The blog of freelance Designer & Developer, David Rice.
25 Aug 2007
One thing that REALLY annoys me about shopping online is that little Verified by Visa logo; whenever I see it I cringe because I know I’ll have to reset my password in a couple of clicks’ time.
It pisses me off because there is no choice in the matter: if you have a VISA card this is automatic. Also, because of the way the HTML is constructed, Safari’s password keychain functionality doesn’t know to store it, so I have to re-enter it every time I come to one of these checkouts.
Now, this wouldn’t normally be a problem. But for a company apparently SO conscious about security that it uses the Verified by Visa system, they have made a really idiotic move and excluded non-alphanumeric characters from the passwords you are allowed to enter. So just to break it down, here is the number of candidate passwords an attacker would have to try, in the worst case, to guess one (the caret represents “to the power of”):
- Allowing any ASCII character in the password = 128 ^ MAX LENGTH
- Allowing only alphanumeric characters = 36 ^ MAX LENGTH (26 letters + 10 digits)
Okay, so that’s not actually true, because you need to sum the guesses for each possible password length, just as the following few lines of Ruby do.
MAX_LENGTH = 32
# total candidates: the sum, over every length up to the maximum, of (alphabet size) ** length
any_ascii    = (0..MAX_LENGTH).inject(0) { |sum, n| sum + 128**n } # any ASCII character
alphanumeric = (0..MAX_LENGTH).inject(0) { |sum, n| sum + 36**n }  # alphanumeric only
puts any_ascii, alphanumeric
So as you can see, the Halifax way of doing things is kinda NOT as secure.
So, being security minded, any of the potential passwords I would usually choose always have a couple of extra characters in there to increase their strength. However, I have to make exceptions for Halifax. This leads to forgetting the password and having to RESET EVERY TIME! So annoying.
But this leads me to the question: if they are doing something as stupid as this, are they also storing my password in clear text?
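To put numbers on the comparison above, here is an added example (my own illustration, not code from the original post) that works out the size of the password search space for several character sets, not just the two in the post, and expresses each as an equivalent key length in bits. The alphabet sizes are standard counts (10 digits, 36 lower-case alphanumerics, 62 mixed-case alphanumerics, 95 printable ASCII characters, 128 ASCII bytes); the empty password is left out of the sum since no form accepts it.

```ruby
# Added example: size of the password search space for several character
# sets, summed over every length from 1 up to a maximum, plus the equivalent
# strength in bits (log2 of the number of candidates).
CHARSETS = {
  "digits only"               => 10,
  "alphanumeric (a-z0-9)"     => 36,
  "alphanumeric, both cases"  => 62,
  "printable ASCII"           => 95,
  "any ASCII byte"            => 128,
}

# Number of distinct passwords of length 1..max_len drawn from an alphabet of
# `alphabet` symbols: alphabet^1 + alphabet^2 + ... + alphabet^max_len.
def search_space(alphabet, max_len)
  (1..max_len).sum { |n| alphabet**n }
end

# Closed form of the same geometric series, used as a cross-check.
def search_space_closed(alphabet, max_len)
  (alphabet**(max_len + 1) - alphabet) / (alphabet - 1)
end

# Strength in bits: the key length a brute-force attacker effectively faces.
def bits(alphabet, max_len)
  Math.log2(search_space(alphabet, max_len))
end

# How many times larger the full-ASCII space is than the alphanumeric one.
def ratio(max_len)
  search_space(128, max_len) / search_space(36, max_len)
end

if __FILE__ == $0
  [8, 12, 32].each do |len|
    puts "max length #{len}:"
    CHARSETS.each do |name, size|
      printf "  %-26s %6.1f bits (%d candidates)\n", name, bits(size, len), search_space(size, len)
    end
  end
  puts "ASCII / alphanumeric ratio at length 32: #{ratio(32)}"
end
```

The bits column is the useful one: a policy that strips symbols does not just shrink the count, it lowers the per-character entropy from about 7 bits to about 5.2, so every character the user types is worth less.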
I’d like to see Halifax either:
- Sort out the usability so it works with password keychains; these are secure things, don’t you know
- Don’t be stupid, and change your restriction on password formats
- Or just F*** off, please k? thx.