Stupid Credit Card Security Rules

I have no fear of buying products online. Part of the drill is to jump through a few hoops for authentication. I understand that.

However, I can’t understand why credit and debit card companies, Visa in this case, put tight limits on passwords. I get the need for numbers and letters. Good. I don’t get the limitation of a password to between 6-8 characters only.

The longer the password, the more secure. Does Visa not care about security enough to allow a longer password?

Most people use two or three passwords, depending on the type of site. Worthless sites you have to log in to to see jokes or funny pictures, or a white paper if for work, gets the shortest, easiest to remember password possible. Sites involving money get a nice long, complicated password.

But not if you’re using Visa’s online credit verification service. Passwords between 6-8 characters only, thank you.

Worse, I didn’t even sign up for this verification, it just appeared when I ordered something online. If you’re going to force me to put in my card information a second time, after I gave it to the online store, at least let me pick a password that’s long enough to be useful.

This entry was posted on Tuesday, October 28th, 2008 at 11:37 am and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to Stupid Credit Card Security Rules

  1. Josh says:
    October 28, 2008 at 7:01 pm

    Whenever I see a “maximum password length”, I am always wary because that means that either:
    – The web/data team doesn’t know how to store a password securely, or
    – The web/data team doesn’t know what they’re doing.

    A properly-stored password is run through a one-way hashing algorithm that securely encrypts its contents into a fixed-length string. Whether your password is your pet’s name, your wife’s social security number, or even the entire text of _War and Peace_, rot13()’d, it all hashes down into a string of identical length.

    Since you can simply run the same algorithm on User input when processing a login attempt, you don’t need the cleartext password. Ever.

    The next time you see “maximum password length”, just remember that if a hacker were to compromise that website’s data server, he likely could get access to your password. Choose your password accordingly (or pick a different site where they know how to safeguard your data!).

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: