-1

I am aware of a bank (redacted for obvious reasons) that has the following password policy.

  1. Only English alphanumeric characters
  2. Min of 8, max of 14 characters
  3. No special characters (ex. !@#$%^&* are all forbidden)
  4. Passwords must be changed every year
  5. Account lockout after 4 bad attempts

What are the specific problems with this policy and how would a would-be bad-actor theoretically attack such a target?

I already sent them a comment arguing that their policy is terrible, especially the 14 char limit (if they use bCrypt they can use up to 72 bytes, IIRC) and the fact that they only allow English alphanumerics instead of any ASCII/Unicode char, hoping they will change their policy to embrace more standard rules.

schroeder
  • 129,372
  • 55
  • 299
  • 340
I Stand With Israel
  • 99
  • 3
  • 1
    You can find existing answers to each of your points on this website. – A. Hersean Jul 21 '21 at 09:48
  • The changing password requirement seems to me the least problematic of the policies mentioned. – I Stand With Israel Jul 21 '21 at 10:37
  • 1
    It's not even that bad, many banks are way worse (take a look at some of the questions in the related list). You can get ~83 bits of entropy with a random alphanumeric 14 char password. However 14 chars precludes passphrases. – nobody Jul 21 '21 at 11:39
  • https://security.stackexchange.com/questions/33470/what-technical-reasons-are-there-to-have-low-maximum-password-lengths and https://security.stackexchange.com/questions/17192/why-disallow-special-characters-in-a-password and https://security.stackexchange.com/questions/197844/account-lockout-to-protect-from-brute-force-doesnt-it-open-up-vulnerabilities – schroeder Jul 21 '21 at 20:07
  • Short answer: reducing the number and type of characters used makes it easier to brute force passwords. Locking out accounts makes it possible for an attacker to lock out legitimate users from their bank accounts. – schroeder Jul 21 '21 at 20:10
  • Maybe you should add: 6) No 2FA in addition to password, at least you are not mentioning 2FA, which could alleviate some weaknesses in the bank's policies.

    The security implications are that if your password is compromised, there seems to be no additional hurdles in place, which would make the job difficult for a thief.

    Regarding 5) Account lockout after 4 bad attempts: if they just block the IP address instead of the account itself it's not that bad unless the IP ban is permanent.

     – Kate Jul 21 '21 at 20:10
  • Yup. No 2FA. Just an account lockout based on bad attempts – I Stand With Israel Jul 26 '21 at 07:14

1 Answers1

1

Rule 1 is typical for character set interoperability - Unicode characters may be encoded in UTF-8, Latin-1, or any other unspecified encoding.

The minimum value for rule 2 is obviously for providing minimum password strength, whereas the maximum is to ensure server processing speed (OWASP recommends 64 as a maximum, specific applications may have additional limits due to historical reasons).

Rule 3 is unwarranted. My wild guess would be that their server is still using string concatenation for constructing database queries, or that their mobile app has special keyboard that just doesn't support special characters.

Rule 4 is close to reasonable, but not fully.

A reasonable person would deem rule 5 necessary with the maximum 14 character limit.

DannyNiu
  • 374
  • 2
  • 16