UPS supplier's password policy flip-flops from unlimited, to 32, then 64 characters
- Reference: 1727092866
- News link: https://www.theregister.co.uk/2024/09/23/cyberpower_password_changes/
- Source link:
CyberPower Systems, which sells uninterruptible power supplies (UPS) and surge protectors, confirmed to The Register that following pushback from customers, the character limit will remain but instead be doubled from 32 to 64.
The change was observed by customer Cabel Sasser, co-founder at Mac app dev Panic, and later shared online, where infosec pros scrutinized and questioned the reason for the finding.
[1]
Sasser said he recently discovered that he could no longer authenticate into CyberPower's PowerPanel Cloud iOS app using his account's usual 35-character password. The app monitors customers' UPS data, battery backups, and other related tasks. Confused, he asked for a reason from the company's technical support team.
[2]
[3]
"I emailed support and, well – I'll be haunted by that sentence for a while," he [4]wrote .
The team said: "Due to the recent security patch updates, the length limitation of the password has been set to 32 characters."
[5]
Asked who or what was behind one of the more ironic security updates in recent memory, CyberPower said it was a recommendation made by a third-party security auditor. The update is being tweaked, but it will take a few weeks before it's fully rolled out.
"We recently submitted the PowerPanel Cloud App for a security test to a third party as part of our ongoing security due diligence," the company said. "The third party recommended a limit on character length of the password, we previously did not have one.
"Based on customer feedback, we will be changing the password limit to 64 characters. This will take approximately two weeks to implement but has been made a priority by our software team."
[6]
What's less clear is why some passwords that were longer than 32 characters continued to work for some customers. It led some onlookers to ask whether passwords were simply being truncated, an idea CyberPower quickly put to bed.
It denied truncating passwords after the security update. The vendor also denied speculations by folks discussing Sasser's finding who wondered whether passwords were perhaps being stored in plain text.
CyberPower told The Register that the 32-character limit was "most likely" introduced on new passwords after the update, although this was still in the process of being confirmed internally last week and we have yet to receive an update.
Imposing a character limit on a password when there previously was none may seem like a counterintuitive move at first glance. However, more characters don't always translate to fewer problems.
There's no denying that a 128-character password is more secure and less easily brute-forcible than a 32-character equivalent. In terms of crackability, simply put, more characters equal better security.
The guidelines from the [7]National Institute of Standards and Technology (NIST) recommend 64 characters as an upper limit and, contrary to what many platforms require now, they don't encourage users to select special characters.
[8]Move over, Cobalt Strike. Splinter's the new post-exploit menace in town
[9]Apple's latest macOS release is breaking security software, network connections
[10]US indicts two over socially engineered $230M+ crypto heist
[11]Ivanti patches exploited admin command execution flaw
NIST didn't go into detail on why a 64-character limit is recommended. OWASP, however, which also champions at least 64 characters, said limits must be sufficiently large to allow for passphrases to be used.
OWASP also cites limitations with some password hashing algorithms in some freak scenarios where a user chooses a password with 1 million or more characters. This may cause some servers to experience denial of service due to resources spent on the hashing process.
The guidance from national cyber agencies on passwords is relatively unified. The UK's National Cyber Security Centre (NCSC) still recommends the [12]three-random-words strategy for creating passwords, but at the same time encourages organizations to rely on them as little as possible. Using [13]multi-factor authentication (MFA) and single sign-on (SSO) solutions are both strongly encouraged.
Crucially, though, it explicitly discourages imposing an artificial cap on password length and, like NIST, doesn't condone complexity requirements.
The US's [14]Cybersecurity and Infrastructure Security Agency (CISA) takes a similar stance. It recommends a minimum length of 16 characters and likewise does not believe in upper length limits.
"At least 16 characters – longer is stronger," reads its guidance page.
CISA also recommends using a different password for every account, and using either a mix of unrelated words and phrases or a random string of characters – lowercase and uppercase letters, numbers, and symbols are all welcome. And using [15]default credentials ? Don't get them started. ®
Get our [16]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZvGQpLA7mVza7KZjFwjEZQAAApU&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvGQpLA7mVza7KZjFwjEZQAAApU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvGQpLA7mVza7KZjFwjEZQAAApU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://social.panic.com/@cabel/113149315844368461
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZvGQpLA7mVza7KZjFwjEZQAAApU&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/front&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZvGQpLA7mVza7KZjFwjEZQAAApU&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[7] https://www.theregister.com/2024/06/03/nist_cve_backlog/
[8] https://www.theregister.com/2024/09/23/splinter_red_team_tool/
[9] https://www.theregister.com/2024/09/23/security_in_brief/
[10] https://www.theregister.com/2024/09/20/us_indicts_two_over_socially/
[11] https://www.theregister.com/2024/09/20/patch_up_ivanti_fixes_exploited/
[12] https://www.theregister.com/2021/04/09/ncsc_secure_passwords_three_words_advice/
[13] https://www.theregister.com/2024/09/16/snowflake_mfa_default/
[14] https://www.theregister.com/2024/09/20/cisa_sloppy_vendors_cybercrime_villains/
[15] https://www.theregister.com/2023/10/06/cisa_top_10_misconfigurations/
[16] https://whitepapers.theregister.com/
There's nothing like...
... warning clients in good time to limit their passwords, before you roll the limit out.
...
And that was nothing like warning clients in good time...
>BOOM!< >BOOM!<
Virgin is 10
Our virgin is a 10 character password, which annoys the misses as the "standard" for things like this is 11. Try adding that 11th character when typing in the password and it it will no match. Not tried recently to see if their password reet can now take more than 10 characters or not
Schrodinger's password
You don't know how long the limit is until you try.
contrary to what many platforms require now, they don't encourage users to select special characters
The moment you have to have weird characters, people are going to write the password down so they know what's the at, what's the six, what's the exclamation mark, etc etc.
Re:"Titles Too Long" .......they don't encourage users to select special characters
Welcome to our new system & I did have a client ask me during the migration "What's the exclamation mark?".
Staff are already printing barcode labels (In some cases that's justified with having to sign into RF barcode guns).
Re: contrary to what many platforms require now....
Writing the password down is, in most cases, a good thing - better than just using "Password123!" everywhere
If N. Korean hackers can read the post-it note on my monitor - I have bigger problems than 32 or 64 char limits
I'd argue that a bit of paper stuffed in the back of my phone case is more secure than the Super-secure-corporate-approved authenticator app - that is one buffer overflow form being available to every other Android app in the Play Store, or my bank that quaintly thinks a text message is somehow secure.
Do they know of what they speak?
My guess is that the password is hashed in some form using SHA256, which produces a 32 byte output. My guess is that someone therefore thinks that inputting more than 32 characters results in a reduction of entropy, and should be avoided. This is wrong because the input characters don't have 8 bits of entropy each, 2 bits would be typical for english words, 3 or 4 if you make an effort with funny characters and random upper/lower case. Hashing a 48 character password will very likely increase the entropy, despite the apparent reduction in length.
I think 256 characters would be a sensible maximum.
Re: Do they know of what they speak?
>My guess is that someone therefore thinks that inputting more than 32 characters results in a reduction of entropy, and should be avoided. T
Unlikely given the high professional standards and deep knowledge of cryptographic fundamentals throughout the software industry - especially among web developers
The worst password thing I ever encountered was where the password field on the form where you register allows longer passwords than the login form. Now you can't log in because you run out of space. The other worst password thing I ever encountered is on one of our servers: the rules for allowable passwords are recorded in a set of encyclopedias. You have a better chance of winning the lottery three times in a row than generating an acceptable password. There's also a good 100% chance of locking your account while constructing a password. I've resorted to the unsafe practice of just replacing characters in the old password with similar ones (e.g. @!A-1934(*&gerqpwidaskl becomes #@B+2045)&hfs......)
I had a security question form want the name of my home town, then reject the answer because it was 5 letters, and the lower limit was 8.
I then tried "New York" and it rejected it because it had a space.
The facepalm icon is richly deserved here.
>I then tried "New York" and it rejected it because it had a space.
One of the least obvious reasons to reject New York
My “favourite” is the iterative error messages, with no information that covers all requirements. (Thankfully I haven’t seen it for a while.)
1st attempt: too short
2nd attempt: you need both lower- and uppercase letters
3rd attempt: you need a special character
4th attempt ‘/‘ is not permitted.
Etc etc
The icing on the cake is when you have to do a puzzle captcha puzzle for each iteration
Name and shame the 3rd party "experts".
"The third party recommended a limit on character length of the password, we previously did not have one."
So the big question is, who is that third party?
Re: Name and shame the 3rd party "experts".
And who invited people like that to the party ?
CyberPower
Aren't they the cheapest of the cheap crap? I know I avoid them, basically because I avoid anything with "cyber" in it.
Re: CyberPower
I appreciate a company named by a 13year old boy in the 80s
Back in the day we had proper computer company names "Super Massive International Electrical Data General Computers", not having everything named after a squishy fruit or some unpronounceable bunch of vowels
WTF - Password length limits?
The only limits I can see that make sense are limits to prevent a Denial of Service attack, like allowing up to 256 characters to mitigate a denial of service attack on bcrypt for example. How did anyone think that 32 characters is the correct answer? That couldn't even hold a passphrase like "The village idiot could think of a better password length limit."
Re: WTF - Password length limits?
I continue to wonder about this. Unless you're storing passwords in clear text, is there any reason for a limit on password length? (Aside from the one mentioned in the Fine Article : submitting a gigabyte-long password to deny service while the server hashes said password.)
The above is an honest question, by the way. I asked it in these fora quite a while back, got downvotes, but no actual answer. My assumption has always been that any site with a low password limit and limitations on special characters is storing the password as plain text. Which is a rather scary fraction of sites.
Also : has anyone but a third party ever messed up security?
What?
I can't use an easy-to-remember but hard-to-guess pass phrase like KeirStarmerIsTheBestPrimeMinisterTheUkHasEverHad?
Reminds me of the time I was at uni and we were given the password to a shared account (yes, really).
We were told the password was Aardvark.
Turns out it was Aardvark spelt incorrectly (as Aardvaak). Certainly kept us out (and in the pub).
Re: What?
>Turns out it was Aardvark spelt incorrectly (as Aardvaak). Certainly kept us out (and in the pub).
So in that case, Aardvark never hurt anyone ?
Ironically, if they stored bcrypt (https://en.wikipedia.org/wiki/Bcrypt) or something similar, they might get a password length limit -- but certainly not have any further limitations.