MBNA password requirements.

debiantriage

19 Sep, 2017 07:46 PM

Here we can read

While we're encoding a password, we have one final problem to solve: password policies. Most websites nowadays have taken it upon themselves to restrict the kinds of passwords you can use. The point is usually to keep you from using passwords that are too weak, but these policies unfortunately often include rules that are detrimental for the strength of passwords (such as "your password MUST contain a number, it MUST start with a letter, and it MUST NOT be longer than 6 characters. Oh yeah, and it MUST NOT contain quotes or anything fancy because we strip that since we don't know how else to sanitize data against SQL injection while we store your passwords in plain text.") (did you detect a little rant there?).

Any objection to my joining in the rant? MBNA (in case you do not know, a banking concern) has a password policy stating in part

8 to 20 letters, dots [.] or dashes [-], but no spaces or symbols, e.g. &/@£.
Must contain letters and numbers, with no more than two consecutive characters.

20 characters is ok for me with mpw, but I do not think mpw will oblige by using only "." and "-" as special characters, even if I speak with it nicely.

So, suppose I take the password generated by mpw and substitute any MBNA-forbidden characters with "." and "-"? (Realising, of course, that I am departing from the simplicity-of-use aspect of mpw.) How does that affect the entropy of the resultant password? I'm only after an indication of whether it is significant or not. The stated entropy of a maximum security password is nearly 124 bits. I am sufficiently attracted by that to use such a password with all my sites.

I might email MBNA to see what their canned response is. Password1 fits their rules. I could ask their opinion on that too. :)

Cheers,

Brian.

  1. Support Staff 1 Posted by Maarten Billemo... on 19 Sep, 2017 08:32 PM

    Generally, the "basic" password is the best fall-back if Long is incompatible. It is an 8-character alphanumeric with an entropy of ~42 bits.

    To really know what kind of entropy you should be looking for, you need to state what kind of attack you're trying to defend against.

    Are you protecting against a person trying to guess your password on a website? Are you protecting against a hash reversal attack? Is it salted? Is the salt known? Are you protecting against a brute-force network attack on a login page? Are you trying to protect against an intrusion in the website's company servers? Is there a two-factor involved? Is there a brute-force countermeasure involved (e.g. max password attempts)? Etc.

    The type of attack will give you a clear understanding of what your attack's bottleneck is and how wide it is.

    Only after you know how wide your attack's bottleneck is can you understand what kind of entropy requirement is necessary.

    My general recommendation is that you shouldn't put too much effort into maximizing a site password's entropy, since there are so many attack angles on this password that password entropy is simply powerless against. Just make it "as good as you can get" and instead focus on compartmentalization: don't let one compromised account get you into too much trouble. Don't put all your eggs in one basket.
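As an added illustration (not the poster's or the Master Password project's code), the following Python script models the two things discussed in this thread: the MBNA rules quoted in the question as a checker, and the entropy cost Brian asks about when forbidden symbols are folded onto "." and "-". The 72-symbol generator alphabet and the fold-by-index rule are constructed assumptions, not mpw's real template; with that alphabet, 20 independent positions give 20 × log2(72) ≈ 123 bits, in line with the figure quoted above, and the fold costs roughly 6.5 bits in total.

```python
import math
import string
from collections import Counter

# Constructed generator alphabet for illustration only (not mpw's real template
# alphabet): 62 letters/digits plus 10 symbols, 72 candidates per position.
LETTERS_DIGITS = string.ascii_letters + string.digits
SYMBOLS = "!@#$%^&*()"
ALPHABET = LETTERS_DIGITS + SYMBOLS

# MBNA's allowed set as quoted in the question: letters, digits, '.' and '-'.
MBNA_ALLOWED = set(LETTERS_DIGITS + ".-")


def substitute(ch):
    """Fold one generated character onto the allowed set. Forbidden symbols go
    to '.' or '-' (assumption: alternate by their index in SYMBOLS)."""
    if ch in MBNA_ALLOWED:
        return ch
    return "." if SYMBOLS.index(ch) % 2 == 0 else "-"


def per_position_entropy(alphabet, mapping):
    """Shannon entropy (bits) of one output position, assuming the generator
    draws uniformly from `alphabet` and the result passes through `mapping`.
    A non-injective mapping collapses inputs, so entropy drops below log2(n)."""
    n = len(alphabet)
    counts = Counter(mapping(c) for c in alphabet)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def entropy_loss(alphabet, mapping, positions):
    """Return (bits before substitution, bits after, bits lost) for a password
    of `positions` independent characters."""
    before = positions * math.log2(len(alphabet))
    after = positions * per_position_entropy(alphabet, mapping)
    return before, after, before - after


def mbna_policy_ok(pw):
    """Check the rules quoted in the question. 'No more than two consecutive
    characters' is read as 'no run of three identical characters' (assumption)."""
    if not 8 <= len(pw) <= 20 or any(c not in MBNA_ALLOWED for c in pw):
        return False
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        return False
    return not any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2))


if __name__ == "__main__":
    before, after, lost = entropy_loss(ALPHABET, substitute, 20)
    print(f"20 chars: {before:.1f} bits -> {after:.1f} bits ({lost:.1f} bits lost)")
    print("Password1 passes:", mbna_policy_ok("Password1"))
```

The per-position loss is small because only 10 of the 72 candidates are affected; the bigger practical risk is the policy itself, which admits guessable strings like Password1 while rejecting stronger ones.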
