
Damn, PayPal updated their password reset UI in the last week, but you can still only enter 20 characters for a site that holds cold hard (electronic) cash. Really guys? If you're really hashing them, why does the length matter? The DB column width doesn't need to change. Want us to submit a patch?

P.S. I wonder if they were expecting a lot of resets, hence the redesign rollout?



You think that's bad? Charles Schwab Bank only allows you 8 characters for the password. No special characters either.


You'd think regulations would prohibit nonsense like that.


Have the same issue with my bank... err, credit union. You can't use any special character in the password.

Who comes up with these damn ideas when you are dealing with people's money and information?


AMEX also has surprisingly restrictive passwords.

Is the security surrounding password resets so bad that it's more secure to force easier-to-remember passwords?


So does Discover. When I wouldn't take "just because" for an answer, IIRC the explanation was that it resulted in fewer password reset requests, so I believe your take is correct.


It's more likely to be cheaper: fewer support calls/emails.


The 2 banks I have to deal with online both require 5 characters. Fwiw, they at least lock your account after 3 wrong entries.


I still get mail from Bank Of America -- where I no longer have an account because their fraud department decided to stop paying my mortgage -- about someone trying to log into my account. About once a week. I could spam filter it but it reminds me not to go back.


In mid-February I created a gmail account and only used it to subscribe to Paypal (didn't touch Ebay). The Paypal account is associated with a NY home address.

On March 15th I received at that email address a "New York Lotto" phishing email. That is the only spam I got so far on that email account.

So I would assume that they have at least some Paypal subscribers data, including email and home city (and maybe address).


Ebay claims that 20 characters is the max, but it's a lie - mine is 29.

Likewise, Newegg claims that you have to have special characters, but my password has none.

I'd suggest trying the password you want and seeing if it gets rejected. In a lot of cases, some programmer may have fixed the crazy password scheme and forgotten to update the page text.


Are you sure that your password is actually 29 characters? Try changing some of the last nine characters and see if it will still let you log in; they may just be dropping the last nine silently.


If I leave off or change the last few characters I can't log in. They don't truncate the password.


Amazon was doing this with passwords over 8 characters for a long time. It was inevitably fixed.


s/inevitably/finally/

Unfortunately there's nothing inevitable about this! b^)


I just changed mine to a random 32, but I suspect ebay just silently threw away the last 12. Will test ...


Nope, give them a tiny amount of credit: they're not arbitrarily restricting password length. It's just the instructions that are out-of-date (or just plain incorrect).
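To make the "change the last few characters" check from this subthread concrete, here is an added Python example (my own, not code from any commenter or from the sites named): a toy credential store that either hashes the whole password or reproduces a legacy backend that silently truncates at 8 characters, plus the tail-flipping probe you can run against your own account. `PasswordStore`, `effective_length` and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # kept modest so the probe below runs quickly


def _digest(password: str, salt: bytes, max_len) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. When max_len is set, the password is cut
    before hashing, mimicking a legacy backend that truncates silently."""
    usable = password if max_len is None else password[:max_len]
    return hashlib.pbkdf2_hmac("sha256", usable.encode("utf-8"), salt, ITERATIONS)


class PasswordStore:
    """Toy credential store (hypothetical, constructed for this example)."""

    def __init__(self, max_len=None):
        self.max_len = max_len          # None: hash the full password
        self._users = {}                # user -> (salt, digest)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _digest(password, salt, self.max_len))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, _digest(password, salt, self.max_len))

    def stored_width(self, user: str) -> int:
        """Bytes the hash occupies: constant no matter how long the password,
        so a longer limit never needs a wider DB column."""
        return len(self._users[user][1])


def effective_length(store: PasswordStore, user: str, password: str) -> int:
    """The probe from the thread: flip one trailing character at a time and
    retry login. The first position from the end whose change is rejected
    tells you how many leading characters the backend really checks."""
    assert store.login(user, password), "baseline login must succeed"
    for i in range(len(password) - 1, -1, -1):
        other = "x" if password[i] != "x" else "y"
        flipped = password[:i] + other + password[i + 1:]
        if not store.login(user, flipped):
            return i + 1
    return 0  # every change was accepted: the password is ignored entirely
```

A result smaller than `len(password)` means the tail is being dropped before hashing, which is exactly the Amazon and Ebay behaviour debated above.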


I discovered yesterday that Microsoft (yes, Microsoft!) limits their passwords to between 8 and 16 characters. I'm not sure ANYONE really knows how to implement security even half-properly; I really wish OpenID had taken off.


This always gets me, and every time I ask I can't seem to find a direct answer why so many sites have this 20 character limit. Bank of America does as well, with the additional restriction that you can't use the following characters: $ < > & ^ ! []. BlueCross/BlueShield allows up to 30 characters, but only numbers and letters.

If passwords are being hashed, which I guess I would have to believe they are, at least in the BOA case, what's the point of restricting character counts (especially to 20), or choosing random characters to exclude?


Choosing random characters to exclude (or alternately, only permitting a subset of characters) can make the task of validating that you aren't subject to an injection attack easier.

Note that this validation may take the form of validating to someone, shall we say, less than fully competent, or it could be an actual means to protect yourself.

The additional search space from 62^N to 200^N isn't especially worth worrying about, IMO.

http://msdn.microsoft.com/en-us/library/bb355989.aspx (to cite just one way that these things come into being; someone finds that you can do input validation easily, and they do it, maybe because they're overly cautious, maybe because someone they need to convince is overly cautious, maybe some other reason) IMO, this is not an especially terrible "flaw" in a site.


Blocking random characters prevents password managers from being able to choose random passwords, though.


Two reasons spring to mind:

1. Legacy systems. The system that was built 15 years ago might have limited the field for performance or storage reasons and it was never updated. Or maybe the Palm Pilot app only supports 20 characters in a text field and nobody has the source code but there's still a dedicated bunch of 200 users who do $50,000 in sales every year and nobody wants to piss them off. Or maybe they're just afraid the monster has gotten too big and they don't know what'll break if they change anything. Better to play it conservative so you're not the person who shut a group of users out of the system.

2. Just because. True story: I was working on an internal app for a company years back and I asked my manager if there were any particular password restrictions we needed to honor, any kind of company policies or weird accessibility concerns or something [1]. So what does he do? He emails the marketing stakeholder and asks her what the password rules should be. She doesn't know anything about security, so she concocts something completely arbitrary based on stuff she's seen on other sites. 6-10 characters, at least one number & one symbol, etc. And those were the requirements I had to implement, because that's what the stakeholder wants, even though that was the answer to completely the wrong question.

> if passwords are being hashed, which i guess i would have to believe they are

I wouldn't assume that. Think about a bank where you have call center staff who know a certain customer by name because he calls every Thursday saying he can't remember which of his grandkids' names he used as a password and could you please tell him because the rent is due Monday and he needs to transfer money from savings to checking because his Social Security check is late this month. And so on. You know how old guys are with their stories. You're reading one now. The CSR doesn't want to walk him through the steps of resetting his password over the phone…again. The faster he can get him logged in, the sooner he'll go away.

"We need a way to display that guy's password to a CSR," the head of the department tells the CEO over golf, knowing if he gets the department's average call time under two minutes he gets an extra $100,000 this year. So, the edict comes down from the highest levels of the company that the passwords have to be encrypted & reversible instead of hashed.

Now, this story is completely fictitious, but I've been in similar situations where the all-important call-center & support metrics trumped security. It happens. It shouldn't, but it happens.

[1] Maybe even a legacy Palm Pilot app…



Legacy systems. There's almost certainly some ancient backend system that deals with passwords, and can't handle long passwords or certain special characters. I would not assume that bank passwords are being hashed properly.



