Hey – continuing on our theme, here is another fun article from Shark Tank.
No Good Password Goes Unpunished
Consultant pilot fish is paying his bills online, but for some reason his health insurance company’s website won’t let him log in.
“I tried twice, and it rejected either my user name or my password both times,” fish says. “It also warned me I’d be locked out after a third try, so I waited a few hours and tried again. Still no luck.”
Fortunately, fish is able to find a website-support number on the insurance company’s public website. After a few minutes on hold, he gets a support rep who requests his policy number and then asks what the problem is.
Fish explains that he’s trying to log in with the same user name and password that worked when he paid his bill the month before, but now it’s not working. Is there a known issue on your system, or is there a problem with my account? he asks.
There is an issue that might be causing the problem, support rep tells fish. It seems that at the start of the month, security was switched from supporting passwords between six and eight characters long to supporting passwords that are up to 15 characters, and customers with the longer passwords are now having problems.
Fish assures the rep that his password is more than eight characters long.
“Try logging in with just the first eight characters,” rep says.
Fish does. It works. Then, once he’s logged in, the support rep walks him through changing his password from that eight-character version to his full password.
And before he hangs up to finish paying his bill, fish thanks the support rep and wishes her luck dealing with all the other customers who chose long passwords because they thought they’d be more secure.
“But they were throwing away anything in a password beyond eight characters,” grumbles fish. “And then after the security upgrade, the people who had longer, better passwords were the ones who were punished for it.
“At least they used bounds checking to confirm input length…”
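The failure mode in the story is silent truncation: the old site kept only the first eight characters of whatever a customer typed, hashed that, and accepted any longer string whose first eight characters matched. The "upgrade" started hashing the full input, so every customer with a longer password was locked out. The following is an added example, not code from the Shark Tank column or from the insurer; the hashing scheme (PBKDF2-HMAC-SHA256 with a per-user salt), the record layout and the sample password are assumptions made for illustration. It reproduces the legacy behaviour, shows why the naive upgrade rejects the full password, and then shows a migration-aware check that accepts the legacy prefix once and forces a password change, which is what the support rep did by hand.

```python
"""Silent 8-character password truncation and a migration path that does
not lock out the users who chose longer passwords.

Added example, not code from the Shark Tank column or the insurer's site.
Assumptions: PBKDF2-HMAC-SHA256 with a per-user salt stands in for whatever
the real site used, and the record layout is invented for illustration.
"""
import hashlib
import hmac
import os

LEGACY_MAX_LEN = 8      # the old site silently kept only the first 8 characters
NEW_MAX_LEN = 15        # the new limit described in the story
MIN_LEN = 6
ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def legacy_enroll(password: str) -> dict:
    """The old site's behaviour: truncate to 8 characters *before* the length
    check, so a 12-character password passes as an 8-character one and only
    those 8 characters are ever hashed."""
    kept = password[:LEGACY_MAX_LEN]
    if not MIN_LEN <= len(kept) <= LEGACY_MAX_LEN:
        raise ValueError("password must be 6 to 8 characters")
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(kept, salt),
            "scheme": "legacy8", "must_change": False}


def naive_verify(record: dict, password: str) -> bool:
    """The upgrade as deployed: hash the full input (now up to 15 chars) and
    compare. Anyone whose stored hash covers only 8 characters is locked out."""
    if not MIN_LEN <= len(password) <= NEW_MAX_LEN:
        return False
    return hmac.compare_digest(record["hash"], _hash(password, record["salt"]))


def migrating_verify(record: dict, password: str) -> bool:
    """Migration-aware check. Try the full password first; for legacy records
    also try the 8-character prefix the old site actually hashed. A legacy
    match is NOT rehashed with the supplied string (a caller who knows only
    the prefix could otherwise overwrite the real owner's password); instead
    the account is flagged so the next step is a forced password change."""
    if not MIN_LEN <= len(password) <= NEW_MAX_LEN:
        return False
    salt = record["salt"]
    if hmac.compare_digest(record["hash"], _hash(password, salt)):
        return True
    if record["scheme"] == "legacy8" and len(password) > LEGACY_MAX_LEN:
        if hmac.compare_digest(record["hash"], _hash(password[:LEGACY_MAX_LEN], salt)):
            record["must_change"] = True
            return True
    return False


def change_password(record: dict, new_password: str) -> None:
    """Store the full password under the new scheme and clear the flag."""
    if not MIN_LEN <= len(new_password) <= NEW_MAX_LEN:
        raise ValueError("password must be 6 to 15 characters")
    salt = os.urandom(16)
    record.update(salt=salt, hash=_hash(new_password, salt),
                  scheme="full15", must_change=False)


def walkthrough(full_password: str = "Tr0ub4dor&3x") -> dict:
    """Replay the story with a constructed 12-character password: enrol on
    the old site, fail on the new one, log in with the 8-character prefix,
    then recover through the migration path. Returns each outcome."""
    rec = legacy_enroll(full_password)
    prefix = full_password[:LEGACY_MAX_LEN]
    out = {
        "upgrade_rejects_full": not naive_verify(rec, full_password),
        "upgrade_accepts_prefix": naive_verify(rec, prefix),   # the rep's workaround
        "migration_accepts_full": migrating_verify(rec, full_password),
        "flagged_for_change": rec["must_change"],
    }
    change_password(rec, full_password)
    out["full_works_after_change"] = naive_verify(rec, full_password)
    out["prefix_rejected_after_change"] = not naive_verify(rec, prefix)
    return out


if __name__ == "__main__":
    for step, ok in walkthrough().items():
        print(f"{step:30s} {ok}")
```

Two points for anyone doing such a migration: the legacy prefix must remain accepted only until the password is changed, because the prefix-only window is exactly as weak as the old system was, and the length limit should be enforced on the input that is actually hashed. Modern password hashes have limits of their own (bcrypt, for instance, uses only the first 72 bytes), so a length check after hashing still catches nothing.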
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com