Samsung password policy is insecure (restriction on characters)

When creating and logging into a Samsung (or SmartThings) account, the passphrase has a restriction on what characters can be used. Notably, it does not allow any spaces. To me this is a red flag, since neither the length nor the character set used in a passphrase should matter: the hash function should work regardless.

Why does Samsung, which is neither a small nor young company, have such a major oversight?

Another peculiar thing I noticed is that the username and password cannot be saved in the web browser’s password manager.

They also don’t have 2FA.
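The point made above, that a hash function does not care what characters a passphrase contains, can be shown concretely. The following is an added example written for this thread; it is not code from the original posts and has nothing to do with Samsung's actual implementation. It applies the only policy rule that matters (minimum length), NFKC-normalises and UTF-8 encodes the passphrase so that spaces, backslashes and non-ASCII characters are all just bytes, and then runs it through a salted, slow KDF (PBKDF2-HMAC-SHA256 from the standard library). The sample passphrases are constructed.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import List, Optional, Tuple

# Constructed example of a password-storage routine that imposes no character
# restrictions. Only length is checked; spaces, quotes, backslashes and Unicode
# all pass through unchanged into the key-derivation function.

MIN_LENGTH = 12          # policy: length only, no character-class rules
PBKDF2_ITERATIONS = 600_000  # slow on purpose; tune to your hardware
SALT_BYTES = 16
DIGEST_BYTES = 32


def normalize(passphrase: str) -> bytes:
    """NFKC-normalise so visually identical input (e.g. composed vs decomposed
    accented letters) derives the same key, then UTF-8 encode. Spaces are kept:
    a leading, trailing or doubled space is a different passphrase."""
    return unicodedata.normalize("NFKC", passphrase).encode("utf-8")


def check_policy(passphrase: str) -> List[str]:
    """Return a list of policy violations; an empty list means acceptable.
    Deliberately contains no check on which characters appear."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted digest for storage. Returns (salt, digest); both are
    stored, the passphrase never is."""
    violations = check_policy(passphrase)
    if violations:
        raise ValueError("; ".join(violations))
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(passphrase), salt, PBKDF2_ITERATIONS, dklen=DIGEST_BYTES
    )
    return salt, digest


def verify_passphrase(passphrase: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(passphrase), salt, PBKDF2_ITERATIONS, dklen=DIGEST_BYTES
    )
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    # Constructed passphrase with spaces and a backslash, the kind the OP
    # reports being rejected. It hashes and verifies like any other string.
    secret = "correct horse battery \\ staple"
    salt, digest = hash_passphrase(secret)
    print("stored salt  :", salt.hex())
    print("stored digest:", digest.hex())
    print("verify exact :", verify_passphrase(secret, salt, digest))
    print("verify typo  :", verify_passphrase(secret.replace(" \\ ", " "), salt, digest))
```

Because the passphrase is reduced to bytes before hashing, a restriction such as "no spaces" buys the server nothing; it only shrinks the space an attacker has to search. The NFKC step is the one transformation worth doing before hashing, so that a user who types an accented character on a different keyboard layout still authenticates.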

It’s safe to say the Samsung leads and developers don’t hold user requests as a high priority? I’ve been perusing these forums and have noted some glaring issues that have still not been resolved in four years.

It’s safe to say that we “few thousand” users do not represent the 1 to 2 million SmartThings Customers out there that don’t use this Community Forum.

To make a feature request, bug report, complaint:

  1. Contact Support
  2. Post a polite review in the Play Store, App Store, Amazon
  3. Post a polite inquiry on the Facebook page.

Many ST Staff read this page. But the decision makers have indicated they don’t use this forum with specific rare exceptions (e.g., perhaps to check on beta test results, or the immediate impact of a firmware or app update for bugs).

Bit of a shame, but no use fighting reality.

Even if it is only one user, the issues of password policies and the lack of two-factor authentication transcend simple user requests and minor bugs.

Smart homes and automation also involve security systems, cameras, and door locks. Tightening security measures and authentication for user accounts is not just “nice to have”: it’s essential from day one.

I don’t view these issues as minor bugs or small oversights.

Four years ago, and still no 2FA: Two Factor Authentication for ALL STs environments?

I did, when I first installed my SmartThings hub, which required me to create a Samsung account. The rep on the phone told me he would definitely “pass it along”. I am now posting on here, much later, to get others’ opinions on this matter and to try and understand “why”, since it baffles me that such a large company neglects basic security measures for such critical things that deal with homeowners’ door locks, cameras, and alarm systems.

Because the vast overwhelming majority of SmartThings / Samsung customers do not care.

And, frankly, I think they are right.

We are a long, long, long way away from bad actors having any interest in attacking smart homes when there are much easier and broader targets to exploit: social media, email, and banking accounts.

I, personally, think you are inflating the risk.

The login page was reworked a little while ago and has certainly been a bit quirky since. My details were already saved in my password manager so I wouldn’t know about being unable to save them, but now in order to retrieve them I find I have to click once in either the username or password field, with no obvious effect, and then once again in the password field, at which point both fields are filled in. There is no auto-completion of the username if I start typing it. That’s not how I’m used to things working elsewhere.


But it allows \ for instance, and other special chars that you could use instead.

I find that pretty safe. If your concern is about security, that should be noted as a goodness.

That isn’t the point, though. That they arbitrarily restrict any type of character is a red flag. The only explanation I could find online is developer laziness or management apathy. This is a big no-no for any web site, and there’s no real reason for it.

“It’s not a bug, it’s a feature!” :wink:

Why is removing the option of using a password manager a good thing? If you don’t want to store logins and passwords on your own physical computer, that’s perfectly fine. Yet why remove such an option from those who do? If we’re using this logic, then it stands to reason that all other web sites and services would be doing us a favor if they removed our ability to store logins and passwords in our browser’s manager?

What is your basis for this assertion? It is not uncommon for systems (including banks and other financial institutions) to limit certain characters for a variety of reasons, including technical limitations.


I admit, I am an old-fashioned guy. I will never trust a company to be able to store in any manner all the access to everything, since there is no way they cannot be hacked one day. Everyone gets hacked, and these companies are certainly a focus for hackers.

That’s something we agree on.

I am extremely frustrated that Samsung eliminated separate “SmartThings Logins” in order to convert to their federated single-sign-on “Samsung Login” that is used for Samsung browser profiles, phone and tablet backups, Developer IDE access, and who knows what other services in the future.

I hate that if I accidentally compromise my credentials to one of these services then I am instantly vulnerable on ALL of them.

Unfortunately, this model is typical of all single sign on mega services, including Google and Microsoft… and many more.

It’s especially difficult for me as a Samsung/SmartThings developer, because I certainly don’t want a compromise of my personal Account to compromise my Company or Customers! :confounded: :rage:


They do, however, provide a convenient login-access email notification when the account is logged in. I would still like two-step authentication to be provided.