A WIP list of companies who engage in bad password practices
Update (3/14/2018): Happy New Year again! It has been a while since I’ve gone through and updated passwords, but Paypal STILL has not updated their character maximum from 20 characters since before my update in July 2016, just 2 updates ago.
Update (3/2/2017): Happy New Year! Geico is not only limiting to 16 characters, but their entropy calculator is broken and not working correctly. Enjoy!
Update (7/20/2016): As much as I hate Paypal, they are looking clean nowadays. Too bad their passwords are limited to 20 characters. Oh well.
Update (3/31/2016): So, I’m in the mood for some Netflix and chill, when suddenly a wild password box appears!
50 characters is a weird number, and, while more secure than, say, 16, still suggests that Netflix is doing something improperly behind the scenes.
Update (02/13/2016): While no error message exists and thus I did not take a screenshot, coastal.com’s registration page only allows for a maximum of 16 characters in your password.
Update (11/13/2015): livejournal.com, one of the oldest services I have used on the Internet, has a better-than-most password maximum character limit of 30 characters, and some fairly reasonable requirements, but it still has a maximum character limit.
Meanwhile, Navy Federal Credit Union’s standards are incredibly poor in comparison, having a password maximum character limit of 16 characters. Jesus Christ!
Update (10/19/2015): usajobs.gov’s account password requirements…still don’t understand why the limit on number of characters, or the limited subset of allowed special characters…
Update (9/30/2015): Just confirmed that Blizzard’s Battle.net account registration / password reset has a maximum limit of 16 characters.
Update (7/21/2015): Just found out that the GRE new account registration page has a maximum limit of 16 characters.
Update (6/7/2015): Just found out that League of Legends has a maximum limit of 16 characters while signing up for an account. In addition, the password field on the signup form does not have a character limit. This is a minor point, but should be considered regarding unification of engineering processes in the design phase.
Update (5/25/2015): Found out that StumbleUpon has a maximum limit of 16 characters while signing up for an account. No warning. No informational text. Just a hard limit set in the textfield.
In the last few years, I’ve become interested in computer security and practical ways to maintain control over personal information. One of the simplest ways to do this is to use long passwords, usually composed of a passphrase that allows for a high amount of information entropy while being easy to remember. The passwords that I use are often 25+ characters…
That is, when websites allow for me to use them.
I decided late in January of this year, a few days after I was let go from my previous employer, to begin cataloging websites and companies that use bad password practices, such as having a maximum password length! I’d like to focus on maximum password lengths in particular, as this disrupts my personal ability to maintain a reasonable level of security with the services that I use regularly. Many of these companies are public-facing corporations with very large user bases. Companies that use maximum password lengths, in particular very small ones such as those I am about to list, not only open themselves up to attack, but deserve to be punished for failing to incorporate reasonable security practices in their organizations.
And now, for the list:
Comcast: Maximum length of 16 characters
Starbucks: Maximum length of 15 characters
Virgin Mobile: Maximum PIN length of 6 digits
Geico: Maximum length of 16 characters
connect.myflorida.com: uses SSN and maximum PIN length of 4 digits
H&R Block: Maximum length of 15 characters
Verified By Visa: I don’t have an image for this one, and this might be bank-specific, but the version I’ve used has a password maximum of 10 characters.
Autodesk / Autocad 360 for Android: Maximum length of 12 characters
I’d like to consider this list a work in progress, so if you have any contributions that you’d like to see documented, please let me know by any of my available media (Facebook, Twitter, Gmail, IRC, etc), preferably with a screen shot from the website as proof, and I’ll get them up here as they become available.
I think at this point, you get the picture.
We are badly in need of a world-wide revolution in many domains, and this being just one of them.
It is 2015. Why the fuck does anyone have password length maximums?