On Saturday I opened the Charles Schwab iPhone app to deposit a check. I create and manage my passwords with 1Password, the gold standard for password managers, but each time I tried to copy my twenty-character password from 1Password and paste it into the Schwab app, it failed to paste anything into the text field. The strange thing was that I had no problem using my long password on Schwab.com.
I asked about it on Twitter and learned from the good folks at AgileBits, who make 1Password, that Schwab's web site was truncating my twenty-character password, the first eight characters of which just happened to abide by Schwab's password rules. As it turns out, Schwab passwords cannot exceed eight alphanumeric characters and cannot contain symbols.
Schwab's reliance on eight-character passwords is not unique in the financial services industry, though it is troubling in light of the GPU-based cracking tools that have been available for some time. To be fair, Schwab does offer two-factor authentication. Customers can order a free security token that generates a numeric security code that periodically expires. I would prefer an app like Authy or Google Authenticator to carrying another dingus around, but having two-factor authentication available is a nice option.
What concerned me as much as Schwab's short password limit was the subtle effect the password truncation had on my behavior. There is no feedback on Schwab.com telling users that their passwords are being cut down to eight characters. I am sure some programmer felt he or she was designing the site to fail gracefully, but without any feedback I had a false sense of security that my password was more robust than it actually was, which led me to change my password less often.
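To make the truncation problem concrete, here is an added example (my own illustration, not code from the post or from Schwab) of the two ways a site can handle a password longer than its limit. The rules are the ones described above: at most eight alphanumeric characters, no symbols. The function names, the PBKDF2 hashing, and the sample password are all assumptions. The first pair of functions silently truncates at enrollment and at login, so any guess that matches the first eight characters is accepted no matter what follows; the second rejects the password with a message, so the user knows the limit exists.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# Password rules as described in the post: at most eight
# alphanumeric characters, no symbols. Everything else in this
# file (names, hashing scheme, sample values) is an assumption.
MAX_LEN = 8
ALLOWED = re.compile(r"[A-Za-z0-9]+")


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the real site uses; the point of
    # the example is the truncation, not the hash construction.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll_truncating(password: str) -> Tuple[bytes, bytes]:
    """Weak behaviour: silently cut the password to MAX_LEN and accept it."""
    effective = password[:MAX_LEN]
    salt = os.urandom(16)
    return salt, _hash(effective, salt)


def verify_truncating(password: str, salt: bytes, digest: bytes) -> bool:
    """Login path that applies the same silent truncation at verification."""
    return hmac.compare_digest(_hash(password[:MAX_LEN], salt), digest)


def policy_message(password: str) -> Optional[str]:
    """Return a user-facing reason the password is rejected, or None if it is fine."""
    if len(password) > MAX_LEN:
        return (f"password is {len(password)} characters; "
                f"this site allows at most {MAX_LEN}")
    if not ALLOWED.fullmatch(password):
        return "only letters and digits are allowed"
    return None


def enroll_with_feedback(password: str) -> Tuple[bytes, bytes]:
    """Hardened behaviour: refuse with a clear message instead of truncating."""
    problem = policy_message(password)
    if problem is not None:
        raise ValueError(problem)
    salt = os.urandom(16)
    return salt, _hash(password, salt)


def prefix_guess_is_accepted(chosen: str) -> bool:
    """Show the collapse: enroll a long password under the truncating path,
    then log in with a string that shares only its first eight characters."""
    salt, digest = enroll_truncating(chosen)
    guess = chosen[:MAX_LEN] + "ZZZZZZZZZZZZ"  # constructed wrong suffix
    return verify_truncating(guess, salt, digest)


if __name__ == "__main__":
    sample = "Kx7mQ2vR9pLw4nTz8bYc"  # constructed twenty-character password
    print("prefix-only guess accepted:", prefix_guess_is_accepted(sample))
    print("feedback path says:", policy_message(sample))
```

The truncating path is what the post describes: the password manager stored twenty characters, the site kept eight, and the user had no way to know. The feedback path is the fix a site should ship; it costs nothing more than an error string.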
The moral of the story? Change your passwords regularly regardless of how long they are. Fortunately, with 1Password, doing so is not difficult at all.