Sophos Cloud Optix
With many US banks, what you see in your password field may not be what you get.
That’s according to recent research by student researchers at the University of New Haven’s Cyber Forensic Research and Education Group (UNHcFREG).
The study’s developers created a fairly simple test: Are the financial institutions’ passwords case-sensitive? Eleven US banks passed their test. Six failed.
In other words, MyPass2015, mypass2015 and myPAss2015 are all treated as if you’d typed MYPASS2015.
With 10-character passwords, the total number of different possible passwords, known as the password space, shrinks. If you choose 10 characters from A-Z, a-Z and 0-9, you have 62x62x62…x62 (6210) possibilities. But with A-Z and 0-9, it’s 3610, about 250 times fewer.
That may not sound terribly significant, but it does mean that the password you type isn’t actually the password that’s used, and isn’t quite as strong, which gives rather a false sense of security.
The study’s authors found it tricky to query this matter with some of the banks:
…we attempted to contact the banks to inform them about this issue and tried to ask for a statement why they decided to pursue a weak password policy. It turned out that it is almost impossible to contact and notify them about a security issue – we couldn’t find any email address or phone number to report this security issue.
Working through regular bank hotlines, UNHcFREG found one institution unsure of how its own passwords actually worked:
One organization was adamant that they have a case-sensitive password policy, but our testing showed otherwise.
We can’t see the need for pre-conditioning passwords in this way, and we advise you not to do it, especially if you allow your users to enter a mixed-case password without any warning that it’s not actually the password they’ll be using in practice.
We suggest if users are willing to put some additional complexity into the their paswords, welcome it!
(Oh, and please offer your users two-factor authentication as well if they’re going to be sharing important personal information with you.)
LEARN MORE ABOUT 2FA
(Audio player above not working? Download MP3, listen on Soundcloud or access via iTunes.)
Image of Password courtesy of Shutterstock.com
I’m wondering if another variation still occurs: taking only the first N characters of your input. You type in a 20 char password and then they only compare with the first 8,10 or 12 characters. Too bad they did not test that at the same time. Ande it’s good that they mention the actual banks – the time is long past where we should still have tolerance for these issues.
I’ve been trying for years to get my bank to accept more complex passwords (more characters, special characters) but my pleads fall on deaf ears. Two factor authentication??? They can’t even relate to it. It is time for me to change banks.
For FIs that outsource their online banking, this is becoming a huge vendor management issue. The inability to create complexity requirements increases transaction and reputation risk.
Not precisely on topic but sometime back I noticed that if I typed in any character – ANY character – in the Username field of two banks at which I had accounts, a list of alphanumeric strings would be presented. If I typed in the 1st character of my username, my username was in the field along with other strings that were, presumably, other valid Usernames. Until that date, it had not been that way, i.e., no list of any kind presented, as it seems it should be, and I attributed the glitch to recent website maintenance.
I notified both banks of this “change, pointing out that a would-be thief would only have to crack the Password instead of both Username and Password.
One bank (the small, local one) fixed the glitch immediately. The other much larger, country-wide one, took much longer to get around to it.
Dave wrote “Not precisely on topic but sometime back I noticed that if I typed in any character – ANY character – in the Username field of two banks at which I had accounts, a list of alphanumeric strings would be presented. If I typed in the 1st character of my username, my username was in the field along with other strings that were, presumably, other valid Usernames.”
Dave, that’s function in your browser, not the website. You can turn it off if you like. Or else secure your computer just as you would your phone.
Hmmm ,,, If that were the case, it’s interesting that without my doing anything to my browser or PC the lists of apparent usernames stopped being presented (below the Username field, not in it) after I notified the banks. I’m not saying you’re wrong but how would my browser/PC “know” other account holders’ Usernames?
The big bank I go through has this issue: capitalization doesn’t matter, no special characters allowed, and you’re limited to no more than 12 characters in a password. Mentioned this to their support personnel, they are aware of this and embrace it because they offer “…you will be covered for 100% of funds removed from your accounts in the unlikely event that someone you haven’t authorized removes those funds through our Online Services.”
I hate this.
Even worse is the password policy of a major Canadian bank, where they allow you to use both letters and numbers, but then convert all the letters to the corresponding number on the telephone keypad.
Which Canadian bank? At least give a hint. Thanks.