I was changing my Chase account password online when I came across this mess.
You idiots still don’t get it
I can understand this limitation for usernames, but passwords too? Clearly, Chase thinks it knows better than people who want to take a proactive approach to their passwords.
Between bunny123, MonkeyWrench5875 and cNF7k=RsF$M4p, which do you think is the more secure password? Hint: The one not likely to show up pre-hashed in a Rainbow Table.
This forced dumbing down is just because whoever wrote it clearly didn’t bother with, or wasn’t able to put in, proper filtering to make sure there’s no SQL injection taking place.
I don’t believe there should be any limits up to maybe 600 characters since hashing is universal. I should be able to write a password in Kanji or Sanskrit if I so please and maybe even an entire sentence with numbers. Why in the name of all that is holy would you be this lazy with something simple like a password?
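The point about hashing being universal, as an added example (not Chase's code and not the author's generator): any Unicode password up to 600 characters is normalized, salted and run through scrypt, and the stored record has the same length whatever was typed. The scrypt parameters, the NFKC normalization step and the sample strings are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

MAX_CHARS = 600   # generous cap from the post; it only bounds hashing cost
SALT_BYTES = 16
KEY_BYTES = 32
# Assumed scrypt work factors for this example; tune for your hardware.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=KEY_BYTES)


def _prepare(password: str) -> bytes:
    """Normalize Unicode so the same typed text always yields the same bytes."""
    if not 1 <= len(password) <= MAX_CHARS:
        raise ValueError("password must be 1..%d characters" % MAX_CHARS)
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str) -> bytes:
    """Return salt || derived key: 48 bytes regardless of the input."""
    salt = os.urandom(SALT_BYTES)
    return salt + hashlib.scrypt(_prepare(password), salt=salt, **SCRYPT)


def verify_password(password: str, stored: bytes) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    salt, key = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.scrypt(_prepare(password), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, key)


# Constructed samples: the three passwords from the post, plus the kinds of
# input it argues should be accepted (Kanji, punctuation, a long sentence).
SAMPLES = [
    "bunny123",
    "MonkeyWrench5875",
    "cNF7k=RsF$M4p",
    "パスワードは漢字でも大丈夫",
    "it's \"quoted\"; -- and = $ % are just bytes to a hash",
    "An entire sentence with numbers like 1984 and 42, " * 5,
]

if __name__ == "__main__":
    for pw in SAMPLES:
        rec = hash_password(pw)
        print(len(pw), "chars ->", len(rec), "bytes, ok:", verify_password(pw, rec))
```

Because only the fixed-length record is stored (ideally through a parameterized query), the characters in the password never reach the SQL layer as text.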
Is it any wonder that financial institutions are being targeted by hackers as ruthlessly as they are? They know the banking world is full of these. If you’re trying to advise customers with security procedures, why would you put in this glaring shortcoming? Whoever came up with this limitation should be fired on the spot. If your banking software is as arcane as your security, then what else is hiding in there?
If you want to create passwords that are impossible to guess, yet easy for you to remember, try out my password generator. You can take a phrase like “Scooby Doo Where are you” and turn it into a password like s19D4@w23a1$y25 with all the bells and whistles turned on. Make passwords out of lines from out-of-print books, some secret shared with a loved one or even a phrase in another language transliterated into English (my favorite technique).
Of course, no secure password in the world will help you if the institutions you depend on aren’t willing to accept them for stupid technical reasons.