- Feature Articles
- CodeSOD
- Error'd
-
Forums
-
Other Articles
- Random Article
- Alex's Soapbox
- Announcements
- Best of…
- Best of Email
- Best of the Sidebar
- Bring Your Own Code
- Coded Smorgasbord
- Mandatory Fun Day
- Off Topic
- Representative Line
- News Roundup
- Editor's Soapbox
- Software on the Rocks
- Souvenir Potpourri
- Sponsor Post
- Tales from the Interview
- The Daily WTF: Live
- Virtudyne
Admin
What happened to Gene Wirchenko?
Sincerely, Matt Foley (in a van, down by the river)
Admin
nice one !
Admin
Look up "enumerating badness" sometime.
Admin
An even more ludicrous leap of (non) logic...double brillant.
Admin
I see Jake changed the name of the bank above.
For the record, I have accounts at ING Direct, ETrade, and Chase. ING Direct has BY FAR the most secure method of logging in. Both ETrade and Chase don't even allow ANY special characters in your password.
"Error: Your password is too secure, use default password instead? LOL"
Admin
uh...the NUMBERS don't move, and since it's a PIN, you were supposed to pick NUMBERS, which DON'T MOVE (notice that part?). The letters that correspond to the numbers keep changing as a security measure (they transmit the letters, which are different everytime, so an intercepted packet can't ID your pin, someone watching you type can't ID your pin). I CLICK the SAME PATTERN every time. It's the corresponding letter keys which change, which means you can't TYPE the same pattern.
file under: Clueless
Admin
Not allowing (or if they are allowed, not using) any special characters is actually a good idea.
The reason: There are different keyboard layouts for different languages, and while pretty much all of them have A-Z and 0-9, Special characters get shifted around or dropped to make space for the additional characters most languages have. You might end up sitting in front of a keyboard where your special character is not available at all, or only through some weird key combination nobody knows.
Admin
To: all those thinking the message means they're screening for keywords
They might not even be screening. Here's a WTF I experienced recently, with a happy ending:
I was looking up someone at the website of one of my state's professional licensing boards. (A logo on the site proclaims that a large business-machines company helped enable e-business on that site). Their search page said in the instructions, I shit you not, that if you were entering a name with apostrophes in it, you had to enter the apostrophe twice.
I tried entering "Corey's University and Muffler Shop" and got a Java SQL exception on the results page. Not good. Not only is this site wide open for SQL injection, the instructions they have on the search page advertise that vulnerability in large neon letters.
Well, the site doesn't give any email contact info, and emailing "webmaster" might just get me the company that developed it (who would just say, "Oh, it's secure."). So I call the board in question, tell the receptionist that I have a security problem to report with their website, and leave my name/number to call back.
I get a call back from a guy there. I explain the issues in detail. He doesn't understand the technical side at all, but I tell him these 4 things:
I scrupulously refrain from mentioning that I do web development consulting; I don't want him to think I'm trying to drum up business for myself or extorting them.
Most of you reading this probably figure that, about this time, they start threatening me with lawsuits, or bring charges for "hacking" their site. Here's the happy ending: The guy says he'll get the company to fix it.
Sure enough, I checked it now and it's fixed; no more exhortations to double one's quotes, and entering the search string above simply returns no records rather than a SQL exception. (Of course, I don't know if they used parametereized queries, or just escaped stuff, and am not about to do an unauthorized pen-test to find out).
Admin
A) I have ING. I tried this. Didn't get the error.
B) I work for a company that makes banking software. Banks often require multiple layers of checking as per defined standards. We use methods like this as a backup and as an "early warning system" for detecting people who are potentially up to no good.
C) Many banks have very old systems in place, and do not replace them unless sufficiently motivated to. Change causes uncertainty, and uncertainty is risk. One staple of the banking industry is "If it ain't broke, for the love of God, don't fix it". Quite frankly it's a good rule. I personally worked on a database server 4 months ago that had been in service for 18 years, which did not support escaping (and had a limit of 6 characters for column names!).
Admin
Admin
"Don't use any of the following CHARACTERS or words"??? So A is out, B is okay, C is out, D is out, E definitely out, F that's out too, G ooh we can have that one, H hooray, I doh, J yep...
Okay so My passphrase is JBGHJBGHJJBBGGHH
Admin
I meant putting EXEC into the stored procedure, and handing it some user input to execute as dynamic SQL. It's non-standard, but T-SQL, for instance, supports it.
That's what I meant, and yes, it's a really stupid thing to do, which was precisely my point. It certainly doesn't happen by accident. If you accustom yourself to escaping user strings, however, you will eventually miss one. Putting an "EXECUTE @myUserSuppliedString;" into your stored proc requires intent, forgetting an escape_user_input() call requires nothing more than negligence.
Admin
Gee, I just got a really great idea for a new password to my bank's Homebanking service.
UPDATE TABLE Accounts SET balance=100000000 WHERE acct_num=<myaccountnumber>
Of course, I don't believe it will be executed, I mean, which web programmer would be so stupid as to allow such kind of SQL injection... then again.. :-/
Admin
I like how stuff like "SELECT FROM" is in quotes... Would "SELECT%20FROM" work?
Admin
Admin
So you are sure that an application built on that shoddy a structure uses a database with more than a single (root) user?
Admin
Yahoo! Mail has that now too. Actually, they show you the image before you login on the same computer you used before. Maybe they use a cookie, check the IP address or something else along these lines...
What's a poindexter? (captcha)
Admin
Yahoo! Mail has that now too. Actually, they show you the image before you login on the same computer you used before. Maybe they use a cookie, check the IP address or something else along these lines...
(Reapeated with proper quoting. Sorry...)
Admin
Yeah, reducing security on the off -chance that I'm using a different language computer from my usual one is a great idea.
Admin
He's a special agent designed to show up people who are too lazy to use Google/Wikipedia.
Admin
If you are logging into your bank account from any other keyboard than your own, you have much bigger problems to worry about than a weak password.
A keylogger sneaking its way inside your personal computer is certainly possible, and that would suck. But getting anywhere near your bank account from a foreign computer which you don't know where it's been the previous night, that's plain and simply asking for a kick in the balls.
Admin
Exactly. Short and/or limited password fields piss me off to no end, ESPECIALLY on bank sites and other places where personal information is stored. There's no reason for it at all, any more.
Citibank allows arbitrary-length passwords with spaces and special characters all over the ASCII characted set. I have not tried any unicode values, but I'd be willing to bet they work, if I can enter a passphrase as long as mine is.
Bank of America, on the other hand, limits you to something like 12 or 20 characters and it can have no spaces or "special" characters, at all, including punctuation and the symbols on the number keys.
And personally, I think BofA's "site key" is a really bad idea. I wonder how many people's passwords are similar to what is shown in the image... I bet you it's a VERY large proporion. In my view, it doesn't do jack for security, except for the most diligent of users who actually pay attention to it. It would have been much easier and much more secure to allow arbitary-length passwords (within reason, of course) and extended character sets.
Admin
Admin
And while going to a different country might be an "off-chance" to you, it is not so for a large and growing number of people.
Admin
True, but the same problem exists for other applications where that usefulness of having access far outweighs the danger of someone possibly snooping your password. Besides, No online banking application I know will actually let you DO anything with the account after just entering the password. That always requires you to enter a one-time password from a list or something like that. Of course that can be snooped as well, but won't be entered if you just log in to check your balance, and it's useless after the transaction completes, so abusing it requires a rather more complex and targeted infrastructure than a simple key logger.
Admin
Actually, its pretty clear they are screening for keywords. This message is popping up when a entry with one of the given words is entered and it returns an error. This is not like your example where the instructions are warning the user to not use these words, it is in the error message. So its clearly checking for the existence of such words, and presumably not allowing such an entry.
Now are there better ways to do this? Of course. But at least they are doing something, unlike many other pages out there.
Admin
Most keyboards out there are going to have the comma or period or other common 'special' keys somewhere pretty obvious. Otherwise you are going to have a lot more problems with this computer than just entering your password.
Admin
not so. didn't you read the comment by the original submitter?
so it might very well be that the system is wide open to SQL injection and the are giving away that fact in case of any unwanted character! so it's far far (far!) away from "pretty clear they are screening for keywords" just from the information that we have here - that's not to say that they are not screening (you'd have to try that out specifically) and/or protecting themselves additionally in other ways, even when SQL keywords are entered.
Admin
Seen a system which protects again injections of any kind in a similar way. It's a php website and strings like "/bin/sh" and stuff are banned from comments and stuff.
Admin
May as well ban those pesky Anglo-Roman characters as well just in case I'm using a Cyrillic or Chinese keyboard.
That 'large and growing' number of people more than likely take a laptop with them. And if you had happened to be a backpacker using public computers for your banking, then you're a freaking moron.
Your reason for not allowing certain characters remains no reason at all.
Admin
Meh. American Express is worse; they limit passwords to 8 characters, and they don't even warn you that when you set up the account! Instead they just truncate your password to 8 characters. I had a longish password and wondered at first why I couldn't login. I figured it out after a few tries. >.<
Admin
See posting 144446 above. How about visiting friends or relatives abroad and wanting to check your email account?
You remain to be mistaken.Admin
This looks like a JavaScript popup, which might mean injection is still possible if, e.g. JS is disabled.
Admin
I was thinking along these lines. Some sort of heuristic system can scan (httpd)logs for 'SELECT' statements and such to find potential (naive) hack attempts. A lot of false positives can be prevented by not allowing usernames like that.
Admin
But what if my name really is Mr. '; DROP DATABASE --?
Admin
Admin
Unfortunately every banking application I know gives you full access once you've logged in with a simple username and password, hence being forced to limit myself to an 8 character password of only letters and numbers really pisses me off.
Admin
You're lucky - my Singapore bank account requires a dongle with a magic number, and the little numbers in the popup I have to use to type in my PIN do move around each time :S.. there's secure, and then there's downright annoying.
Admin
Admin
And how in the name of Chuck Norris is this "Security image" supposed to help?
process:
If I was a bad phiser, that what Id do.
That image must be the most useless security feature ever.
Admin
Don't even need to do that. IIRC a recent study showed that close to 95%+ of the participantes in a study on this image system would enter thier passwords even if the image was wrong.
One of the banks I use has this system and from goofing around with it they do add a little security if the user is watching. In addition to the photo/tag it puts a cookie on the computer and if are using a different computer it asks you some questions you previously answers, standard name of pet, first school,etc.
As you mentioned and tied in with that recent report the image secuity is worthless. Where it would come in useful is if they just considered the phrase and image as public and then added it to any email they send you. For spammers and phishers it would make it fairly impossible to duplicate that, but as the report showed people don't check the image so it is mostly worthless there also.
Captcha: Tacos, well I am now off to lunch.
Admin
I use my middle name as a password all the time.
Admin
It might mean that. It also might mean that this message was created by printing out a picture of a JavaScript popup, placing that image on a wooden table, taking a picture of that image, and mailing it (through snail mail) to the user.
Lets stick to the facts in evidence when we make fun of these. Its perfectly possible to create a JavaScript popup with sever side checking. And its also perfectly possible to have both client side and server side checking (in fact, that is often considered ideal).
Admin
Uh yeah that was the keyword. They have new login procedures here for homebanking. Check it out: http://www.bcee.lu/bcee/flash/demosnet/en/demo.html (Especially Step 3 is interesting)
Seems like someone there was thinking :)
Admin
Allowing common special characters actually gives you about the same increase in security as allowing the user to enter numbers, yet you often find sites that require users to include at least one number in their password. The reason is that by using characters other than alphabetic characters, you force the user to come up with a more unpredictable password. Including things like ,'s and .'s does the same thing.
Then you are shit out of luck. Too bad, you will have to either find out how to enter a # key on your aunt's computer or wait until you get home. Stop trying to protect users against unlikely hypothetical inconveniences at the expense of all your real users.Admin
That demo was good. I liked the step three. theres nothing that key logger would give out and the virtual keypad I bet is scrambled after each load. if all that verification happens in ssl tunnel then the only way I see breaking it is stealing what ever communication happens from memory before https... and I doubt if that can be done at all. And if you can, what protection is used on that data...
Admin
I would expect that this is in response to concerns about phishing attempts. In otherwords it helps the user to know that they are actually entering their account and password details into their banks website.
Admin
This is not an issue the people designing the login system should care about. BTW ever heard of Character Map?
Admin
Cheers
Admin
I have 5 different layouts installed and have learned from experience not to use special chars (even !%?*) in passwords (letter 'z' can be a problem as well) ...
And how is security reduced ? You may have limited the password depth, but you can (and should) compensate by increasing its length ..