Electronic Arts Hates Strong Passwords

Jun 26, 2011

On the midnight of June 25 LulzSec released yet another truckload of user/password combinations, including from the Electronic Arts game Battlefield Heroes. I used to play Battlefield Heroes as I am a huge Battlefield fan since the dawn of the series. Interested to see whether I am present in the hacked database, I immediately downloaded the CSV file and searched for my account name. Sure enough, there I was along with a familiar looking hash. I quickly threw the hash into a MD5 hash-to-source dictionary service. Boom! Unsalted MD5 and my password was staring me into my face. It was an old password of mine, one of the first I had chosen after upgrading from short all lower case passwords. This meant that I didn't need to panic, as I have different passwords in most places. Still, it was my password for Battlefield Heroes and more crucially it was also the username/password combination for my EA account, which controlled a bunch of other games like Battlefield: Bad Company 2. I quickly set myself a goal to change the EA account password so I launched Origin. Origin is EA's quarter-assed wannabe clone of Steam. I carefully looked around, into every corner and sub-dialog I could find. There was no password changing option. Amazed at how bad Origin is I went straight to EA.com as surely there must be a way to change my password there. Nope, even less account configuration than Origin provided. I then proceeded to log out from EA.com and claim I had lost my password. This worked fairly well until I tried to actually set a new password.

The new password is too long. Your new password contains invalid characters.

What the fuck? Flabbergasted, I decided to log back in with my old password and dig around the help section to find some documentation on what sort of passwords they allow, as the error is very opaque. While looking around in the help section I stumbled upon a My Account link. Yes, I had finally found the web based account management section, nicely hidden away from users. I tried to change the password again, this time from the account management page.

16 characters maximum for new password.

At least this error tells me the exact length limit, but 16 characters? A maximum of sixteen characters? This must be a joke.
OK, I tried with a shorter password then.

Your new password contains invalid characters.

Invalid characters? It was getting ridiculous. I decided to do some research with some of the symbols that I could easily access on my keyboard. Here are the results:

Allowed: ! # % & ( ) = ` ' + ; : - _ < > [ ] { } $ @ *
Not allowed: " ¤ / ? ´ ˇ ~ , . | \ £ € § ü õ ö ä ž š

What about the minimum limits?
I tried changing my password to asd. No luck, 4 characters minimum! What about cool? Success!

In summary, EA doesn't want people using strong passwords like y756V3~J|d242~s89k75;37x-544df. It also doesn't want people using cute but decent passwords like ´[~.~]`. It is completely acceptable however to use passwords like cool, pass, love. Also the passwords will be stored using unsalted MD5 in easily hackable servers. Amazing.

Comments (15)

candidcamera Jun 26, 2011 21:52:42 UTC

please post where we can find the file with hashes to see if our passwords were compromised as well - the EA site is now down from this - I can't remember what pwd I used - I was only in beta and my username is in there.

Foobar Jun 26, 2011 21:59:50 UTC

@candidcamera: You can visit https://shouldichangemypassword.com to see if your any of your accounts have been comprised.

Kaur Kuut Jun 26, 2011 22:03:12 UTC

@candidcamera The Battlefield Heroes database can be downloaded from https://rapidshare.com/files/1491257191/Battlefield_Heroes_Beta__550k_users_.rar

doah78 Jun 26, 2011 22:05:36 UTC

Apple's itunes does a similar thing. Doesn't let you use a lot of special characters like ~.

mate Jun 26, 2011 22:10:19 UTC

Kaur Kuut hates your eyes and wants them bleed.

xah lee Jun 26, 2011 22:20:34 UTC

a luxury of 16 chars? i remember running into sites that allows max of 8 or so. Though, i think it was late 2000s.
I think some phone account to this day lets you have just 4 chars. Totally ridiculous.

allowing special char is a different matter though. cuz once u allow it, there comes chinese, combining chars, arbitrary unicode symbols, and various encoding issues. Sure to be a headache to the implementor as well as customer service.

Court Jun 26, 2011 22:31:27 UTC

@xah lee: Up until a few months ago, the American Express credit card login had an 8 character password limit. It still happens.

Andy Jun 27, 2011 00:11:43 UTC

I can think of one large online retailer (ebuyer.com) that has eight characters and no special chars. The credit card company Egg also have an appalling pw policy. Those who refuse to learn from history... etc,etc

Andy

Shane Jun 27, 2011 00:31:49 UTC

There are still companies that think it's okay to store *plain passwords* - and when requesting a forgotten password, they simply send it back to you.

I won't mention the company's name as I'm currently still a customer (and planning to change that ASAP), but they are a very popular worldwide business - with millions of customers.

Joshka Jun 27, 2011 00:34:56 UTC

http://en.m.wikipedia.org/wiki/Password_strength
Your assertion that 16 characters by 85 possible options is insecure is mistaken, unless you're trading with foreign governments in state secrets in game ;p

Rauf Jun 27, 2011 06:02:52 UTC

@Joshka 16 characters my be strong enough but dictionary words like cool are surely insecure...

levu Jun 27, 2011 16:16:54 UTC

ICQ has got a 8 character limit (I know, noone wants to use icq, but for work i have to ;) )

Rian Q. Jun 30, 2011 05:35:40 UTC

Okay look, I know you're a guy who likes to have an incredibly secure password and that's your right. However, 16 characters is more than enough, and being able to use the entire alphabet (plus caps), 10 numbers, and 23 symbols you yourself could type makes for an incredibly secure password.

With that, a 16 digit password would have a one in 7 nonillion chance of being cracked, which is 30 zeroes.

Skyp0r Jun 30, 2011 21:27:39 UTC

Skype.com has 20 chars limit: http://i.imgur.com/Enp4V.jpg

Skyp0r Jun 30, 2011 21:30:59 UTC

@Rian Q.: A char-limit is (in many cases) an indicator that the password is stored in plaintext in database.