What They've Done Wrong
PayPal do a lot to argue that their system is secure; however, their outward-facing practices don't necessarily live up to their own hype. If they can't make a security-conscious user feel secure about their password policy, how do you think that user feels about PayPal holding their EMV card details?
Let's look at the problems with their passwords.
Minimum Length
PayPal's minimum length is too low at 8 characters. This gives the minimal password an entropy of approximately 38 bits. Most folks can brute-force that on their phone these days. Even DES thought that 56 bits was good enough in '77. Times have changed (no, they haven't gone backwards!)
Maximum Length
They enforce a maximum length, and it is too low (why does one exist at all?): 20 characters. This caps the entropy of any password at around 132 bits. I like to make my passwords around 256 bits. It's 2013; let me make a passphrase that's more than 20 characters, it's not that big of a performance hit!
No Copy Paste
In my opinion, this is a huge sin. As a person who uses a password manager, I use an application to generate a very long (~257 bits of entropy), very random password. I then copy and paste this password (having never seen it) into the password field.
This allows me to easily avoid re-using passwords across multiple sites, and ensures that I always pick a strong password.
Allowing Bad Passwords
PayPal does not check (not even client-side!) whether the password you have typed is a known bad password. In fact, it allows 'password' and '12345678' as passwords. Yes, it labels these as "weak", but it doesn't prevent you from using them.
Dense Strength Checker
The strength checker offers a false sense of security. I can make it claim an 8 character password is strong. It simply is not! Even the best 8 character password has at most 53 bits of entropy.
What They Should be Doing
- Minimum length: 12 chars
- No Maximum Length
- Allow Copy/Paste for users who use password managers (such as myself)
- Check passwords client-side against a list of really bad passwords and warn the user, as Dropbox does.
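The four recommendations above as one client-side check, added here as an example (it is not PayPal's or Dropbox's code). The blocklist is a constructed sample, and the entropy estimate is the post's own: length times log2 of the character pool.

```javascript
// Added example: a password check of the kind the post recommends.
// Constructed sample, not PayPal's or Dropbox's code.
const MIN_LENGTH = 12;                  // the post's recommended minimum; no maximum is enforced

// Constructed sample of a known-bad list; a real deployment would ship a far longer one.
const BAD_PASSWORDS = new Set(['password', '12345678', 'qwerty123456', 'passwordpassword']);

// Entropy estimate as in the post: length * log2(size of the character pool used).
// Pool sizes: 26 lower, 26 upper, 10 digits, 33 other printable ASCII (95 total).
function entropyBits(password) {
  let pool = 0;
  if (/[a-z]/.test(password)) pool += 26;
  if (/[A-Z]/.test(password)) pool += 26;
  if (/[0-9]/.test(password)) pool += 10;
  if (/[^a-zA-Z0-9]/.test(password)) pool += 33;
  return pool === 0 ? 0 : password.length * Math.log2(pool);
}

// Returns { ok, bits, problems }; bits is rounded to one decimal for display.
function checkPassword(password) {
  const problems = [];
  if (password.length < MIN_LENGTH) {
    problems.push(`shorter than ${MIN_LENGTH} characters`);
  }
  if (BAD_PASSWORDS.has(password.toLowerCase())) {
    problems.push('on the known-bad list');
  }
  // Deliberately no maximum-length rule: a long passphrase is always accepted here.
  const bits = Math.round(entropyBits(password) * 10) / 10;
  return { ok: problems.length === 0, bits, problems };
}

// Stand-alone demo: the post's examples next to a long passphrase.
for (const pw of ['password', '12345678', 'aA1!aA1!', 'correct horse battery staple zebra']) {
  const r = checkPassword(pw);
  console.log(`${JSON.stringify(pw)}: ok=${r.ok} bits=${r.bits} ${r.problems.join('; ')}`);
}
```

The 8 character samples show the two figures from the post: 'password' lands at 37.6 bits and the best-case 'aA1!aA1!' at 52.6, so both fail the length rule regardless of how "strong" a meter rates them.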
How To Deal With This
You (unfortunately) have only two options:
- Complain to PayPal. I already have, and I'll post the follow-up.
- Leave PayPal.
If PayPal don't correct these simple issues, I will most likely be leaving PayPal, as I do not trust them with my details if they can't manage passwords correctly.