Password Limitations

scottalanmiller

@handsofqwerty said:

@MattSpeller said:

One of the banks I use limits you to 8 digits, no special characters or spaces.

It's.... so wrong.

Because they like insecure passwords?

Eight characters is the standard System V limit. A lot of systems inherited from that.

A Former User

@scottalanmiller said:

@handsofqwerty said:

@MattSpeller said:

One of the banks I use limits you to 8 digits, no special characters or spaces.

It's.... so wrong.

Because they like insecure passwords?

Eight characters is the standard System V limit. A lot of systems inherited from that.

Was.. That's been removed for a good while. They supposedly did it some people wouldn't write it down. Most banks I've been around use Jack-Henry stuff on IBM Power systems. Granted I've only done stuff for credit unions.

scottalanmiller

@thecreativeone91 said:

@scottalanmiller said:

@handsofqwerty said:

@MattSpeller said:

One of the banks I use limits you to 8 digits, no special characters or spaces.

It's.... so wrong.

Because they like insecure passwords?

Eight characters is the standard System V limit. A lot of systems inherited from that.

Was.. That's been removed for a good while. They supposedly did it some people wouldn't write it down. Most banks I've been around use Jack-Henry stuff on IBM Power systems. Granted I've only done stuff for credit unions.

It's not been long since I was in banking and there were loads of those still around. Loads. And every bank that I know had the same issues, it wasn't unique. And it takes many, many years to phase out old systems. Considering key systems were still running gear and OSes from 1996, switching soon isn't something that happens.

A Former User

@scottalanmiller said:

@thecreativeone91 said:

@scottalanmiller said:

@handsofqwerty said:

@MattSpeller said:

One of the banks I use limits you to 8 digits, no special characters or spaces.

It's.... so wrong.

Because they like insecure passwords?

Eight characters is the standard System V limit. A lot of systems inherited from that.

Was.. That's been removed for a good while. They supposedly did it some people wouldn't write it down. Most banks I've been around use Jack-Henry stuff on IBM Power systems. Granted I've only done stuff for credit unions.

It's not been long since I was in banking and there were loads of those still around. Loads. And every bank that I know had the same issues, it wasn't unique. And it takes many, many years to phase out old systems. Considering key systems were still running gear and OSes from 1996, switching soon isn't something that happens.

Yeah but that's just because they didn't update the OSes. System V was around until 2004-2006. Seems like they should move to Solaris if they want to keep in Unix systems.

scottalanmiller

@thecreativeone91 said:

@scottalanmiller said:

@thecreativeone91 said:

@scottalanmiller said:

@handsofqwerty said:

@MattSpeller said:

One of the banks I use limits you to 8 digits, no special characters or spaces.

It's.... so wrong.

Because they like insecure passwords?

Eight characters is the standard System V limit. A lot of systems inherited from that.

Was.. That's been removed for a good while. They supposedly did it some people wouldn't write it down. Most banks I've been around use Jack-Henry stuff on IBM Power systems. Granted I've only done stuff for credit unions.

It's not been long since I was in banking and there were loads of those still around. Loads. And every bank that I know had the same issues, it wasn't unique. And it takes many, many years to phase out old systems. Considering key systems were still running gear and OSes from 1996, switching soon isn't something that happens.

Yeah but that's just because they didn't update the OSes. System V was around until 2004-2006. Seems like they should move to Solaris if they want to keep in Unix systems.

Often they cannot because they run hardware that is decades old and does not support anything remotely new.

scottalanmiller

@thecreativeone91 said:

Seems like they should move to Solaris if they want to keep in Unix systems.

That's the most common culprit. Solaris 2.4 is still rampant in the banking world.

Nic

this guide should help:

MattSpeller

@Nic I was going to say there's no amount of Webroot that'll help this but then you posted a good pic and now I feel bad for teasing you.

Nic

@MattSpeller said:

@Nic I was going to say there's no amount of Webroot that'll help this but then you posted a good pic and now I feel bad for teasing you.

That's ok, I'm happy to be teased anytime

handsofqwerty

@Nic said:

@MattSpeller said:

@Nic I was going to say there's no amount of Webroot that'll help this but then you posted a good pic and now I feel bad for teasing you.

That's ok, I'm happy to be teased anytime

That could have multiple meanings...just saying...

tonyshowoff

A lot of places restrict the allowed characters because they're morons who don't understand SQL injection and think it's a way to avoid it. Ideally any character should be allowed that can be transferred over HTTP without breaking the hell out of things, which is everything which can be properly encoded.

I do trim passwords though, something old school jackasses think is bad, because after all, if there's a space at the beginning or end of a password, or a newline/return character, it must be on purpose, despite the fact that 99.9999999999% of the time it's because someone copy/pasted the password from an email or something and accidentally added on the space/\r/\n. Of course you can make the argument of never sending a password in an email (and we don't), but tell that to users who will do it all day long.

I also wrote a method to deal with "easy" passwords, things like repeating words, pattern recognition for phone numbers, birthdates, etc.