Lousy password policies
  • Lousy password policies

    I've often wondered why certain web sites, particularly ones I really want to use secure passwords on, have such shitty password policies, particularly ones that limit your password to 8 characters or less or preclude the use of non-alphanumeric characters.

    Well, it appears my question has been answered!

    http://www.pcmag.com/article2/0,2817,2358985,00.asp

    Thank you for your email regarding your online password.

    I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack. We discourage the use of special characters because hacking softwares can recognize them very easily.

    The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of "most common keys pressed".

    Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked.

    Moreover, American Express is committed to protecting the privacy and security of all of our Cardmembers, both on-line and off-line. We believe that our current security measures, which include our sophisticated monitoring systems to detect unusual or fraudulent card activity, provide strong, ongoing protections for our Cardmembers.

    Rest assured, I have forwarded your comments to our webmaster for review. During this review, we may contact you if additional information is required.

    We value your membership and wish goodness and health to you and your family.
    Sincerely,
    Gaurav Sharma
    Email Servicing Team
    American Express Interactive Services
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
    [ redacted ]

  • #2
    Re: Lousy password policies

    [sarcasm]Ahhh. So, when computing permutations (order matters) P(26+26+10,8) is easier to guess than, say, P(95,16). Also, it is good to know that letters and alphabets in a string creates an algorithm. I always thought instructions or directions in a process or routine were used to create an algorithm.[/sarcasm]

    It sounds like they are claiming that keyloggers include software that identifies passwords based on the presence of non-alphanumeric characters, but if you are choosing to log in from an untrusted system to access your financial information, doesn't that mean that keyloggers are not your only worry, and that pattern searches with keyloggers can be quickly altered?

    I wonder if this is a genuine response from AmEx. It is filled with too much in the way of 'fail' to be an official response... I hope.
    Last edited by TheCotMan; February 11, 2010, 17:30.



    • #3
      Re: Lousy password policies

      That can't be a serious response from American Express.
      Network Jesus died for your SYN



      • #4
        Re: Lousy password policies

        I call bullshit. Even if that is an official response from AmEx, his response is still epic fail.
        Last edited by MissterY; February 17, 2010, 13:46. Reason: tpyo



        • #5
          Re: Lousy password policies

          Originally posted by MissterY View Post
          I call bullshit. Even if that is an official response from AmEx, his response is still epic fail.
          I received similar. My response: cancel.

          Regards,

          valkyrie
          ___________________________________________
          sapere aude



          • #6
            Re: Lousy password policies

            In Windows Server, requiring the use of special characters in a password takes checking a box, and that's it. I have to assume other OSes are as simple.

            Special characters are more likely to cause issues with the user. In the states you have $ while in the UK you have the £. From a different keyboard you may have issues logging on.

            Also if the password requires special characters that may increase the possibility of the user writing the password down somewhere. Imagine if I required a password made of 16 special characters only, and I used a leetspeak filter to eliminate 1337 741k. There needs to be a balance.

            If Amex wished to get with the program they can use an on-screen keyboard which can thwart most key capture programs.



            • #7
              Re: Lousy password policies

              Originally posted by astcell View Post
              In Windows Server, requiring the use of special characters in a password takes checking a box, and that's it. I have to assume other OSes are as simple.

              Special characters are more likely to cause issues with the user. In the states you have $ while in the UK you have the £. From a different keyboard you may have issues logging on.

              Also if the password requires special characters that may increase the possibility of the user writing the password down somewhere. Imagine if I required a password made of 16 special characters only, and I used a leetspeak filter to eliminate 1337 741k. There needs to be a balance.

              If Amex wished to get with the program they can use an on-screen keyboard which can thwart most key capture programs.
              Excuse me? I suspect wrong answer. I can snag your creds just as easily with an on-screen keyboard. It is all going into the pipe. I can MITM you. It doesn't matter. Am I missing something here?

              Regards

              valkyrie
              _____________________________________
              sapere aude



              • #8
                Re: Lousy password policies

                No, you are correct. The advantage of a keyboard sniffer like a KeyCatcher is that it is cheap, easy to use, and easy to install. Anyone can be a spy. Sniffing off of hubs and via software requires a tad more prowess.

                Since I am here via https you may get my password if you have physical machine access or sit at the other end on the defcon.org server itself. Between us the odds rise quite a bit.

                DFAS recently required all new logons and passwords, and you can only set it up with your CAC card. You get a keyscrambled onscreen keyboard. You can always run screen captures on me or look over my shoulder too. Even 128 bit is not impervious, it's just time consuming.



                • #9
                  Re: Lousy password policies

                  Passwords are an interesting thing to have to sit down and re-think how you want to set them up.

                  I'm not very surprised by this response, but I did expect better from amex. This sort of reply is common with business and IT cooperating together to come up with a "tell them this is computers/blackmagic works" statement that the helpdesk gets to paste as a reply. We're probably seeing weak passwords here because some VP at Amex decided a pool of 62^8 is large enough, and all those special characters are just going to end in a lot of support requests.

                  If I'm targeting Acme for passwords, I'd take a look at this and figure out they have a rather shallow pool to get into for cracking the passwords. I believe there are already websites (passcracking?) that offer rainbow tables for /[a-z0-9]{1,8}/i.

                  We should start a thread on all the nuisances that we find in websites. One of mine is the login form asking your browser for the http-redirect header because it's now "even more secure, and can't be bypassed." Or HTTP GET/POST-ing of credentials without proper salting. Things like that.

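The keyspace comparison that #2 (P(62,8) vs P(95,16)) and #9 (a pool of 62^8) are arguing about, worked through as an added example. This is editor-supplied code, not anything from the thread or from American Express; the character classes, the 1e10 guesses/second rate and the policy names are assumptions chosen for illustration. Note that passwords are drawn with repetition, so the size of an 8-character alphanumeric space is 62**8, not a permutation count, and that a site which also folds case (a common hidden weakening) shrinks the pool further to 36**8.

```python
import math
import string

# Character classes as a US-keyboard web form would see them (assumed).
LOWER = string.ascii_lowercase            # 26
UPPER = string.ascii_uppercase            # 26
DIGITS = string.digits                    # 10
SPECIAL = string.punctuation + " "        # 32 symbols plus space = 33
PRINTABLE = LOWER + UPPER + DIGITS + SPECIAL   # 95 printable ASCII characters


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords of length min_len..max_len over an alphabet.

    Characters may repeat, so an exact-length-8 alphanumeric policy gives
    62**8 candidates, not the falling-factorial P(62, 8).
    """
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(space: int) -> float:
    """Bits of entropy for a password chosen uniformly from `space` candidates."""
    return math.log2(space)


def crack_seconds(space: int, guesses_per_second: float, fraction: float = 0.5) -> float:
    """Expected time to hit a uniformly random password after searching
    `fraction` of the space (0.5 = average case for an exhaustive search)."""
    return space * fraction / guesses_per_second


def allowed_by_policy(password: str, alphabet: str, max_len: int) -> bool:
    """True if the password fits a policy of the quoted kind: only characters
    from `alphabet`, and no longer than `max_len`."""
    return len(password) <= max_len and all(c in alphabet for c in password)


# Assumed policies, named for discussion only.
POLICIES = {
    # the policy as quoted in the thread: letters and digits, at most 8 characters
    "alnum, 1-8": (len(LOWER + UPPER + DIGITS), 1, 8),
    # the same policy if the site also folds case before comparing
    "case-insensitive alnum, 1-8": (len(LOWER + DIGITS), 1, 8),
    # the counter-example from post #2: full printable ASCII, exactly 16 characters
    "printable ASCII, 16": (len(PRINTABLE), 16, 16),
}


def compare(guesses_per_second: float = 1e10) -> dict:
    """Return {policy: (keyspace, bits, expected crack seconds)} for each policy.

    1e10 guesses/second is an assumed offline rate against a fast unsalted hash;
    it is not a measurement of any real system.
    """
    rows = {}
    for name, (k, lo, hi) in POLICIES.items():
        space = keyspace(k, lo, hi)
        rows[name] = (space, entropy_bits(space), crack_seconds(space, guesses_per_second))
    return rows


if __name__ == "__main__":
    for name, (space, bits, secs) in compare().items():
        print(f"{name:30s} {bits:7.1f} bits  ~{secs / 86400:12.3g} days at 1e10/s")
    # A password the quoted policy forbids, but that is vastly stronger:
    print(allowed_by_policy("Tr0ub4dor&3!", LOWER + UPPER + DIGITS, 8))   # False
```

Running it shows the 8-character alphanumeric pool at roughly 47.6 bits (about three hours at the assumed rate, and a few minutes if case is folded), against about 105 bits for 16 printable-ASCII characters, which is the gap #2's sarcasm and #9's "shallow pool" are pointing at. Offline rates against a slow, salted password hash would be orders of magnitude lower, which is the defender's real lever and exactly what a length cap removes.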
