DAVID RICE

Software Developer

Halifax Verified by Visa, Just F*** Off

25 Aug 2007

One thing that REALLY annoys me about shopping online is that little Verified by Visa logo; whenever I see it I cringe, cause I know I’ll have to reset my password in a couple of clicks’ time.

It pisses me off cause there is no choice in the matter: if you have a VISA card this is automatic. Also, because of the way the HTML is constructed, Safari’s password keychain doesn’t know to store it, so I have to re-enter it every time I come to one of these checkouts.

Now, this wouldn’t normally be a problem. But a company apparently SO conscious about security that it uses the Verified by Visa system has decided on a really idiotic move and excluded non-alphanumeric characters from the password you are allowed to enter. So just to break it down, here is the maximum number of permutations required to guess a password (the up caret represents “to the power of”):

  • Allowing any ASCII character in the password = MAX LENGTH ^ 128
  • Allowing only alphanumeric characters = MAX LENGTH ^ 36 (26 letters + 10 numbers)

Okay, so that’s not actually true, cause you would need to sum the guesses for each permutation at each password length, just like the following few lines of Ruby do.

MAX_LENGTH = 32
(0..MAX_LENGTH).inject{ |sum,n| sum+n**128 }  # any ASCII character, summed over lengths 0..32
(0..MAX_LENGTH).inject{ |sum,n| sum+n**36 }   # alphanumeric only, summed over lengths 0..32

So, as you can see, the Halifax way of doing things is kinda NOT as secure.
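As an added example that is not part of the original post, here is a Ruby version that counts the keyspace the standard way: the number of strings of exactly n characters drawn from a k-symbol alphabet is k**n, so the total for passwords up to a given length is the sum of k**n over each allowed length, using the post’s own alphabet sizes of 128 and 36. It goes a little beyond the post by converting the totals to bits and working out how much longer an alphanumeric-only password has to be to match one drawn from the full character set; the function names are assumptions.

```ruby
# Added example (not the original post's code). The number of strings of
# exactly n characters from an alphabet of k symbols is k**n, so the number
# of passwords up to max_len characters is the sum of k**n over each length.
# Alphabet sizes are the post's figures (128 ASCII codes, 36 case-insensitive
# alphanumerics); the function names below are assumptions.

# Total number of distinct passwords of length min_len..max_len over k symbols.
def keyspace(k, max_len, min_len = 1)
  (min_len..max_len).sum { |n| k**n }
end

# Equivalent strength in bits: log2 of the keyspace size.
def keyspace_bits(k, max_len, min_len = 1)
  Math.log2(keyspace(k, max_len, min_len))
end

# Shortest fixed length over a k_to-symbol alphabet whose keyspace is at
# least as large as a len-character password over k_from symbols.
def equivalent_length(k_from, len, k_to)
  target = k_from**len
  n = 1
  n += 1 while k_to**n < target
  n
end

ALPHABETS = {
  "any ASCII code (post's figure)" => 128,
  "alphanumeric, case-insensitive" => 36,
}

if __FILE__ == $0
  max_len = 32
  ALPHABETS.each do |name, k|
    printf("%-32s %6.1f bits for up to %d chars\n",
           name, keyspace_bits(k, max_len), max_len)
  end
  # How much longer an alphanumeric-only password must be to match an
  # 8-character password drawn from all 128 ASCII codes.
  puts equivalent_length(128, 8, 36)  # 11
end
```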

So, being security minded, any of the potential passwords I would usually choose always have a couple of extra characters in there to increase their strength. However, I have to make exceptions for Halifax. This leads to forgetting the password and having to RESET EVERY TIME! So annoying.

But this leads me to the question: if they are doing something as stupid as this, are they also storing my password in clear text?

I’d like to see Halifax either:

  1. Sort out the usability so it works with password keychains; these are secure things, don’t you know
  2. Don’t be stupid, and change your restriction on password formats
  3. Or just F*** off, please k? thx.