Poor password policies put users at risk

It's not exactly new, and something that almost every Web Developer knows ... or at least should do.

Poor password policies put users data at risk; and the larger (or more high profile) the product, the more of a target you become. Especially if you are potentially storing anything that is profitable for a crook.

So why do so many large, high profile, websites have poor password policies? It's not technical thats for sure. It can only be laziness or poor standards (or pressure) by the development teams behind them.

After the recent breach that impacted over 2000 Tesco Customers (a breach that Tesco are still saying was on OTHER websites, not theirs - a breach that ended up with my own account being locked (even thought it was not on the breached data list that was published on PasteBin) - a point that I still have not had a clear, satisfactory response from Tesco about), I decided that I'd work through a few of the websites I use and see what their password policies were like.

Many were pretty good - allowing you to use long, complex passwords. However, there were some interesting "issues" that I found:

British Gas

Required an alphanumeric password (no symbols), with a length of between 8 and 20.
Oh wait, no it's not - try and use a 20 character password and it fails saying it needs to be 16 max. Poor design / UAT work here.

HMRC

Required an alphanumeric password (no symbols), with a length of 8 to 12.
Rather worryingly, the passwords are case insensitive.

Confused.Com

Required an alphanumeric password (no symbols) with a length of 6 to 20.

O2

Required a password of between 7 and 16 characters.
Limited symbol set accepted.

Tesco

Password length of 6 to 10 characters (what on earth?!)
Reported as being case insensitive but didn't test this here.
Alpha numeric only - no symbols.

 

As you can see, Tesco is by far the worst offender that I've encountered on my short wander around on the internet - but I'm absolutely amazed about the HMRC's policy - considering what they secure, that is awful.

There is no excuse for poor password management / policies, I just wish it didn't take people's information being leaked into the public domain before companies start to pay attention.

 

If I get time, I'll have a look at some other sites - in the meantime, I'd strongly recommend people practice good password management and use a different password on each website (there are tools such as KeePass and LastPass to help you keep a note of them - securely - so you don't really have an excuse).

I'd also recommend plugging your email address into https://haveibeenpwned.com/ - a great service by Troy Hunt.