I have no fear of buying products online. Part of the drill is to jump through a few hoops for authentication. I understand that.
However, I can’t understand why credit and debit card companies, Visa in this case, put tight limits on passwords. I get the need for numbers and letters. Good. I don’t get the limitation of a password to between 6-8 characters only.
The longer the password, the more secure. Does Visa not care about security enough to allow a longer password?
Most people use two or three passwords, depending on the type of site. Worthless sites you have to log in to to see jokes or funny pictures, or a white paper if for work, get the shortest, easiest-to-remember password possible. Sites involving money get a nice long, complicated password.
But not if you’re using Visa’s online credit verification service. Passwords between 6-8 characters only, thank you.
Worse, I didn’t even sign up for this verification, it just appeared when I ordered something online. If you’re going to force me to put in my card information a second time, after I gave it to the online store, at least let me pick a password that’s long enough to be useful.
Whenever I see a “maximum password length”, I am always wary because that means that either:
– The web/data team doesn’t know how to store a password securely, or
– The web/data team doesn’t know what they’re doing.
A properly stored password is run through a one-way hashing algorithm that reduces its contents to a fixed-length string. Whether your password is your pet’s name, your wife’s social security number, or even the entire text of _War and Peace_, rot13()’d, it all hashes down into a string of identical length.
Since you can simply run the same algorithm on user input when processing a login attempt, you don’t need the cleartext password. Ever.
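To make the point concrete, here is an added example (not code from the original post or from Visa) that stores and verifies passwords the way the paragraph describes: a salted, iterated one-way hash via Python's standard-library `hashlib.pbkdf2_hmac`. The two sample passwords, one 8 characters and one roughly 11,000 characters, are constructed for the demonstration; both produce a 32-byte digest, and login is checked by re-running the same derivation on the submitted input, so the cleartext is never stored and no maximum length is needed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample inputs of wildly different lengths.
SHORT_PASSWORD = "Fluffy42"
LONG_PASSWORD = "correct horse battery staple " * 400  # ~11,600 characters

ITERATIONS = 600_000  # work factor; tune upward as hardware gets faster
DIGEST_LEN = 32       # PBKDF2 output length in bytes, independent of input length
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    The digest is always DIGEST_LEN bytes, whatever the password length, so
    the storage schema never has to cap what the user types in.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DIGEST_LEN
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest from the login attempt and compare in constant time.

    Only the record produced by hash_password() is needed; the cleartext
    password is never kept anywhere.
    """
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False  # unknown scheme; refuse rather than guess
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex),
        int(iterations), dklen=DIGEST_LEN,
    )
    # compare_digest avoids leaking match position through timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_digest_length(stored: str) -> int:
    """Length in bytes of the digest field of a stored record."""
    return len(bytes.fromhex(stored.split("$")[3]))


if __name__ == "__main__":
    short_rec = hash_password(SHORT_PASSWORD)
    long_rec = hash_password(LONG_PASSWORD)
    print("short digest bytes:", stored_digest_length(short_rec))
    print("long  digest bytes:", stored_digest_length(long_rec))
    print("short login ok:", verify_password(SHORT_PASSWORD, short_rec))
    print("long  login ok:", verify_password(LONG_PASSWORD, long_rec))
    print("wrong password :", verify_password(SHORT_PASSWORD + "x", short_rec))
```

The stored record contains the salt and the iteration count but no recoverable form of the password, so a database compromise yields only digests that must be brute-forced one expensive guess at a time. PBKDF2 (like scrypt and Argon2) accepts input of any length; the one common scheme with a real input cap is bcrypt, which silently truncates at 72 bytes, and sites that use it sometimes hash the password once with SHA-256 first rather than impose a low limit on users.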
The next time you see “maximum password length”, just remember that if a hacker were to compromise that website’s data server, he likely could get access to your password. Choose your password accordingly (or pick a different site where they know how to safeguard your data!).