – Joey – 2010-02-11T13:47:27.997

@Johannes - I would have thought that different length strings (even if the shorter was a substring of the longer) would have produced a different hash. You learn something new everyday. – ChrisF – 2010-02-11T14:00:34.967

I agree this is possibly a function of the hashing they are using, just like old LM hashes being generated after turning everything upper case, which meant that paSSwD and PassWd generated the same hash. From outside, as Johannes says, it is not possible to easily test whether this is dropped by the form or by the algorithm. – AdamV – 2010-02-11T14:57:55.207

Of course they produce a different hash, but if the string was submitted completely but truncated before hashing then you have a truncated password. This doesn't necessarily mean that they are stored in plain text. – Joey – 2010-02-11T22:19:15.553
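Joey's point above, that a site which cuts the password to 30 characters before hashing behaves exactly like one storing it in clear text when you log in with the prefix, as an added example that is not from any poster in this thread. PBKDF2 stands in for whatever the bank actually uses, and the 30-character limit and the 32-character sample password are constructed to match the question.

```python
import hashlib
import hmac
import os

# Constructed limit, matching the 30 characters mentioned in the question.
MAX_LEN = 30

def truncating_hash(password: str, salt: bytes) -> bytes:
    # Weak: everything past MAX_LEN is dropped before hashing, so the stored
    # hash cannot tell the full password apart from its 30-character prefix.
    cut = password[:MAX_LEN].encode()
    return hashlib.pbkdf2_hmac("sha256", cut, salt, 50_000)

def full_hash(password: str, salt: bytes) -> bytes:
    # Hashes the entire password; nothing is silently discarded.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

def verify(stored: bytes, salt: bytes, candidate: str, hasher) -> bool:
    # Constant-time comparison of the stored hash against a fresh one.
    return hmac.compare_digest(stored, hasher(candidate, salt))

def prefix_logs_in(hasher, password: str, drop: int) -> bool:
    """Enrol `password`, then try to log in with its last `drop` chars removed."""
    salt = os.urandom(16)
    stored = hasher(password, salt)
    return verify(stored, salt, password[:-drop], hasher)

def length_ok(password: str) -> bool:
    # Rejecting over-long input explicitly is the honest alternative to
    # truncating it silently; the user then sees the limit instead of a
    # password that quietly shrinks.
    return len(password) <= MAX_LEN

if __name__ == "__main__":
    pw = "Mc6qgGbGwj6hzq1GFk3iVJ8qR9v3Lrbd"  # constructed 32-char generated password
    print("truncating site accepts 30-char prefix:", prefix_logs_in(truncating_hash, pw, 2))  # True
    print("full-hash site accepts 30-char prefix:", prefix_logs_in(full_hash, pw, 2))  # False
    print("32-char password passes the stated limit:", length_ok(pw))  # False
```

Both variants store only a salted hash, which is why, as the comments say, the login behaviour alone cannot tell you whether the password is kept in clear text.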

2

If it is a large U.S. bank, I can almost guarantee that it is "securely" stored as there are laws and regs for banks... However that doesn't really mean much.

The easiest way to know if a site is storing a password in clear text or not is their password recovery/reset. If a site can send your password back to you, it is being stored either in clear text or is not using a one-way hash. If they make you reset your password or reset it with a temp password, it is more than likely using a hash.

As said above, it is VERY possible the text box truncated the string to 30 chars, or the hash algorithm truncated it BEFORE it was hashed. Sometimes developers do stupid things like make password fields only 30 chars because who would ever have a password longer than that? =P

SIDE NOTE: If you feel your bank is unsecured or untrustworthy, then switch to a bank that you feel comfortable with. I suggest this because you will probably not ever find out the answer to this.

Tony

Posted 2010-02-11T13:37:49.807

Reputation: 1 156