Let your uSeRS chOOse wACKy passWords, US banks!

07 Mar 2016 9 Privacy, Security threats

by Bill Camarda

With many US banks, what you see in your password field may not be what you get.

That’s according to recent research by student researchers at the University of New Haven’s Cyber Forensic Research and Education Group (UNHcFREG).

The study’s developers created a fairly simple test: Are the financial institutions’ passwords case-sensitive? Eleven US banks passed their test. Six failed.

In other words, MyPass2015, mypass2015 and myPAss2015 are all treated as if you’d typed MYPASS2015.

With 10-character passwords, the total number of different possible passwords, known as the password space, shrinks. If you choose 10 characters from A-Z, a-z and 0-9, you have 62×62×62…×62 (62^10) possibilities. But with only A-Z and 0-9 to choose from, it's 36^10, about 250 times fewer.

That may not sound terribly significant, but it does mean that the password you type isn’t actually the password that’s used, and isn’t quite as strong, which gives rather a false sense of security.
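To make the two points above concrete, here is an added example (not code from the article or from the UNHcFREG study): it computes the password space and entropy for the 62- and 36-character alphabets, then shows a deliberately weak verifier that lower-cases the password before hashing beside a correct one that hashes it exactly as typed, and applies the study's own test (does a case-flipped variant still verify?) to each. The use of salted PBKDF2-HMAC-SHA256, the iteration count, and the sample password are assumptions chosen for the example, not anything the banks in the study were observed to use.

```python
import hashlib
import hmac
import math
import os

# Character-set sizes from the article: A-Z, a-z, 0-9 versus A-Z, 0-9 only.
MIXED_CASE_ALNUM = 26 + 26 + 10   # 62
SINGLE_CASE_ALNUM = 26 + 10       # 36

# PBKDF2 work factor: a value constructed for this example, not any bank's setting.
ITERATIONS = 100_000


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password over the alphabet."""
    return length * math.log2(alphabet_size)


def case_fold_reduction(length: int) -> float:
    """How many times smaller the space gets when the verifier ignores case."""
    return password_space(MIXED_CASE_ALNUM, length) / password_space(SINGLE_CASE_ALNUM, length)


# --- Weak scheme: normalises (lower-cases) the password before hashing. ---
# This reproduces the behaviour the study observed: every mixed-case variant
# of the password verifies against the same stored hash.
def weak_store(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.lower().encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def weak_verify(stored: tuple[bytes, bytes], candidate: str) -> bool:
    salt, digest = stored
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.lower().encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


# --- Correct scheme: hashes the password exactly as the user typed it. ---
def store(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(stored: tuple[bytes, bytes], candidate: str) -> bool:
    salt, digest = stored
    attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(attempt, digest)


def is_case_sensitive(store_fn, verify_fn, password: str) -> bool:
    """The study's test applied to your own verifier: enrol a password, then
    confirm the original is accepted and a case-flipped variant is rejected.
    The password must contain a letter, otherwise there is no case to flip."""
    flipped = password.swapcase()
    if flipped == password:
        raise ValueError("password needs at least one letter to test case sensitivity")
    stored = store_fn(password)
    return verify_fn(stored, password) and not verify_fn(stored, flipped)


if __name__ == "__main__":
    n = 10
    print(f"62^{n} = {password_space(MIXED_CASE_ALNUM, n):,} ({entropy_bits(MIXED_CASE_ALNUM, n):.1f} bits)")
    print(f"36^{n} = {password_space(SINGLE_CASE_ALNUM, n):,} ({entropy_bits(SINGLE_CASE_ALNUM, n):.1f} bits)")
    print(f"ignoring case shrinks the space by a factor of {case_fold_reduction(n):.0f}")
    print("weak verifier case-sensitive?   ", is_case_sensitive(weak_store, weak_verify, "MyPass2015"))
    print("correct verifier case-sensitive?", is_case_sensitive(store, verify, "MyPass2015"))
```

The exact figure for 10 characters is (62/36)^10 ≈ 230, or roughly 8 bits of entropy lost; the point of `is_case_sensitive` is that the check is cheap enough to run against your own authentication service as a regression test, so that a "we are case-sensitive" policy statement is backed by observed behaviour rather than assumption.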


The study’s authors found it tricky to query this matter with some of the banks:

…we attempted to contact the banks to inform them about this issue and tried to ask for a statement why they decided to pursue a weak password policy. It turned out that it is almost impossible to contact and notify them about a security issue – we couldn’t find any email address or phone number to report this security issue.

Working through regular bank hotlines, UNHcFREG found one institution unsure of how its own passwords actually worked:

One organization was adamant that they have a case-sensitive password policy, but our testing showed otherwise.

We can’t see the need for pre-conditioning passwords in this way, and we advise you not to do it, especially if you allow your users to enter a mixed-case password without any warning that it’s not actually the password they’ll be using in practice.

We suggest that if users are willing to put some additional complexity into their passwords, you welcome it!

(Oh, and please offer your users two-factor authentication as well if they’re going to be sharing important personal information with you.)


Image of Password courtesy of Shutterstock.com


9 comments on “Let your uSeRS chOOse wACKy passWords, US banks!”

  1. jandoggen says:
    March 7, 2016 at 1:42 pm

    I’m wondering if another variation still occurs: taking only the first N characters of your input. You type in a 20 char password and then they only compare with the first 8, 10 or 12 characters. Too bad they did not test that at the same time. And it’s good that they mention the actual banks – the time is long past where we should still have tolerance for these issues.
  2. Fred says:
    March 7, 2016 at 1:57 pm

    I’ve been trying for years to get my bank to accept more complex passwords (more characters, special characters) but my pleads fall on deaf ears. Two factor authentication??? They can’t even relate to it. It is time for me to change banks.

  3. Billy Reuben says:
    March 7, 2016 at 2:24 pm

    For FIs that outsource their online banking, this is becoming a huge vendor management issue. The inability to create complexity requirements increases transaction and reputation risk.

  4. Dave says:
    March 7, 2016 at 4:18 pm

    Not precisely on topic but sometime back I noticed that if I typed in any character – ANY character – in the Username field of two banks at which I had accounts, a list of alphanumeric strings would be presented. If I typed in the 1st character of my username, my username was in the field along with other strings that were, presumably, other valid Usernames. Until that date, it had not been that way, i.e., no list of any kind presented, as it seems it should be, and I attributed the glitch to recent website maintenance.

    I notified both banks of this “change”, pointing out that a would-be thief would only have to crack the Password instead of both Username and Password.

    One bank (the small, local one) fixed the glitch immediately. The other much larger, country-wide one, took much longer to get around to it.

    • Laurence Marks says:
      March 7, 2016 at 6:31 pm

      Dave wrote “Not precisely on topic but sometime back I noticed that if I typed in any character – ANY character – in the Username field of two banks at which I had accounts, a list of alphanumeric strings would be presented. If I typed in the 1st character of my username, my username was in the field along with other strings that were, presumably, other valid Usernames.”

      Dave, that’s function in your browser, not the website. You can turn it off if you like. Or else secure your computer just as you would your phone.

      • Dave says:
        March 8, 2016 at 7:58 am

        Hmmm… If that were the case, it’s interesting that without my doing anything to my browser or PC the lists of apparent usernames stopped being presented (below the Username field, not in it) after I notified the banks. I’m not saying you’re wrong but how would my browser/PC “know” other account holders’ Usernames?
  5. Cal says:
    March 7, 2016 at 7:24 pm

    The big bank I go through has this issue: capitalization doesn’t matter, no special characters allowed, and you’re limited to no more than 12 characters in a password. Mentioned this to their support personnel, they are aware of this and embrace it because they offer “…you will be covered for 100% of funds removed from your accounts in the unlikely event that someone you haven’t authorized removes those funds through our Online Services.”

    I hate this.

  6. James says:
    March 8, 2016 at 1:02 am

    Even worse is the password policy of a major Canadian bank, where they allow you to use both letters and numbers, but then convert all the letters to the corresponding number on the telephone keypad.

    • ed horst says:
      March 9, 2016 at 7:45 pm

      Which Canadian bank? At least give a hint. Thanks.
