22-09-2020, 15:41   #1
p to the e
Registered User
 
 
Join Date: Mar 2007
Posts: 2,006
Eir: Password must be between 6-10 characters

Maybe this is more of a web development thing. I'm trying to figure out the reasoning behind this. The only thing I can think of is it is something they inherited from Meteor and are reluctant to update. I haven't logged into my eir account in ages so I tried to reset my password and got a notice that "Password must have at least 1 letter, 1 number and length must be between 6 - 10 characters". See image attached.
Attached Images
File Type: png 2020-09-22 15_39_21-Enter new password.png (13.6 KB, 42 views)
22-09-2020, 15:51   #2
denartha
Registered User
 
Join Date: Nov 2010
Posts: 7,778
What are you asking exactly?
22-09-2020, 15:52   #3
p to the e
Registered User
 
 
Join Date: Mar 2007
Posts: 2,006
Sorry. Is there a reason the number of characters is limited to between 6 and 10?
22-09-2020, 18:03   #4
denartha
Registered User
 
Join Date: Nov 2010
Posts: 7,778
Quote:
Originally Posted by p to the e View Post
Sorry. Is there a reason the number of characters is limited to between 6 and 10?
OK. Short answer is I don't know. Perhaps due to some legacy system or hardware they are using. I did a Pen Test for them a few years ago and they were still using MD5 hashes, which are no longer considered secure.
03-11-2020, 01:32   #5
sheepsh4gger
Registered User
 
 
Join Date: Nov 2019
Posts: 622
Quote:
Originally Posted by p to the e View Post
Maybe this is more of a web development thing. I'm trying to figure out the reasoning behind this. The only thing I can think of is it is something they inherited from Meteor and are reluctant to update. I haven't logged into my eir account in ages so I tried to reset my password and got a notice that "Password must have at least 1 letter, 1 number and length must be between 6 - 10 characters". See image attached.

I think 6 characters is a bad idea; it could be brute-forced. I would make it at least 12 characters.
03-11-2020, 01:34   #6
 
Join Date: Sep 2019
Posts: 1,773
Quote:
Originally Posted by denartha View Post
OK. Short answer is I don't know. Perhaps due to some legacy system or hardware they are using. I did a Pen Test for them a few years ago and they were still using MD5 hashes, which are no longer considered secure.
I’m sure you also signed an NDA before you were allowed to carry out this pen test.
Nikolai Tangy Housewife is offline  
26-11-2020, 20:17   #7
nullObjects
Registered User
 
 
Join Date: Dec 2016
Posts: 824
Quote:
Originally Posted by p to the e View Post
Sorry. Is there a reason the number of characters is limited to between 6 and 10?
I'd guess it's possibly either a business reason, that they don't want customers setting passwords they think are too complex and they will have to talk to support to reset them, or else a constraint on the max number of characters that they either don't want to or are not able to easily update.
02-12-2020, 20:41   #8
denartha
Registered User
 
Join Date: Nov 2010
Posts: 7,778
Quote:
Originally Posted by Nikolai Tangy Housewife View Post
I’m sure you also signed an NDA before you were allowed to carry out this pen test.
Yes but it was over 5 years ago so no longer valid.