The (presumably) secure Verified by Visa payment authentication system developed by Visa forces users to select weak passwords:
- it forces the user to select passwords of no more than 8 and no fewer than 6 characters, and
- it prevents the use of any special characters (!@#$...); only alphanumeric characters are allowed.
This password space is so small that, if it were used on a Windows machine, it would take less than 2.5 hours to bruteforce with oclHashcat on a 4 x HD 5970 machine. (Windows uses NTLM to hash passwords, which oclHashcat bruteforces at 6.194 billion per second on a single 5970: (62**8 + 62**7 + 62**6) / (4*6194e6) / 3600 = 2.49 hours.)
Visa's password hashes (assuming they hash them, and with something more secure than NTLM!) are not available to attackers, but they have zero reason to enforce such a small password space:
- technically this violates section 8.5.10 of the PCI DSS (Payment Card Industry Data Security Standard): "minimum password length of at least seven characters",
- the hashes could get stolen, as happened to Hotmail, MySpace, Facebook, Gawker, etc., and could then be bruteforced easily, and
- it certainly unteaches the strong password selection methodologies that we, IT Security Professionals, have been painfully trying to explain to users since passwords were invented.
Why does one of the world's first financial services companies get security wrong? The most ironic part is that a few months ago they made the exact opposite mistake: Visa was enforcing password requirements that were overly complex. The right solution is obviously the middle ground: require passwords of at least 7 characters in length to comply with PCI DSS, and allow users to choose very complex passwords if they want to. If I want to type a fully random 128-character password, you should let me do so.
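The keyspace arithmetic from the oclHashcat estimate above, and the comparison with the "at least 7 characters, specials allowed" policy proposed here, as an added example that is not part of the original post. The 62-symbol alphabet and the 4 x 6.194 billion guesses/second NTLM rate are the post's own figures; the 94-symbol alphabet (`string.punctuation` added) and the 12-character cap used to keep the "middle ground" sum finite are assumptions made for the illustration.

```python
import string

# Alphabets. The 62-symbol set is the post's "alphanumeric only" rule; the
# 94-symbol set adds string.punctuation and is an assumption standing in for
# "any special character", since the post does not list the exact set.
ALNUM = string.ascii_letters + string.digits
ALNUM_SPECIAL = ALNUM + string.punctuation

# Guess rate quoted in the post: oclHashcat vs NTLM, 6.194e9/s per HD 5970, four cards.
GUESSES_PER_SECOND = 4 * 6.194e9


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Count distinct passwords of every length from min_len to max_len inclusive."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("min_len must be >= 1 and <= max_len")
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def hours_to_exhaust(space: int, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case wall-clock hours to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / 3600.0


def compare_policies(guesses_per_second: float = GUESSES_PER_SECOND) -> dict:
    """Keyspace and exhaustive-search time for the policies discussed in the post.

    The "middle ground" row caps length at 12 only so the sum is finite (an
    assumption); the post's proposal has no upper bound, so its real keyspace
    is larger still.
    """
    policies = {
        "Visa: 6-8 chars, alphanumeric only": (len(ALNUM), 6, 8),
        "Weakest PCI-compliant: 7 chars, alphanumeric": (len(ALNUM), 7, 7),
        "Middle ground: 7-12 chars, specials allowed": (len(ALNUM_SPECIAL), 7, 12),
    }
    return {
        name: {
            "keyspace": keyspace(a, lo, hi),
            "hours": hours_to_exhaust(keyspace(a, lo, hi), guesses_per_second),
        }
        for name, (a, lo, hi) in policies.items()
    }


if __name__ == "__main__":
    for name, r in compare_policies().items():
        print(f"{name:48s} keyspace={r['keyspace']:.3e}  worst case={r['hours']:,.1f} h")
```

The rate parameter is what makes the comparison honest: the 2.49-hour figure assumes an NTLM-speed hash, so passing the much lower guess rate of a slow password hash (bcrypt, scrypt, PBKDF2) to `compare_policies` shows how much of the defence comes from the hash rather than from the password policy, which is the point of the "something more secure than NTLM" aside.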