Home mail me! RSS Feed RSS Comments Feed

Online banking security

May 8, 2007 at 10:58 am · Filed under Geeky

I have an account with BMO Investorline from back when I dabbled in the stock market and got burned. I tried to log in to it the other day to change my address and discovered something disturbing.

When I first created the account, the password could be any length, so I chose a password which was 10 characters long. Apparently at some point since then BMO have changed their system so that passwords have to be six characters long. This is a disturbing trend that I’ve seen popping up in a few places, including where I work.

Fixed length passwords are a bad idea for one very simple reason. They are easier to guess. The number of possible combinations of six characters is much, much smaller than the number of possible combinations of random length passwords. Granted it’s still a fairly large number, but why not make it as large as possible?

So I called the bank to get my password reset. They asked me a bunch of security questions, which is good, although a determined cracker could probably find out the answers, but then they reset my password. They reset it to something very, very simple. Now I can only assume they use the same very simple password for all password resets, and I’m guessing they get more than a few password resets every day, so it’s probably a good password for those evil crackers to try.

I understand that banks are treading a fine line between making their online banking as user-friendly as possible while keeping it as secure as possible, but security has to come first. Always.

May 8, 2007 @ 2:39 pm

Procrasto said

I knew a determined cracker once.

It was a Jacobs.

That wee bugger just wouldn’t give up being flakey…

How I loved that cracker.

With a nice slice of mature cheddar…

He wished he had been more secure too.

Oh, that cracker.

*wanders off chuckling to self*

May 10, 2007 @ 12:56 am

keyofd said

Fix length passwords are not automatically worse than their longer cousins. A lot of it depends on the overall security scheme. Yes they are easier to brute force, if that is an option. But for example, my bank will lock my account if I get my password wrong more than 5 times in a row. Thus brute force guessing is removed from the equation.

Also, it is difficult to remember longer random passwords. 2jf9g! is a much stronger passwords than iloveyou or your phone number, despite the fact that your phone number is 10 digits long. If I was trying to hack your account it would be the first thing I would try.

Yes, ideally, you want your password to be longer AND hard to guess, but much of the time when people are forced to pick longer passwords they actually make the password easier to guess by using actual words or phone numbers, or some other kind of meaningful data. The very first thing a brute force attack will attempt is all the words in the dictionary, so ‘morphophonemic’ is a very poor password compared to ‘19dj^p’.

As far as them re-setting it to something simple, if they didn’t advise you to change it immediately, then that’s pretty poor security alright.

The bottom line with passwords schemes is this. The harder you make it to remember, the easier the end-user will try to make it to guess. Humans are lazy and don’t like to put huge amounts of effort into remembering things, forcing frequent password changes, or longer passwords rarely results in users actually choosing better passwords, it usually results in the exact opposite. At least that’s what I’ve seen.

May 10, 2007 @ 8:52 am

lambic said

Yes, longer random passwords are harder to remember than shorter random passwords, but the large majority of people don’t choose random passwords, they choose something they can remember. Given that, then longer (or at least non-fixed-length) passwords are better for two reasons:

1) It gives the user a chance to have something memorable yet still hard to guess.

2) It means that if my most memorable phrase is “I am the g33kiest” I don’t have to try to squish it down into “img3kt” and then remember how I squished it.

Having said all that, it’s about time we gave up on passwords altogether, but sadly the alternatives are considered too complex for the average online banker.

RSS feed for comments on this post · TrackBack URI

Leave a Comment