
Wells Fargo Password Policy

Overly tight restrictions on what you can use for a password raise a little red flag in the back of my mind. Sadly, banks are some of the worst at this. I recently came across the password policy page for Wells Fargo, which isn’t nearly the worst I’ve seen:

Your password:
– Must be 6 to 14 characters.
– Must contain at least one letter and one number.
– May not contain nine or more numbers.
– May not be identical to your Username.
– May not repeat the same number or letter more than 3 times in a row.
– May not contain more than 3 sequential numbers or letters (such as ‘1234’ or ‘abcd’) in a row.
– May contain special characters (such as @, %, &, #).

There are several things to like about this. Avoiding sequences and repetition is good. I wonder where the requirement to use fewer than nine digits comes from.
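As an added example (not code from the original post, and not Wells Fargo's own implementation), here is that rule set written out as a validator in Python. It returns the list of rules a candidate password breaks rather than a bare yes/no, so a sign-up form can tell the user what to fix. Two points the quoted policy leaves open are assumptions here: the comparison with the username is case-insensitive, and "sequential" is read as ascending runs only, since both examples the policy gives ('1234', 'abcd') are ascending. All function names are hypothetical, and the sample inputs at the bottom are constructed.

```python
import string

# Constructed from the Wells Fargo rules quoted above; each rule's text is
# returned verbatim so a caller can show the user which rule failed.
MIN_LEN, MAX_LEN = 6, 14
MAX_DIGITS = 8      # "may not contain nine or more numbers"
MAX_RUN = 3         # repeats or sequences longer than this are rejected
ALNUM = set(string.ascii_letters + string.digits)


def _is_alnum(ch: str) -> bool:
    return ch in ALNUM


def _longest_repeat_run(s: str) -> int:
    """Length of the longest run of one letter or digit repeated back to back
    ('aaaa' -> 4). Special characters are not counted: the rule names only
    numbers and letters."""
    best = run = 0
    for i, ch in enumerate(s):
        if _is_alnum(ch) and i > 0 and ch == s[i - 1]:
            run += 1
        else:
            run = 1 if _is_alnum(ch) else 0
        best = max(best, run)
    return best


def _longest_sequence_run(s: str) -> int:
    """Length of the longest run of consecutive ascending letters or digits
    ('abcd' or '1234' -> 4), compared case-insensitively. Assumption: the
    quoted policy only shows ascending examples, so '4321' is not counted."""
    s = s.lower()
    best = run = 0
    for i, ch in enumerate(s):
        if (_is_alnum(ch) and i > 0 and _is_alnum(s[i - 1])
                and ord(ch) == ord(s[i - 1]) + 1):
            run += 1
        else:
            run = 1 if _is_alnum(ch) else 0
        best = max(best, run)
    return best


def check_password(password: str, username: str) -> list:
    """Return the policy rules the password violates; an empty list means accepted."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("must be 6 to 14 characters")
    has_letter = any(c in string.ascii_letters for c in password)
    has_digit = any(c in string.digits for c in password)
    if not (has_letter and has_digit):
        problems.append("must contain at least one letter and one number")
    if sum(c in string.digits for c in password) > MAX_DIGITS:
        problems.append("may not contain nine or more numbers")
    # Assumption: the comparison with the username is case-insensitive.
    if password.lower() == username.lower():
        problems.append("may not be identical to your Username")
    if _longest_repeat_run(password) > MAX_RUN:
        problems.append("may not repeat the same number or letter more than 3 times in a row")
    if _longest_sequence_run(password) > MAX_RUN:
        problems.append("may not contain more than 3 sequential numbers or letters in a row")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ("Secret7pw", "password", "abcd1234", "aaaa12", "123456789a"):
        print(pw, "->", check_password(pw, "someone") or "accepted")
```

None of these checks needs the stored password: every rule is a property of the candidate string at the moment it is submitted, which is why the length cap is the only item in the list that hints at what happens after submission.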

The major pain point in this list is limiting the password length to only 14 characters. Any time I see a maximum length that small I fear they are storing it in plain text somewhere: a hashed password takes the same amount of storage no matter how long the input is, so a tight cap usually points to a fixed-width column holding the password itself, or a reversibly encrypted copy of it. Assuming reasonable hashing methods, a maximum length closer to 70 characters would be significantly better.

5 replies on “Wells Fargo Password Policy”

As a matter of fact, any constraint on the size means that they’re storing the actual value somewhere… because hashes have constant sizes, whatever the input.

In my dream world, the browsers would hash passwords before they send them so that passwords never leave my devices.

any constraint on the size means that they’re storing the actual value somewhere

Not exactly. For instance, if they used bcrypt, then limiting it to 72 characters would be a good idea (because bcrypt only uses the first 72). You could hash the password with something else first and then feed the hash of the password to bcrypt to get around that limitation. But if you were using bcrypt directly then I’d be fine with a 72 character limit.

In general, allowing for an unlimited size for a password probably isn’t a good idea either. Do you really want to feed a 15 MB string into your password hashing algorithm? Instead, a hard limit of something like 1,000 characters, no matter what hashing system you are using, would be reasonable.
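To make the length question concrete, here is an added example (not code from either commenter or from the original post) of the pre-hash approach described in the reply above: the password is refused if it exceeds 1,000 characters, collapsed to a fixed-length SHA-256 digest, base64-encoded, and only then fed to the slow password hash. Two assumptions: the slow hash is PBKDF2-HMAC-SHA256 from Python's standard library standing in for bcrypt so the block runs without a third-party package, and bcrypt_style_truncate() merely models bcrypt's 72-byte cut-off to show why two long passwords would collide without the pre-hash. All function names are hypothetical and the inputs at the bottom are constructed.

```python
import base64
import hashlib
import hmac
import os

HARD_CAP = 1000          # upper bound from the comment above: refuse before doing any hashing work
BCRYPT_INPUT_LIMIT = 72  # bcrypt uses only the first 72 bytes of its input
PBKDF2_ROUNDS = 100_000  # stand-in work factor; bcrypt's cost parameter plays this role


def prehash(password: str) -> bytes:
    """Collapse a password of any length up to HARD_CAP into 44 ASCII bytes.

    SHA-256 gives a fixed 32-byte digest; base64 keeps it under the 72-byte
    limit and free of NUL bytes, which matters because bcrypt treats its
    input as a C string and a NUL byte would end the password early.
    """
    if len(password) > HARD_CAP:
        raise ValueError("password longer than %d characters" % HARD_CAP)
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest)


def slow_hash(material: bytes, salt: bytes) -> bytes:
    """Assumption: PBKDF2-HMAC-SHA256 from the standard library stands in for
    bcrypt here. With the bcrypt package this would be
    bcrypt.hashpw(material, salt) with a salt from bcrypt.gensalt()."""
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)


def make_record(password: str) -> tuple:
    """Return the (salt, hash) pair to store for a new password."""
    salt = os.urandom(16)
    return salt, slow_hash(prehash(password), salt)


def verify(password: str, record: tuple) -> bool:
    """Check a login attempt against a stored (salt, hash) pair in constant time."""
    salt, stored = record
    return hmac.compare_digest(slow_hash(prehash(password), salt), stored)


def bcrypt_style_truncate(password: str) -> bytes:
    """Model of what bcrypt actually consumes when handed a raw password."""
    return password.encode("utf-8")[:BCRYPT_INPUT_LIMIT]


if __name__ == "__main__":
    # Constructed inputs: identical for the first 72 bytes, different after that.
    first = "correct horse battery staple " * 4          # 116 characters
    second = first[:72] + "X" * (len(first) - 72)
    print("raw bcrypt input identical:",
          bcrypt_style_truncate(first) == bcrypt_style_truncate(second))
    print("pre-hashed input identical:", prehash(first) == prehash(second))
    record = make_record(first)
    print("verify(first):", verify(first, record),
          " verify(second):", verify(second, record))
```

With the pre-hash in place the user-facing limit is decoupled from the storage scheme: the slow hash always sees 44 bytes, so the only cap the application needs is the sanity limit that stops someone submitting a multi-megabyte "password".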
