What's wrong with Password Policies
Anoop pointed us to the new password policy that India’s National Stock Exchange (NSE) insists trading websites follow. According to ICICIDirect, one of the sites affected, the password policy requires:
- You will have to change your password compulsorily every 14 calendar days.
- On login after the 14th day from your previous change of password, you will be taken to the “Change Password” screen.
- The New password cannot be the same as the immediate previous password.
- The password cannot be the same as your User ID.
- The password will have to be alphanumeric, and preferably with one special character.
- Special characters that can be used are ! @ # $ % ^ & ( ).
- Your password must have minimum 8 characters and not more than 12 characters.
- If you enter an erroneous password on three consecutive occasions, your account will get locked.
It’s not just the obvious flaws in this policy that irk me. The focus on the password policy seems misguided.
First, the flaws…
- 14 days is too frequent to insist on a password change. Discomfited users will figure out workarounds, and those workarounds are quite likely going to be insecure. [A sticky on the desktop with the latest password?]
- Insisting on a password history of just “immediately previous password”. That already suggests a workaround. A user could just swap between two favourite passwords every fortnight. And no one’s safer.
- Account lockout in 3 failed attempts - an adversary could lock out users en masse by guessing “wrong passwords” with an automated tool.
- A max length limit of 12 characters. Length matters more than complexity, why put an upper limit to length?
- The policy denies spaces (“blank spaces”). But longer passwords are easiest to create with spaces. Though the jury is out on the benefits of passwords vs passphrases, there’s no real reason to deny users the chance to use “spaces” in their passwords.
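To make the flaws concrete, here is an added example (my code, not anything published by NSE or ICICIDirect) that encodes the quoted policy as a checker and puts a revised checker beside it with the problems above removed. The thresholds (8 to 12 characters, no spaces, a history of one) come from the post; reading "alphanumeric" as "at least one letter and one digit", the user ID `anoop`, and the sample passwords are my assumptions. The simulation at the end plays out the fortnightly two-password swap against both checkers.

```python
import re
import string
from typing import Callable, List, Tuple

# Permitted special characters, exactly as the quoted policy lists them.
NSE_SPECIALS = set("!@#$%^&()")
NSE_ALLOWED = set(string.ascii_letters + string.digits) | NSE_SPECIALS


def nse_policy_check(password: str, user_id: str, history: List[str]) -> List[str]:
    """Violations of the quoted NSE policy; an empty list means 'accepted'.
    Thresholds (8..12 characters, no spaces, history of one) come from the post.
    'Alphanumeric' is read here as 'at least one letter and one digit'; that
    reading is an assumption, the post does not say how it is enforced."""
    problems = []
    if not 8 <= len(password) <= 12:
        problems.append("length must be 8-12 characters")
    if " " in password:
        problems.append("spaces are not allowed")
    elif not set(password) <= NSE_ALLOWED:
        problems.append("contains a character outside the permitted set")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        problems.append("must contain both letters and digits")
    if password.lower() == user_id.lower():
        problems.append("must not equal the user ID")
    if history and password == history[-1]:  # only the immediately previous one is checked
        problems.append("must not equal the immediately previous password")
    return problems


def revised_policy_check(password: str, user_id: str, history: List[str],
                         min_length: int = 8) -> List[str]:
    """The same check with the flaws listed above removed (my revision, not
    anything NSE published): no upper length limit, spaces and any printable
    character allowed, and reuse checked against the whole history. The history
    is held in plaintext purely for illustration; a deployed system keeps
    password hashes and compares those."""
    problems = []
    if len(password) < min_length:
        problems.append(f"length must be at least {min_length} characters")
    if not password.isprintable():
        problems.append("contains non-printable characters")
    if password.lower() == user_id.lower():
        problems.append("must not equal the user ID")
    if password in history:
        problems.append("must not reuse any previous password")
    return problems


def simulate_fortnightly_swap(check: Callable[[str, str, List[str]], List[str]],
                              user_id: str, favourites: Tuple[str, str],
                              rotations: int = 6) -> int:
    """Model the workaround predicted above: a user alternates between two
    favourite passwords at each forced 14-day change. Returns how many of the
    forced changes the given checker accepted."""
    history = [favourites[0]]
    accepted = 0
    for i in range(1, rotations + 1):
        candidate = favourites[i % 2]
        if not check(candidate, user_id, history):
            accepted += 1
            history.append(candidate)
    return accepted


if __name__ == "__main__":
    # Constructed sample values: a passphrase with spaces and two policy-compliant favourites.
    passphrase = "correct horse battery staple"
    favourites = ("Trader2008", "Nifty50Bull")
    print("NSE policy on a passphrase:    ", nse_policy_check(passphrase, "anoop", []))
    print("Revised policy on a passphrase:", revised_policy_check(passphrase, "anoop", []))
    print("Swaps accepted by NSE policy:   ", simulate_fortnightly_swap(nse_policy_check, "anoop", favourites))
    print("Swaps accepted by revised policy:", simulate_fortnightly_swap(revised_policy_check, "anoop", favourites))
```

The passphrase fails the quoted policy on three counts (length, spaces, no digit) and passes the revised one; the two-password swap sails through the quoted policy on every rotation and is stopped by the revised checker after the first.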
Enough quibbling. The flaws are not what really irk me.
Passwords are one of the weakest links in web apps. Instead of a better, more complex password policy, I wish the Exchange insisted the trading sites follow better practices to make life safer.
Here’re some steps I’d love to see the Exchange recommend to trading sites:
- When users log in, display the time and location of their three previous logins
- Go ahead and show them their last 3 transactions too, they will remember better
- Place a prominent link to let users report suspicious transactions
- Use a CAPTCHA when a login attempt fails, don’t lock anybody out!
- Monitor the application for suspicious logins - eg. large volume of logins from the same IP
- Require trading sites to warn users not to trade from publicly shared computers
- Explicitly allow users to use spaces in their password :)
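Three of these recommendations (show the previous logins, challenge with a CAPTCHA instead of locking out, watch for login bursts from one IP) are easy to sketch in code. The following is an added example of my own, not code from Plynt or from any trading site: a small monitor fed with constructed log lines. The log line format, the five-minute window, the threshold of 20 attempts per IP, the user names and the documentation-range IP addresses are all assumptions; the "three failures" trigger is the post's, but the response here is a CAPTCHA challenge rather than a lockout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Three failures is the post's trigger; the response is a CAPTCHA, never a lockout.
CAPTCHA_AFTER_FAILURES = 3
# Assumed monitoring window and per-IP threshold for "large volume of logins from the same IP".
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 20

# Constructed log format, e.g. 2008-09-01T09:31:10 LOGIN_OK user=anoop ip=198.51.100.5 loc="Mumbai, IN"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)'
    r'(?: loc="(?P<loc>[^"]*)")?$'
)


class LoginMonitor:
    def __init__(self):
        self.failures = defaultdict(int)                     # consecutive failures per user
        self.history = defaultdict(lambda: deque(maxlen=3))  # last three logins per user
        self.attempts = defaultdict(list)                    # timestamps of every attempt per IP

    def on_failed_login(self, user, ip, when):
        """Escalate to a CAPTCHA after repeated failures; the account is never locked."""
        self.attempts[ip].append(when)
        self.failures[user] += 1
        return "captcha_required" if self.failures[user] >= CAPTCHA_AFTER_FAILURES else "retry"

    def on_successful_login(self, user, ip, location, when):
        """Record the login and return the previous (up to three) logins, with time,
        IP and location, for display on the welcome page."""
        self.attempts[ip].append(when)
        previous = [(t.isoformat(), i, loc) for t, i, loc in self.history[user]]
        self.history[user].append((when, ip, location))
        self.failures[user] = 0
        return previous

    def suspicious_ips(self, now_iso):
        """IPs with more than BURST_THRESHOLD attempts in the window ending at now_iso."""
        now = datetime.fromisoformat(now_iso)
        flagged = {}
        for ip, times in self.attempts.items():
            recent = sum(1 for t in times if now - BURST_WINDOW <= t <= now)
            if recent > BURST_THRESHOLD:
                flagged[ip] = recent
        return flagged


def replay(lines):
    """Feed log lines to a fresh monitor. Returns (monitor, decisions): one decision
    per recognised line, the CAPTCHA verdict for a failure or the previous-logins
    list for a success."""
    monitor = LoginMonitor()
    decisions = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in a format this monitor does not understand
        when = datetime.fromisoformat(m["ts"])
        if m["event"] == "LOGIN_FAIL":
            decisions.append(monitor.on_failed_login(m["user"], m["ip"], when))
        else:
            decisions.append(monitor.on_successful_login(m["user"], m["ip"], m["loc"] or "unknown", when))
    return monitor, decisions


# Constructed sample log: one user fumbling a password then logging in over several
# days, followed by a burst of failed attempts against many accounts from one address.
SAMPLE_LOG = [
    '2008-09-01T09:30:00 LOGIN_FAIL user=anoop ip=198.51.100.5',
    '2008-09-01T09:30:20 LOGIN_FAIL user=anoop ip=198.51.100.5',
    '2008-09-01T09:30:45 LOGIN_FAIL user=anoop ip=198.51.100.5',
    '2008-09-01T09:31:10 LOGIN_OK user=anoop ip=198.51.100.5 loc="Mumbai, IN"',
    '2008-09-02T09:02:00 LOGIN_OK user=anoop ip=198.51.100.5 loc="Mumbai, IN"',
    '2008-09-03T09:05:00 LOGIN_OK user=anoop ip=203.0.113.9 loc="Pune, IN"',
    '2008-09-04T09:01:00 LOGIN_OK user=anoop ip=198.51.100.5 loc="Mumbai, IN"',
] + [f'2008-09-04T10:00:{i:02d} LOGIN_FAIL user=acct{i:03d} ip=203.0.113.7' for i in range(25)]

if __name__ == "__main__":
    monitor, decisions = replay(SAMPLE_LOG)
    print("Verdicts on the three failures:", decisions[:3])
    print("Welcome page on 4 Sept shows:  ", decisions[6])
    print("Suspicious IPs at 10:01:       ", monitor.suspicious_ips("2008-09-04T10:01:00"))
```

The third failure returns `captcha_required` rather than locking the account, so the mass-lockout trick from the flaws list has nothing to work with; the fourth login shows the user their three previous logins (including the one from Pune they may not recognise); and the burst of 25 attempts from 203.0.113.7 is the only address flagged.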
Plynt provides penetration testing and code review services to clients worldwide. If you are interested, please contact us for a quote. We’ll get back to you within one working day.
Also use a properly implemented 2-factor authentication scheme or even better a 2-channel authentication.
There are a number of simple and inexpensive options for providing the 2nd factor in 2-factor authentication mechanisms.
If they are serious about security they should hire some good security consultants who know this stuff rather than cooking up half-baked schemes that reduce security in the long run.