QUOTE(petirbuas @ Apr 23 2014, 02:03 AM)
I think the actual concern is why they need to be limited to 8 characters to begin with.
Gee, I hope they don't store my password in plaintext or a db table somewhere
But come to think of it from user facing web application perspective,
- Reduce brute-force & DoS attempts by allowing only a certain data type & size as input
But my guess would be that it's a decision by 'slightly' knowledgeable management,
- All other precedent banks do that. They seem to be OK and compliant with <xxx>, so why not?
Plaintext is not allowed by regulators. BUT they have relations with you-know-who, so anything can happen
I don't have a CIMB account to test, but brute force is generally disallowed. The account will be locked after too many failed attempts
the general perception of bank security is fairly wrong IMHO, only applies to bigger banks though
QUOTE(alexng2208 @ Apr 23 2014, 09:37 AM)
8 characters too limited
should be :
1. 64 characters
2. not more than 2 repeating
3. must contain equal number of alphabets, special alphabets, numbers, symbols, uppercase and lowercase
4. must not be a word in any language
5. must be changed every 3 days
is that good enough for you?
before answering, think of the performance issues that come with stronger encryption. safer vs slower, very delicate balance
3) dumbest suggestion
4) impossible:
a) where will you find such a dictionary for all languages?
b) if the checking is done on the browser, you will need to load the dictionary as well?
c) if not b, then you will have to send the clear password to the server --> bigger fail
5) good luck with that. customers will leave faster than you can read this
QUOTE(dkk @ Apr 24 2014, 06:46 AM)
But why only 16? Why not 200 or 1000? As long as they want. This allows people to use passphrases instead of passwords. Those are easy to remember, long and harder to crack.
"Jack ate 7 bananas on 23 April" is easier to remember than "jet%JU.3"
Nobody is going to remember the latter, and they will probably need to write it down somewhere. Sticky notes stuck on the computer screen compromise security as well.
passphrases are a good concept but have not yet caught on
again, performance issues to be considered
QUOTE(Prodigenous Zee @ Apr 24 2014, 10:32 AM)
I think some of you are missing the point here. I'm not talking about good password practices, I'm talking about whether there are any reasons for a system putting limits on users' passwords.
Thank you for your clear answer. If the passwords can be sent back to the user, it might also mean that the passwords are just encrypted, right? As long as the website stores the encryption key, then it shouldn't be a problem decrypting the password to send back to the user.
let's say that the textbox allows unlimited characters and the webpage designer is stupid enough NOT to filter characters; then it is possible to inject code to perform malicious activities
good practice for password storing is a one-way hash, i.e. you cannot retrieve the password even if you have the encryption key. if it is like you suggested, ANYONE who has the encryption key will be able to retrieve ANY password