I recently went to change my password at AliPay, and found out that there are a few restrictions on the password:
- It can only be digits
- It must be six digits
- It cannot consist of consecutive digits (123456, 234567, etc.)
- It cannot consist of a repeated single digit (111111, 222222, etc.)
This all seems idiotic to me. First off, six characters is not a lot. Six digits contain even less entropy. And to top it off, they remove some more possible combinations.
To be fair, I guess things like 123456 or 111111 would be at the top of any hacker's "dictionary" if they were to brute force it. However, there are still fewer than a billion possible combinations to try, which in this day and age is not a lot (right?).
Can there ever be any valid reason whatsoever to restrict a password like this? I use a password manager and usually default to 20 characters of random digits, letters and symbols. For a payment service in 2016 I'd expect long passwords containing random symbols to be allowed (or even demanded by the system).
So am I missing something here, or are the people who come up with these limitations just not that security-minded?
Your Alipay account consists of two passwords: 1) Alipay.com login password 2) Alipay "Payment" password. I assume the passwords you mentioned are 2. – mootmoot Jul 29 '16 at 12:13