Shame On Short Passwords
Saturday, November 3, 2012
Friday, December 30, 2011
Kohls.com
I recently signed up for a Kohl's credit card. Correction, my wife recently signed me up for a Kohl's credit card to get 20% off of some Christmas presents. I got the bill in the mail today and wanted to pay it online. "Sign up for My Kohl's Charge to view and pay your bill online" it said. "Perfect." I thought, "This way I don't have to count on the mail and be all old-fashioned."
To my dismay the website was straight out of 1997. "We can have blinking text? Wow!"
Worse was the fact that your password is limited to 8 characters! And NO special characters! To their credit, it must be at least 6 characters and not the same as your username, but come on.
Let's go over to How Secure Is My Password and see the difference between 6 and 8 characters.
6 random letters and numbers with varied case: 3 minutes to hack
8 random letters all lower case: 13 minutes to hack
8 random letters all lower case with numbers: 3 hours to hack
8 random letters and numbers with varied case: 10 days to hack
So at the very best your password would take 10 days for an average PC to guess. That's the best security Kohl's wants you to have. Remember, you are storing credit card and checking account information behind that password, and at most they want a hacker to have to spend about 10 days hacking per customer? Just being able to put special characters would move this time into dozens of days per customer. Allowing for a much longer password would move the time into years and possibly millennia.
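To put numbers behind that argument, here is an added example (not part of the original post) that computes the keyspace, entropy and expected brute-force time for the cases above and for a longer password with special characters. The guess rate and the 32-symbol special-character set are assumptions for illustration; the point is how a length cap bounds the strongest password a user is allowed to choose.

```python
import math

# Character-class sizes for printable ASCII (the 32 specials is an assumption).
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this length, in bits."""
    return length * math.log2(alphabet_size)

def expected_crack_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected brute-force time: on average the attacker searches half the keyspace."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second

def policy_ceiling_bits(max_length: int, alphabet_size: int) -> float:
    """Strongest password a policy permits; a maximum length caps this no matter what users pick."""
    return entropy_bits(alphabet_size, max_length)

def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, div in (("years", 31_557_600), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= div:
            return f"{seconds / div:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    RATE = 1e8  # guesses/s: assumed offline rate for a single commodity GPU, not a figure from the post
    cases = [
        ("6 mixed-case letters+digits", LOWER + UPPER + DIGITS, 6),
        ("8 lowercase letters", LOWER, 8),
        ("8 lowercase+digits", LOWER + DIGITS, 8),
        ("8 mixed-case letters+digits", LOWER + UPPER + DIGITS, 8),
        ("8 with specials allowed", LOWER + UPPER + DIGITS + SPECIAL, 8),
        ("16 with specials allowed", LOWER + UPPER + DIGITS + SPECIAL, 16),
    ]
    for name, size, length in cases:
        bits = entropy_bits(size, length)
        print(f"{name:30} {bits:6.1f} bits  {describe(expected_crack_seconds(size, length, RATE))}")
    # A policy that caps passwords at 8 alphanumeric characters caps every user at this ceiling:
    print(f"policy ceiling (8 chars, no specials): {policy_ceiling_bits(8, 62):.1f} bits")
```

Going from 6 to 8 mixed-case alphanumeric characters multiplies the keyspace by 62 squared (3,844), while doubling the length to 16 with specials moves the expected time from hours to far beyond a human lifetime at the same guess rate.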
Intro
It's disturbing to me how many websites have a length limit on passwords. I have tried contacting the companies only to be dismissed. This blog is my attempt to shame them into better security.