Maximum Password Length Is Too Low and Concerning

cybersecurity
information-security

#1

The website appears to have a very small maximum password length.

This typically indicates that the password is stored somewhere, either in encrypted form or in plain text. Neither of these options represent best practices.

The best practices for the past few years has been to store a salted password hash, rather than the password itself. This allows passwords of arbitrary length (though commonly restricted to a sane length - usually in the order of 100 characters). Commonly these passwords are actually passphrases.

There is also authentication schemes like OpenID that may be a better alternative that rolling our own.


#2

Hello,

Thank you for your inquiry and suggestions.

FIX has recently implemented a commercial Single Sign-on service for access to the web site and related applications. Passwords are indeed salted and hashed.

As part of our review of the General Data Protection Requirements (GDPR) which must be implemented this Spring, we will be considering the minimum password length and anticipate there may be related changes to our password policy.

Regards,
FIX Program Office