I was thinking of creating a list like this of all the sites that (most likely) store passwords as plain text. I'd get the list by doing a password reminder and seeing if they email me my password.
Would be cool if that was added as a column here. I'd submit some sites.
But if they use a two way hash and the server is compromised one would presume the mechanism for un-hashing the passwords would also be compromised meaning it is almost as bad?
(? as my knowledge on security is somewhat limited)
The word here is "encrypt" or "cipher" not "hash":
> But if they use a two way cipher and the server is compromised one would presume the mechanism for un-encrypting [decrypting] the passwords would also be compromised meaning it is almost as bad?
It might be. It is conceivable that a site may use public key cryptography and store encrypted passwords, but have password recovery done on an independent system which has the decryption key.
(For our purposes, a "reset question" might also be considered a password because it is still something "you know" and to be differentiated from an email address which would be something "you have")
I'd give an admonishment to anyone who uses a password question from the standard set (mother's maiden name, etc.), even if it is hashed, because the data is so easily discoverable.
Nevertheless, the idea of a password question is so useful that I still support it on my sites. But our implementation is open-ended: you define your own question as well as its answer. I think this is better for anyone who is security conscious, but unfortunately it still allows the lazy or ignorant to be insecure.
However, a mechanism for sites that use the standard questions is to manufacture a set of fictitious names and use those everywhere. e.g. Father's name - "Keyser Soze". First car make and model, "Millennium Falcon", etc.
There is the overhead of remembering these but that is not too hard with some thought and repeated use.
That's a very good idea. This is something that bothers me a lot. It would also be a good place to educate people about the need to use a different password on each site.
One example of extreme login security that I've seen is with treasurydirect.gov. Password: min 8 char, 1 letter, 1 number, 1 special. Mailed key card: 7 x 5 alpha numeric grid with a random 3 char series ((A2, G5, F5) for example), 1 out of 3 sets of 10 digit numbers on your key card, 3 security questions on unrecognised computers (out of around 10 - you must remember which 3 questions you set and answer them appropriately), and to top it all off, no keyboard entry - you have a randomly ordered soft keyboard that must be clicked for all password and keycard entries.
Personally, I think it's overkill, but I'll admit that I wouldn't envy anybody tasked with getting someone's account.
Ever had a bank account in Switzerland? Swiss Post uses two-factor authentication with challenge-response for online logins.
First you enter a password, and you get a challenge code back. You insert your card into a device they send you, then enter the pin and the code. The device displays a response code that you enter into the website.
That's pretty good. My bank has something like that for their online data storage, except instead of a device that will give me the code (I could get that for $25 they say), they send me a sms with the code after I enter my password.
Charles Schwab takes long password but truncates them at 8 characters without telling you. I discovered this the hard way by trial and error when linking it in Quicken.
Sounds like a credit union I used to use that restricts the charset, is silently case-insensitive, and emails you your password if you go through the lost password dialog (it had been upcased). I sent them a letter chewing them out for this joke of security (about a year ago), and they still haven't changed anything.
I like the idea. I think it would be nice to also include sites that store passwords in plain text. I always email sites if they send me my password in plain text. Half the time they reply and say it's not really so bad. Half the time they reply and clearly don't understand why I would even care. I've yet to see anyone admit that it's a problem. If we could get that solved, that would really be nice.
I do this too. The typical response is that they are forwarding my concern to their technical department, and I hear nothing further, and the issue never gets resolved.
That is kind of true - ING do call it a PIN. The thing is that all I can do with the PIN is to log on to their online banking site. That makes it a password in my opinion.
If I want to use my card at an ATM say, they require me to use a different PIN.
And the penalty for typing in the wrong PIN at an ATM is presumably a lot higher than providing the wrong PIN on their website, which means the feasibility of a brute force attack (which is what password complexity is all about) is entirely different.
No; 3 incorrect PIN entries on their website locks you out, and you have to get a reset. DoS of other people is made harder by also needing a customer number to login.
I believe that the logic behind ING direct is that by requiring you to use a mouse to click out your password it prevents key sniffers. And they show you a keypad being a bank.
There are banks that do this, but provide you with the full alphabet, as well as the numbers. The other banks that I've come across with this style also don't have a maximum password length. I believe that doing this would be an improvement - it gives you far more combinations.
There's really no point in restricting length or non-alphanumeric characters. They should be storing a salted hash, not the actual passwords, so the content of the password shouldn't matter.
It's really just laziness and incompetence on the part of the programmers.
And another thing that's incredibly irritating are these stupid sites that force you to type out your password (they don't let FF write it in the text field). How is that more secure! It just forces me to either use a simple password or write it down somewhere. My normal behavior is to use a totally different password for every site and let my browser manage it.
> There's really no point in restricting length or non-alphanumeric characters.
I agree, the only rationale I can think of for this is that these institutions don't want people to forget their passwords, but even then I don't understand why they would want that at the expense of security.
The irritating thing is that forbidding spaces discourages pass phrases. You can't use "the cat sat on my blue suede shoes", which is pretty secure yet easy to remember.
You could use "thecatsatonmybluesuedeshoes", but that may be harder to type accurately.
The argument I once heard for restricting length of a password (and possibly special characters) is that it would be harder to craft a buffer overflow (or SQL injection attack) with those limitations. I don't agree that this is a good solution, but it's not always good programmers/managers who are making these decisions. It at least sounds plausible.
That's a really bad argument. If password length is threatening to you, you have no business accepting passwords.
(Length also has almost nothing to do with SQL Injection, and if you're plugging a raw password into an SQL query you're doing something very wrong anyways).
In order to get that hash you'd have to process the password in its entirety. But really, if they're that concerned about the buffer I see no reason to cap it at 8 or 10 rather than 1000.
Eh. That seems unlikely, assuming you're not writing your own routines. At most you'd get an out of memory error. I can calculate the SHA1 digest of a 1Bn character string without running into that problem.
So let's cap the length at 100k characters and call it a day.
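As an added example (my own code, not from anyone in this thread), here is the kind of scheme complained about above (silent truncation to 8 characters and case folding before storage) beside a salted PBKDF2 store that accepts a passphrase with spaces, or a 100k-character password, without trouble. Function names, the 8-character limit and the storage format are my own choices for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed illustration of the anti-pattern: the site keeps only the
# first 8 characters, upcases them, and stores an unsalted SHA-1.
WEAK_MAX_LEN = 8


def weak_store(password: str) -> str:
    """Truncate, upcase, hash without salt: many distinct passwords collide."""
    normalized = password[:WEAK_MAX_LEN].upper()
    return hashlib.sha1(normalized.encode("utf-8")).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)


def salted_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 over the whole password with a random 16-byte salt.

    Record format (my own): 'iterations$salt_hex$hash_hex', so verification can
    recover the salt and work factor from the stored value itself.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def salted_verify(password: str, stored: str) -> bool:
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check itself leaks nothing.
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    phrase = "the cat sat on my blue suede shoes"
    # Under the weak scheme a different phrase with the same first 8
    # characters logs in; under the salted scheme it does not.
    print(weak_verify("THE CAT SAT ON A MAT", weak_store(phrase)))      # True
    print(salted_verify("THE CAT SAT ON A MAT", salted_store(phrase)))  # False
    print(salted_verify("x" * 100_000, salted_store("x" * 100_000)))    # True
```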
Google, MSN, Facebook, Twitter - They all already allow you to use anything you want for your password.
This is not strictly true - while Google et al might have a large set of permitted characters, there are nearly always restrictions on length. Google, for example, requires that their passwords be at least 8 characters long. While a long password does reduce brute-force attacks and shoulder-surfing, it nevertheless is a restriction.
Requiring long passwords is a restriction that leads to a more secure password. This site (it's called weakpasswords) is about restrictions that make your password less secure.
The site for my credit card requires a password that is no more than 6 characters -- talk about insecure.
Not necessarily. Oftentimes banks will set a hard limit on the number of unsuccessful attempts you can make before they lock you out entirely. Then you have to phone them and jump through a number of hoops to prove you are who you say you are, and then reset the password. If they do a really good job preventing brute-forcing, then having an un-brute-forceable password is not necessary any more.
The easiest example of this is debit card PINs. They are usually only 4 numeric digits, and yet are trusted by banks for direct access to accounts. This is because a) banks have sophisticated systems to track brute-forcing and other kinds of abuse, b) longer PINs are more prone to being written down, forgotten, and mistyped, and c) there are limits on how much you can purchase / take out per day, limiting the potential damage.
So you're saying that having more chars in the password or more number options in the PIN wouldn't increase security?
PIN requires you to possess a card with the account details and relevant security data. Yes they're clonable but you can't do a distributed attack on thousands of accounts that way.
Online, as many banks have leaked customer data, one can use a botnet to try common passwords against thousands of customer accounts (you may need to get account data elsewhere to do this or customer numbers may be guessable). 6 chars severely limits the passwords to try.
American Express is the worst offender. They don't accept my usually long passwords/passphrases so I had to conjure up a shorter password just for their system.
I cringe every time I log into the AMEX site. I cannot believe a financial institution as large and with the resources they have allows that kind of lax security. Even worse when you consider the business accounts that manage hundreds or thousands of corporate amex cards.
Yeah, ING Direct's password scheme is pretty lame. I assume the idea was to use a simple numbers-only on-screen keyboard to avoid keyloggers. Seems silly, since if malware were to target them it would obviously just track clicks instead.
Though to be fair, they ask additional security questions if you haven't previously logged in from that browser.
<megarant>Their model sucks. First I have to now remember (can be read as write down) a separate account number, a bunch of digits. Second I have to now create a PIN and I can't even use a keyboard to type it in.
Account creation at ING is also awful. I created my account, but did not yet "activate" it. Keep in mind that it did not tell me in any obvious way that I needed to take extra steps to activate the account. Once I tried to log in it started asking me questions like "What is your father's father's name?" and my answer was: you cannot possibly know that yet since I haven't told you. Eventually I figured that out.
Next comes the verification of my checking account. This was fun because I have a joint checking account and a joint ING account. Guess what: it made me AND my wife verify the same exact transactions. Seriously? It's just bad UX all around. Now that I've got it set up I am fine with using it, just the initial process was awful.</megarant>
Just 2 days ago, I got a call from Natwest bank (UK) from the credit card fraud team. Again. I duly called back and they explained that an attempt to use my card online failed at the Secure Code step. I explained to the caller that Secure Code is a piece of rubbish because it uses very weak passwords (alphanumeric only, 8 chars long) and it's the equivalent of protecting my money by wrapping it in a piece of paper. I refuse to sign up to it or use it because it is so rubbish.
He couldn't care less. So I asked him to file a formal complaint about this point. I doubt he did.
It is actually kind of secure because the card processor never gets or knows your extra code, but the implementation is atrocious since it requires the website wanting your money to display a webpage from your bank. The odds of that page integrating nicely with the website's payment flow are kinda non-existent, and it always sets my fraud alert spinning.
Visa calls it "Verified by Visa", actually. The common name is 3-D Secure. And yes, the implementation sucks, especially since you're dependent on the _issuing_ bank being able to keep their 3-D Secure server up (which serves the auth step).
Erm, Delta sure seems like an odd member of the list, doesn't it?
They require you to enter a SkyMiles number and a PIN, along with your last name... all of which is certainly not very secure information. But ultimately, all that gives you access to is viewing a person's SkyMiles account. It hardly seems to make sense alongside banking sites.
Access to a Skymiles account allows booking award tickets - in any name, as well as using any stored credit card to pay for part of the cost. I think it also allows redirecting email notifications to another address. I think the chances of catching the person responsible for a fraudulent use of such an account are higher than for a bank account, but the potential harm is pretty high.
How timely! Just last night I was frustrated by a stupid policy when changing my online banking password (my bank is now listed). I think his once-a-month policy could stand to be more aggressive, though.
Hey business owner. I see that you're using a faulty window lock on your back window and I'm concerned about my data. I took the liberty of posting on a town bulletin board details of this faulty lock along with other local businesses that have the same lock in hopes that the townspeople will pressure you into improving your window lock system.