Monday, June 13, 2011

Password Activism, Part II

I have received a response from my medical representatives regarding password security, and am pleasantly surprised by the response rate.

Thank you for your feedback, and as it appears you already know it is industry standard to store a hash value of the password. I assure you that your password is not in fact stored as is in our database, it is stored by some type of hash value. I am not entirely sure by which standard our software vendor encrypts this data, but it is protected. If you lose your password our standard procedure is to have you reset it, because we are unable to retrieve your old password information from our database. If you have any further questions or concerns please do not hesitate to contact us.
Grammatical errors aside, there is an assertion that a hash is used in password authentication. If that's the case, then why enforce an upper character limit on the passwords? The nice thing about a cryptographic hash is that, by design, it reduces an arbitrary-length input to a fixed-size, one-way digest that can be stored for purposes of authentication, so the length of the password has no bearing on the size of what ends up in the database.
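To make the point concrete, here is an added example (not code from the original post or from the vendor in question) of a salted password-hashing routine in Python's standard library. It uses PBKDF2-HMAC-SHA256 purely because that ships with Python; the iteration count, salt size and record format are assumptions of this example. A 13-character password and a 232-character password both produce a 32-byte digest, and verification works on the full input, so an upper length limit buys the storage side nothing.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters of this example (assumed, not taken from any vendor's system).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # illustrative work factor
SALT_BYTES = 16
DIGEST_BYTES = 32      # SHA-256 output size: fixed, whatever the password length


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record of the form algorithm$iterations$salt_hex$digest_hex.

    The whole password is fed to the KDF; there is no truncation or cap,
    because the KDF always reduces its input to DIGEST_BYTES bytes.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never authenticate against it
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=DIGEST_BYTES
    )
    return hmac.compare_digest(candidate, expected)


def stored_digest_size(stored: str) -> int:
    """Size in bytes of the digest portion of a stored record."""
    return len(bytes.fromhex(stored.split("$")[-1]))


if __name__ == "__main__":
    # Constructed sample passwords: one short, one far past a 15-character cap.
    short_pw = "correct horse"
    long_pw = "correct horse battery staple " * 8
    for pw in (short_pw, long_pw):
        record = hash_password(pw)
        print(
            f"{len(pw):3d}-char password -> {stored_digest_size(record)}-byte digest; "
            f"verifies: {verify_password(pw, record)}"
        )
```

One caveat a practitioner should keep in mind: a few password hashes do impose an input cap of their own (bcrypt, for instance, processes only the first 72 bytes), which is why deployments using them typically pre-hash long inputs; constructions built on PBKDF2 or SHA-2, as above, have no such cap, and in neither case does a 15-character limit at the web form follow from the hashing.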

Let's just say that if the third-party vendor that performed this implementation knows this and enforced such a limit anyway, I hope that a fourth party was responsible for implementing the encryption practices for the actual medical records! :P

Given the invitation to reply, here's what I fired back:
Thank you for your prompt reply.

In light of your assertion that a password-derived hash is what is used for purposes of authentication, I have a website enhancement request that I would appreciate you forwarding to the appropriate technical or vendor representative.

In particular, please remove the upper limit on password length that is presently enforced at 15 characters. (The minimum password length requirement remains a good idea.) This should not pose any technical burden, as a cryptographic hash function, by design, can take an arbitrarily long input and produce a fixed-size, obfuscated output that is suitable for storage in the authentication database.

Such an improvement would significantly enhance the overall strength of the website's password system, and bring it in line with practices used at financial institutions.

Thank you once again for your responses. I appreciate your assistance in forwarding this suggestion to the appropriate representatives, and would appreciate a response should action be taken to address it.
Hopefully the message can go up the chain and fall on the right person's desk.
