Another Strange Password Policy
It still amazes me that, after all the education over the years, there are still so many poor password policies out there. Anyone who has ever filled out a web form has likely run into these overly complex and frustrating password policies.
But sometimes a password policy is an indication of a bigger problem. For example, today I was setting up an account and entered a very strong password and was presented with the following error message:

Apparently what caused the error is that I used a period in my password, and this policy only allows numbers and letters. But the bigger questions here are: why doesn't the policy allow symbols? Why does the password have to start with a letter? And why is there a limit of 20 characters?
The reason these concern me is that they sound more like technical limitations than rules motivated by password security. Normally when you store a password, you never store the password at all: you run it through a salted, deliberately slow password hash (bcrypt, scrypt or PBKDF2) and store the resulting digest. The nice thing about a hash is that it is just a fixed-size string of bytes, usually stored as hexadecimal, so you don't have to worry about the security risks of special metacharacters and symbols reaching the database. You also don't care about maximum length, because the digest is always the same size whether the password is 10 characters or 100 characters.
However, if you are worrying about non-alphanumeric characters and the password length, that suspiciously sounds like they are storing the password itself, not a hash of the password (a 20-character limit, for example, is what you get when the password has to fit in a fixed-width column). For a healthcare organization this is a big deal. And although we like to think that most big companies have security teams that prevent things like this, the recent announcement that Sony stored passwords in plaintext tells us otherwise.
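To make the point concrete, here is an added example (not code from the site in question or from this post's original text) of what a password store looks like when it hashes rather than stores passwords. The scrypt cost parameters, the 16-byte salt, the `salt$digest` hex record format and the sample passwords are all assumptions for the example; the record stays the same width whether the password is 11 characters with a period or over a hundred characters of spaces and umlauts, because only the digest is stored.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# scrypt cost parameters: an assumption for this example, tune them for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a password.

    The password is UTF-8 encoded and fed to a salted, deliberately slow KDF,
    so periods, quotes, spaces and non-ASCII characters are all just bytes to it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        dklen=DIGEST_BYTES,
    )
    return salt, digest


def stored_record(password: str) -> str:
    """What actually lands in the database: hex salt and hex digest, fixed width."""
    salt, digest = hash_password(password)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record.split("$", 1)
    _, candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample passwords: one the site would reject (digit first, a period),
    # one far longer than 20 characters, and one with non-ASCII characters.
    samples = ["1st.Choice!", "correct horse battery staple " * 4, "pässwörd.mit.Umlauten"]
    for pw in samples:
        rec = stored_record(pw)
        print(f"{len(pw):3d} chars -> {len(rec)} chars stored: {rec[:20]}...")
        assert verify_password(pw, rec) and not verify_password(pw + "x", rec)
```

Note that nothing here needs to reject a character or cap the length: the only input validation a hashing store needs is an upper bound large enough to stop someone feeding megabytes into a slow KDF, not a 20-character limit.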
Secret Questions
A little lower on the page I ran across another problem: they let users write their own secret question, as shown here:

The problem with this is that most users are not qualified to come up with quality secret questions. At best you will see questions asking for their favorite color (how many colors are there, really?), their dog's name (just look at their Facebook profile), or where they live. To make matters worse, a shockingly high number of people will put the answer in the question itself, as a hint. If you disagree with me on this and have a site that lets users set their own secret questions, check your database and you will be surprised how bad they can be and how often the question reveals its own answer. This is one of those little secrets that hackers have known for years.
Finally, the worst offense is the way this site lets you recover your password:

If you click the Forgot Password link, you are shown the above form, which lets you set a new password if you know the answer to the secret question. The problem is that this makes the secret question as powerful as the password itself, because just knowing the answer lets you set a new password. Normally, answering a secret question only initiates a reset: the registered email address receives a message saying that a password reset was requested, containing a single-use, time-limited link that the user must click to finish the process.
The reason we do this is that secret questions are not secure. The answer to a secret question is typically easily discoverable, drawn from a limited number of possible values, and a fact that will never change (you cannot rotate your mother's maiden name the way you rotate a password). We can only partially compensate for these problems by sending an e-mail notification to the user and requiring a click-through, so that an attacker needs access to the mailbox as well as the answer.
In this particular case, the user sets their own secret question, which has a high chance of being insecure, and then all that is needed to set a new password is to guess that answer; no email access is required.
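The flow described above, as an added example that is not part of the original post and not the site's code: a correct secret answer only causes a reset e-mail to be sent, and the password can be changed only by presenting the random token from that e-mail, which is stored hashed, expires, and is consumed on first use. The `ResetFlow` class, the 15-minute lifetime, the in-memory `outbox` standing in for a mail server, and the sample account for "alice" are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes


def _kdf(secret: str, salt: bytes) -> bytes:
    """Slow, salted hash used for passwords and for secret answers (they are secrets too)."""
    return hashlib.scrypt(secret.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


@dataclass
class Account:
    email: str
    pw_salt: bytes
    password_hash: bytes
    answer_salt: bytes
    answer_hash: bytes
    reset_token_hash: Optional[bytes] = None  # only a hash of the token is ever stored
    reset_expires: float = 0.0


class ResetFlow:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[Tuple[str, str]] = []  # stand-in for the mail server: (email, token)

    def register(self, username: str, email: str, password: str, answer: str) -> None:
        pw_salt, answer_salt = os.urandom(16), os.urandom(16)
        self.accounts[username] = Account(
            email, pw_salt, _kdf(password, pw_salt),
            answer_salt, _kdf(answer.strip().lower(), answer_salt),
        )

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and hmac.compare_digest(
            _kdf(password, acct.pw_salt), acct.password_hash
        )

    def request_reset(self, username: str, answer: str, now: Optional[float] = None) -> bool:
        """Step 1: a correct answer earns the user an e-mail, never a password change."""
        acct = self.accounts.get(username)
        if acct is None:
            return False  # same result as a wrong answer, so usernames are not enumerable
        if not hmac.compare_digest(_kdf(answer.strip().lower(), acct.answer_salt), acct.answer_hash):
            return False
        token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable like an answer
        acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
        acct.reset_expires = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
        self.outbox.append((acct.email, token))  # the only copy of the token leaves by mail
        return True

    def complete_reset(self, username: str, token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
        """Step 2: the link proves mailbox access; the token is time-limited and single use."""
        acct = self.accounts.get(username)
        if acct is None or acct.reset_token_hash is None:
            return False
        if (time.time() if now is None else now) > acct.reset_expires:
            acct.reset_token_hash = None  # expired links are discarded, not retried
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), acct.reset_token_hash):
            return False
        acct.reset_token_hash = None  # consume it: a captured link cannot be replayed
        acct.password_hash = _kdf(new_password, acct.pw_salt)
        return True


if __name__ == "__main__":
    flow = ResetFlow()
    flow.register("alice", "alice@example.com", "Old.Pass!1", "Rex")  # constructed sample account
    print("attacker who knows the dog's name requests a reset:", flow.request_reset("alice", "rex"))
    print("attacker tries to set a password anyway:", flow.complete_reset("alice", "guess", "Pwned1"))
    _, token = flow.outbox[-1]  # only the mailbox owner sees this
    print("owner completes reset from the e-mail link:", flow.complete_reset("alice", token, "New.Pass!2"))
    print("same link used a second time:", flow.complete_reset("alice", token, "Again3"))
```

The contrast with the site's form is the second step: knowing the answer gets the attacker as far as generating an e-mail to the victim, which is noisy and useless without the mailbox, whereas on the site the answer alone finishes the reset.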
The sad thing is this company has already appeared in this database once before, I hope it doesn’t happen again, especially not with my medical information.
Tags: Passwords, password policy

