Repository of web services enforcing bad password policy along with emails sent to their Chief Privacy Officers (CPOs) and their responses. Feel free to grab one of these emails and re-send them to put more pressure on these companies to switch to a decent password scheme, or write a new email to a web service not in this list and create a pull request. You can use one of the given templates.
- Is there a limit to the character count of a password?
- Is it prohibited to use any class of characters (lowercase letters, uppercase letters, numbers, symbols)?
- Is the minimum length of a password below 8 characters?
- If a plain-text password is mailed to you, are you forced to change it after your first login (one-time password)?
Opinions vary, especially when it comes to enforcing minimum standards. It is understandable to a certain degree when companies allow their users to choose simple passwords they can remember. It is, however, completely incomprehensible to impose limits on the character classes or on the number of characters a password may contain. Hence, this is what I consider a "decent" password scheme:
- 8 characters at minimum
- At least one out of each of the four character classes (lowercase letters, uppercase letters, numbers, symbols)
- 128 characters at maximum (or the length limit of the hash function used)
- No character-class restriction (especially no restriction on symbols such as the "NIST 10 common", i.e. the symbols produced on a US keyboard by holding Shift and pressing the keys 0 through 9)
Additionally, I expect web services to take the following measures when storing and handling passwords (a nice guide can be found under [2]):
- Hash them using a dedicated, up-to-date password hashing function (e.g. bcrypt, Argon2, scrypt, or PBKDF2), not a fast general-purpose hash such as MD5 or SHA-1
- Use unique salts per password with appropriate lengths for the hash algorithm in use (e.g. at least 64 bits for PBKDF2)
- Use one-time password-reset links instead of plain one-time passwords sent via email when users use the password-reset function.
- Use TLS with up-to-date parameters to secure all login- and session-related tasks on their website.
- Do not prevent users from using copy/paste in password fields. This makes using a password manager with reasonably long and secure passwords a pain.
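As an added example (not code from this repository), here is how the "decent" scheme above and the salted-hashing recommendation translate into Python: a policy check that imposes the minimum and maximum length and the four-class rule but prohibits no characters, and a storage routine with a fresh random salt per password. The choice of PBKDF2-HMAC-SHA256, the 16-byte salt and the iteration count are my assumptions, not the repository's.

```python
import hashlib
import hmac
import os
import string

# The four character classes the "decent" scheme expects to be present.
# Any other character (space, non-ASCII) is still accepted; it simply does
# not count towards a class.
CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numbers": set(string.digits),
    "symbols": set(string.punctuation),  # includes the NIST 10 common: !@#$%^&*()
}
MIN_LENGTH = 8
MAX_LENGTH = 128  # or the length limit of the hashing scheme in use


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    present = set(password)
    for name, members in CLASSES.items():
        if not present & members:
            problems.append(f"no {name}")
    return problems


# Storage side (assumed parameters): PBKDF2-HMAC-SHA256 with a random salt
# per password. 16 bytes = 128 bits, above the 64-bit minimum given above.
SALT_BYTES = 16
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a new salt is drawn when none is supplied."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)
```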
I recently switched to using a password manager. Upon renewing all my passwords to 64-character random strings I realized how many of the web services I used for years have really bad password policies. After contacting a few of them via Twitter, I realized that many lack the willingness to do something about this. I hope that this repository will motivate more people to create and send complaint letters so as to get more and more companies to rethink their habits.
You can always pick one of these web services that you also use, take the email template and send it to their CPO. If you get a response that differs from the one I get, feel free to let me know, or create a pull request with up-to-date information. That also applies to services reworking their password policies without me noticing.
You can also take one of the generic mail templates, adapt it to a service you use that isn't listed here, send it, and create a pull request so other people may benefit from your ready-written email.