Seriously Big ISP?

Okay, I just had a flashback-to-the-1990s moment. I've been a customer of [INSERT BIG BROADBAND ISP NAME HERE] for quite a while, over 7 years actually. I signed up with them because they were, and still are, the only broadband game in town. This was back in 2003 when I left the military and rejoined the civilian world. I was never given (to my knowledge) the credentials for the email associated with the account. It never bothered me, as I prefer to handle my own email arrangements and not have it tied to the ISP.

So recently I'm looking to upgrade my speeds to the next tier; lo and behold, they want me to log in using that account information. Ugh! But, hey! They provide me with all the tools to be able to get that information. Within minutes I have the username/password for the master account in my hands. So I log in, and being the good security-conscious web geek that I am, I promptly set off to change the overly simplistic password that was assigned to me.

Being a web app developer, I know more than a little about password security on the net, and I'm a longtime user of KeePass. I like to use really nasty-looking passwords like "];0};X5M+^+4ZO{r-Y3>". So I open up KeePass, create a new entry, and then have it generate a new password for me. I copy and paste it into the change-password page for my account, click the button, and...BAM! It spits back an error message. Apparently my default password length of 20 is too long. I can't have anything shorter than 8 characters or longer than 12.

Wait...what?

Seriously, limiting your users to 12 character passwords? Seriously? Come on, even Windows NT let you have up to 14. Okay, I've got no choice here, so I generate a 12 character password. Paste, click...BAM!

More red text. Now it seems that special characters (read: anything that isn't a letter or number) are not allowed. So I'm required to cut my password security down even more.

Has the world not learned anything over the last few years? Hell, over the last few months? Gawker Media, anyone? I'm sure as hell not going to be tying this account to *any* services, since I can't ensure proper password security on it.

The worst part of this is that the ISP, the technology company that should know better, is the one enforcing the restrictions. What's worse is that the restrictions being enforced make no sense. Use a suitably modern hash and you don't have to worry about storing a copy of War and Peace in the database for a password: the output is a fixed length no matter how long the input is. Salting the hash makes it stronger still against brute-force attacks on leaked databases, the kind of attack Gawker recently suffered.
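To make that point concrete, here is an added example (my own illustration, not code from the original post or from any ISP) of salted PBKDF2-HMAC-SHA256 password storage in Python. The sample passwords, the 16-byte salt size and the iteration count are constructed assumptions; the point is that the database stores the same 48 bytes whether the password is 8 characters or 200, and that two users with the same password get different digests.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed samples: a KeePass-style password with special characters,
# a long passphrase, and the short letters-and-digits password the ISP forces.
SAMPLE_PASSWORDS = [
    "];0};X5M+^+4ZO{r-Y3>",
    "correct horse battery staple " * 8,
    "abc12345",
]

ITERATIONS = 200_000   # PBKDF2 work factor (assumed); raise as hardware improves
SALT_BYTES = 16        # per-password random salt
DIGEST_BYTES = 32      # PBKDF2-HMAC-SHA256 output length, independent of input length


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest length never depends on the password length."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh salt for every stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def stored_lengths(passwords: List[str]) -> List[int]:
    """Bytes the database must keep per password: always SALT_BYTES + DIGEST_BYTES."""
    return [len(s) + len(d) for s, d in (hash_password(p) for p in passwords)]


def salted_digests_differ(password: str) -> bool:
    """Same password, two salts: the stored digests differ, so one crack does not unlock both."""
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return d1 != d2


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        salt, digest = hash_password(pw)
        print(f"len(password)={len(pw):3d} -> stored {len(salt) + len(digest)} bytes,"
              f" verify={verify_password(pw, salt, digest)}")
    print("same password, different salts, different digests:", salted_digests_differ("abc12345"))
```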

Seriously, if there was any kind of alternative for broadband internet service in the area, this is the kind of thing that would make me drop a service provider. If you care so little about your customers that you not only allow them to choose insecure passwords, but *force* them to, you should not have the business of someone who knows better.