UPS supplier’s password policy flip-flops from unlimited, to 32, then 64 characters

A major IT hardware manufacturer is correcting a recent security update after customers complained of a password character limit being introduced when there previously wasn’t one.

CyberPower Systems, which sells uninterruptible power supplies (UPS) and surge protectors, confirmed to The Register that following pushback from customers, the character limit will remain but instead be doubled from 32 to 64.

The change was observed by customer Cabel Sasser, co-founder at Mac app dev Panic, and later shared online, where infosec pros scrutinized and questioned the reason for the finding.

Sasser said he recently discovered that he could no longer authenticate into CyberPower’s PowerPanel Cloud iOS app using his account’s usual 35-character password. The app monitors customers’ UPS data, battery backups, and other related tasks. Confused, he asked for a reason from the company’s technical support team.

“I emailed support and, well – I’ll be haunted by that sentence for a while,” he wrote.

The team said: “Due to the recent security patch updates, the length limitation of the password has been set to 32 characters.”

Asked who or what was behind one of the more ironic security updates in recent memory, CyberPower said it was a recommendation made by a third-party security auditor. The update is being tweaked, but it will take a few weeks before it’s fully rolled out.

“We recently submitted the PowerPanel Cloud App for a security test to a third party as part of our ongoing security due diligence,” the company said. “The third party recommended a limit on character length of the password, we previously did not have one.

“Based on customer feedback, we will be changing the password limit to 64 characters. This will take approximately two weeks to implement but has been made a priority by our software team.”

What’s less clear is why some passwords that were longer than 32 characters continued to work for some customers. It led some onlookers to ask whether passwords were simply being truncated, an idea CyberPower quickly put to bed.

It denied truncating passwords after the security update. The vendor also denied speculations by folks discussing Sasser’s finding who wondered whether passwords were perhaps being stored in plain text.

CyberPower told The Register that the 32-character limit was “most likely” introduced on new passwords after the update, although this was still in the process of being confirmed internally last week and we have yet to receive an update.

Imposing a character limit on a password when there previously was none may seem like a counterintuitive move at first glance. However, more characters don’t always translate to fewer problems.

There’s no denying that a 128-character password is more secure and less easily brute-forcible than a 32-character equivalent. In terms of crackability, simply put, more characters equal better security.

The guidelines from the National Institute of Standards and Technology (NIST) recommend 64 characters as an upper limit and, contrary to what many platforms require now, they don’t encourage users to select special characters.

NIST didn’t go into detail on why a 64-character limit is recommended. OWASP, however, which also champions at least 64 characters, said limits must be sufficiently large to allow for passphrases to be used.

OWASP also cites limitations with some password hashing algorithms in some freak scenarios where a user chooses a password with 1 million or more characters. This may cause some servers to experience denial of service due to resources spent on the hashing process.

The guidance from national cyber agencies on passwords is relatively unified. The UK’s National Cyber Security Centre (NCSC) still recommends the three-random-words strategy for creating passwords, but at the same time encourages organizations to rely on them as little as possible. Using multi-factor authentication (MFA) and single sign-on (SSO) solutions are both strongly encouraged.

Crucially, though, it explicitly discourages imposing an artificial cap on password length and, like NIST, doesn’t condone complexity requirements.

The US’s Cybersecurity and Infrastructure Security Agency (CISA) takes a similar stance. It recommends a minimum length of 16 characters and likewise does not believe in upper length limits.

“At least 16 characters – longer is stronger,” reads its guidance page.

CISA also recommends using a different password for every account, and using either a mix of unrelated words and phrases or a random string of characters – lowercase and uppercase letters, numbers, and symbols are all welcome. And using default credentials? Don’t get them started. ®

READ MORE HERE