Third of US banks OK with passwords even social networks reject Six of 17 major US banks have weaker password enforcement procedures than most social networking websites, according to a new study by an American university. The banks ask users to set up passwords that include letters and special symbols, but a study by researchers at the University of New Haven shows that in around a third …
Simple.
You have insurance for your money.
There is no insurance for your reputation.
People will not care so much for the safety of their bank account since they can have a discussion with their banker face-to-face, prove their ownership and innocence, and get things set straight.
Try doing that with a Facebook representative when your account has been hijacked (don't know if that has ever happened).
"I've heard from friends who use FB that hijacking is common and FB doesn't really persue things. So... meh on them."
Facebook 'hijacking' is trivially easy. For reasons best known to FB, <identity redacted> known to be because of <identifying feature redacted> once had some twit drop FB message traffic onto his/her/its gmail account. This was despite <redacted> not having a FB account, but having a Gmail account one digit off of the FB twit's account. Appeals to the FB twit to stop having his allegedly private messages appear on <redacted> Gmail went unanswered. Appeals to FB admin to do something about their user when unanswered. What resolved the matter was when <redacted> used the fact that the FB account was effectively identical to <redacted> account, and to go onto FB and try to delete the account. After the second time this was done the FB twit got the message and the messages stopped showing up in Gmail. It was trivial to get complete control of the FB account. Security? They've heard of it.
I remember when that acquisition took place between CapitalOne and IngDirect, the first thing CapitalOne did was remove security features that IngDirect had in favor of ONLY needing a password to log in. So, I know CapitalOne doesn't really care about security.
That's not exactly true. I get that you skipped right over the bit that's false because the researchers on this article did too. In order to get access the password PLUS the account number. On social media, people already KNOW your account name, so the password becomes a single point of failure.
Also, I'm not 100% sure it's ONLY the password. They may also have a challenge question if you've logged in from a machine that doesn't have a cookie identifying you. I normally only access my accounts from home, so I'm normally willing to tell it to use a cookie to remember me. Since I normally access that account on a regular basis the cookie never expires. I have an account at another bank that I don't access as frequently and I sometimes have to answer the security questions. Which is a real bitch because I only remember the stored answer to one of them.
My account username on Facebook is an email address that bears no relationship to my name at all and is used only for my FB account. So the logic doesn't really follow. Hell someone could swipe my wallet and use my account number straight from my Debit card but they'd have a hard time guessing the email address.
That said, my bank has mandatory 2FA.
But I have a CapitalOne CC and a CapitalOne 360 account, I also have FireFox clear my entire history (with cookies, all offline content and caches) after quitting. Neither websites asks for anything more than a username and password. I was asked to setup challenge / response questions a couple months ago, but I see them on the mobile app and not the main websites. Thats why I never check my CapitalOne info from any other place other than my home machine that I know I can wipe the cache and temp files.
My credit union (PSCU) recently extended the password length, which was limited to 8 characters. They extended it to 15.
Aside from security considerations, they're a great credit union. Hmm. That's hardly a glowing endorsement of one's financial institution, is it?
In 2000 I signed up for Wells Fargo online, after they bought my old bank. They had me create my password via phone (oh, 2000, such a simpler time). That meant my password: "password" was entered as 72779673. So any letter/number combination that translated to 72779673 would have been able to log in as me.
As some point I eventually changed my password via the online mechanism, which I assumed was a little strong, but apparently, not much so.
I have a number of complex passwords that I use for various things, but none of mine met the requirements of one company. This forced me to think of something new and utterly unmemorable. So of course I would need to write it down. To make the point I printed my password out on A3 sheets and stuck it to the office wall, knowing that the company's FAE visited us weekly and would see it, and hopefully take the hint that their requirements were actually lowering their security.
Same as elsewhere, the larger the bank the more likely they are to be rolling their own. I know my credit union farms theirs out. They're too small to do it on their own and at one point the people at the bank couldn't reset your password if you got locked out or forgot it.
Also, there's no way FarceBook or Twatter are using COTS for their websites. It simply wouldn't handle the volume.
Banks want their paying customers (even the old geezers) to be able to conveniently use their website, even if their security isn't very secure.
Social media sites don't give a shit. If you want to be cool and trendy and be seen by your "friends", you'll do it the way they want you to and you'll like it.
yes, I'm cynical.
Or is it better just to add another character to your password?
It might be interesting to test this. Have a site that forces 1/3rd of the users to jump through the special-case-sensitive-character hoop, 1/3rd of the users to enter what they want, and force 1/3rd of the users to enter 1 or 2 more characters than whatever the middle third are required to enter. Then look at the passwords chosen by each group. Which are more crackable? By a machine.
On a US keyboard letters and numbers only allow 62 possible characters per position. If all the special characters are allowed you get 92 possible characters. The question becomes when does 92^n > 62^n+1 and is n a relatively small number; haven't done the math.
Up vote for doing the maths.
Still there is a problem in that the maths are only a minor input into the real problem. We all know the most standard rule for passwords these days: x character or more long, at least one each of upper, lower, number, special character. The problem is people. They want something they can remember, which usually reduces it to dictionary words with numbers and specials tossed in or morphed into l33t spe@k. So you're now at significantly less than 92^n instances you need to check. Then we get to the really interesting thing they found in a recent study. Given that rule, most people select EXACTLY one upper, lower, and special. And that drastically reduces the size of dictionary hackers use for their attacks.
As the guy creating most of our email accounts I've gotten use to creating complex passwords from simple phrases (eg: B1t!nGtH3H@nDtHaTfE3d$; our email system doesn't allow dictionary words of 4 or more characters). And I have to say the most annoying websites are the ones that cut down your list of special characters and limit your word length. For the life of me I can't set one for our conferencing system and I can't memorize the ones they generate for you.
"Or is it better just to add another character to your password?"
Or more importantly - is it better just to add an arbitrary number of characters to your password? The biggest problem with rules for passwords is restricting the length, often to as few as 8 characters (and PINs, which are just passwords by another name, are usually just 4). There are arguments about how strong XKCD's "correct horse battery stable" scheme is, but the arguments against it all rest on the length being short - if you know a password is made of 4 words, you can target an attack based on that knowledge. But what if a password might be 20 words long or more, and you have no idea what that length actually is? A brute force dictionary-based attack on such a password is much, much harder than a character-based attack on a password with 20 characters no matter how many special characters you allow, since there are far more than just 96 words in any language.
And as is always pointed out, people are really good at remembering words. That's the whole problem - people choose passwords they can actually remember. We routinely remember the lyrics to hundreds of songs, can quote from hundreds of films and books, memorise long poems, plays and speeches, and so on. Using just a few random words might not make a more secure password, but why limit it to that? Allow arbitrary length passwords, enforce a minimum length (20 characters or so), enforce only lower case letters (so there are no problems remembering capitalisation and punctuation), and everything would be far more secure and far easier to remember.
*-- Some banks still use national ID numbers as usernames! Others use case insensitive challenge questions that can be pwned via Facebook. Knowing this...
*-- How many banks offer 'Outside Transfers' that permit external accounts to be set-up in 2-mins using the same session? Some require 2FA, but that can be pwned thanks to 'IoT class' phone security!
*-- External transfers aren't needed by everyone, so shouldn't this require a burdensome paper-trail process, or in-branch face-to-face time to set up....?
* -- When travelling how about read-only account access? Or visibility restricted to one account for credit card monitoring etc. To pay utilities, how about a cap that limits a/c number changes and caps outgoing payments to 50-100 USD a month....
*-- Then if accounts are hacked / hijacked, it will mostly be read-only, mostly leak basic info only, and have a damage limiter...
*-- But this is not what the banks want! They want 'feature rich' online-banking, so that they can sh1tcan more branches, downsize more offices!
So smug you miss the point! Step away from the keyboard for a moment!
Who said anything about the cap being set in source code? After all, this isn't the year 2000!
Its not locked in source, its just locked to hackers! The cap has to be set in-branch (in-person) or using a system that can't simply be pwned by exploiting weak points in A. the online banking session, B. weak support staff, C. weak telephone password reset systems. (The kind of thing that was used by hackers to hijack the email accounts of NSA / CIA security staff in USA in 2015 etc...)
I used to work for a bank where 20 years ago we rolled out two factor login for our high net worth clients.The clients hated it. Our client reps hated us for it. In about a year we had disabled it for the 90% plus clients who didn't want the extra hassle. And we, or most importantly our clients suffered very few losses as a result..... in fact there were none for at least the next decade. Simpler times, and hopefully it's back now.
Two factor auth is a hassle but it works. In comparison password complexity really doesn't mater hugely in the scheme of things. It doesn't help if the attack is a keyboard logger, or if the password is reused by the client on other sites that store it unhashed. Even if it is hashed experience shows password complexity is normally interpreted as having the first letter capitalised and the digit "one" appended so is pretty easy to brute force. What it does best is make the client forget their password, and have it reset by giving their favourite colour or first pets name and getting a reset link mailed to them via insecure email.
Or put another way, whose helping us lose...
Politicians and regulators are too dumb / too slow to enact change. Corporations and banks are too greedy or obsessed with the bottom line. The media is too drunk on IoT...... Its a field day for cyber-crims right now!
Last month HSBC announced biometric... The problem with that is its been given all the forethought of IoT security!!... Passwords can be reset, but biometric info can't be put back in the bottle. So why doesn’t the mass media warn of the consumer risks and mention the dangers of biometric data being leaked into the wild.... Nope, all the media had to say that day was how everyone hates passwords...
But this is irrelevant. Passwords are a necessary evil right now, everyone knows this! Besides, even when users are careful, which we know they never are, the JP-Morgan hack from a couple of years ago, proves that any database can get hit, no matter how many layers of protection it hides behind.
So what happens when all that juicy biometric info leaks online, which it will... What will the media have to say on that day...???
For me the worst offender in this weak-security / hacking / data leaking / IoT crisis, has been the media itself! Apart from the Reg and a handful of others, the media is selling is out as suckers!
Requiring at least one digit does not weaken a password. It does strengthen it as long as you can put the digit anywhere.
If you have an 8 character password and can only use lowercase letters there are 209 billion possibilities ( 26^8, or 26*26*26*26*26*26*26*26 )
Using upper or lowercase increases that to 53 trillion possibilities (52^8)
Adding 10 possible digits brings it to 218 trillion possibilities. (62^8)
The possibilities increase exponentially as long as the digit can be anywhere and you can add as many as you want.
My Canadian bank still has passwords that are not case sensitive and does not allow "special" characters.
When I last complained, three years ago, they argued, with a straight face, that allowing these would confuse customers.
And yes, the challenge question when you phone them is still my mother's "maiden" name.
Maybe you Canucks are a bit more lax than the US with birth certificates, but mother's maiden name is actually still fairly difficult to find. Even knowing where my mother was married I can't find the newspaper announcement on the internet. Too much flack in the way. Oddly enough, I've never thought of it as similar to "Smith" in terms of providing anonymity but apparently some of our cousins across the pond do a very, very good job of protecting me.
Was the last 4 digits of my SSN for more than a decade(the default password they assigned at the time mid 90s).
It is one of the banks listed.
AFAIK none of my accounts ever been compromised on any site. I have unique passwords and email addresses for each site(and i run my own email server). All stored in ultra secure QUADRUPLE ROT13 encoded text files. Web browser runs as a more limited user account on my linux mint systems.
Passwords work
just ask the FBI : why can't they crack that iPhone ? can't even get past a 6 digit passcode?
not if it's administered properly
biometrics are just a scheme to eliminate anonymity -- and -- they suffer from the disastrous problem: once compromised you can't change them .
Its simple !! The banks just DON'T CARE!!
As long as they have transferred the responsibility to the customer and they can argue "they are not liable" why should they care, your the one swallowing the cost of a fraud, not them.
Every time your Bank phones you and you challenge their identity they fail authentication, the most basic security check. But they expect nay demand you provide answers to their "security question" to an unauthenticated calling source. TOTAL FAIL.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
