Admin
TRWTF is the stupid characters in the password. If someone is watching over my shoulder, they can pick up three letters a lot more easily than they can the whole password. Especially since most people type their password in about a second, and they are probably going to have to stop and think about the individual characters. With any kind of automated tool like a keylogger or packet sniffer, it ain't gonna make a difference. Plus, you either have to ask for the same three letters all the time or store the whole password in plain text.
I can't think of a single advantage of the "enter the Nth character from your password" scheme, other than that it "feels" more secure to anyone who knows nothing about security.
Admin
Apparently Still Active
Edit: Beaten to it again, sigh.
Admin
I seriously doubt it - they couldn't ask for partial passwords if they did.
However, I think your password is probably one of the least important pieces of information that your bank is holding about you, and doing one-way hashes on your bank account balance might lead to a few difficulties...
Admin
Please tell me you are not serious.
I'll repeat what Mr. B said (slightly modified): I see your "look over the shoulder attack" and raise you a keylogger.
Admin
Yes, what a tragedy! I'd demand my money back if I were you.
Admin
9 does not equal 6, even for very low values of 9.
Admin
No string bets.
Admin
um, a keylogger doesn't log individual characters?
Admin
Whadda ya gonna do with em?
The keylogger doesn't know where the values fall in the password...it just knows three characters that are in your 6+ character password. It doesn't know which ones...so by the time you use those to figure it out, you've exhausted your login attempts.
Admin
That would imply that they ask for different characters every time. Which would mean they DON'T have the password stored in a one-way hash.
Admin
Note that (if it's like the Natwest system) it does only ask for the password letters in order, so with enough sets of data (and knowing that they're all on the bank login page) you could create the original password without too much difficulty, but it requires lots of sets of data to do this, compared with just one set of data if the bank simply asks for the password.
Strangely, restricting the number of used characters actually makes this harder to do, just using 20 random 'a' or 'b's makes it much harder than using 20 different characters.
Admin
Yes, they ask for different characters every time.
Why should they store the password as a one-way hash?
That only helps if some malicious person has access to the database. If someone malicious has access to the bank's database, they've got much bigger problems than someone being able to see what your password is.
If Joe Hacker says 'Ooh, I've gained access to HSBC's database, let's see what campkev's password is', then they are seriously lacking in imagination...
Admin
This is different from the system in the article, and yes, I would agree that it is more secure. Of course, the not asking for a particular character is kind of pointless. If they never ask for it, then the bad guys don't need it.
Admin
It depends on how Joe Hacker got access to the database, now doesn't it. Did he get the database from a backup off of a stolen developer's laptop? Or did he somehow get access to the live database? In the second case, I agree with you, it makes no difference. However, in the first case, he can take an unencrypted password and log in as me and start transferring money out.
Admin
And the one that's never requested in full is probably stored in plaintext, which negates the security.
Admin
OK, but if he got it from a backup off a stolen developer's laptop, you still have the fact that he now knows all the names and addresses of people with lots of money in their accounts...
Of course, no one would ever lose a laptop with an important unencrypted database on, would they!
The fact is that it is MUCH, MUCH more likely that a home user will have a keylogger on their PC, or will be daft enough to access their bank from an Internet cafe/kiosk, than that a bank would let a developer put a copy of a live database onto their laptop...
Admin
From the bank's perspective, that's true. But I'd prefer to not give my password to the people the bank has decided aren't malicious - sysadmins, DBAs, random employees who have database access through some WTF, ...
Yes, if they have database access, they can get to my bank info at that bank without needing my password. But what about all of the other places where I've used that same password, or a variant of it? Yes, I know, I should use a different password for every single site that wants one. But this is the real world, and in the real world there are too many sites, and my wife and I share access to them. So having totally unique passwords per site is not realistic.
Because of that, every software product I've ever developed has had a strict requirement that passwords should never be stored in plaintext. Ever. In some cases, there were even requirements about how long a plaintext password could be kept in memory.
Admin
Hehe... penetrating the backend.
My guess is each item has a unit (kg, box, bottle, etc), with "each" being the default. For some reason it's failed to realize that the price per unit isn't valid for "each" and printed it anyway, and that field was NULL, which converts to NaN. Perhaps someone decided to manually type in "each" as a custom unit instead of selecting it from a menu.
Admin
The passwords are probably stored using two way encryption, just not a one way hash.
Anyway, using the same password for your bank as for anyone else is a huge WTF... I use the same passwords for lots of places, but the bank has something totally different. If you use the same password for your bank, then you are relying on every place you use that password to not store it in plain text anywhere (including logs). Doing that with a bank password is just foolhardy.
I have 3 main passwords, an easy one for those sites which don't really need a password (e.g. forums etc), and a couple of harder ones for shopping websites (depending on whether they store my card details). On top of that, each online bank I use has a totally different (and much longer) password.
Admin
Exactly. It doesn't matter how long your password can be if an attacker only needs 3 digits of it.
Using other things the account owner knows, like digits of their PIN number or letters from their favorite pet's name, makes absolutely no difference. Their original password could have just as easily been a concatenation of this information.
It doesn't matter where they come from; 3 digits, 6 digits or 9 digits are still just that. You can keylog or shoulder-surf that information just as easily as a traditional password. If you have a software keylogger in place, you could easily be capturing packets or the browser cache as well, so you would know which digits were entered if it does change. Even with only one session captured, if you go visit that bank website once a day until it asks for the same digits, you're in.
I agree with the person who said this scheme only feels more secure to users who don't understand security.
Admin
Am I missing something?
You've forgotten your PIN or your password. Suggested solution -- re-register which requires that you know... your PIN AND your password. Genius!
Side note -- it says it's a password for TELEPHONE banking so doesn't it have to be available to the telephone operators? So a one-way hash wouldn't work.
Admin
The issue is that it was edited as such. The original material was (we presume) correct, the editor made it wrong. That's a big mistake. I wouldn't expect an American to know British supermarkets, but I'd expect them to realise that "Sainsbury's" might be a business name not a place name, and thus to leave the text alone.
Admin
Reraising to keylogger that also takes screenshots. Many do.
Admin
I see your keylogger, and raise suspicions as to who the heck put a keylogger on my computer!
Admin
I found a WTF trying to open this link. My company blocked it as R-Rated. I was curious, was it just the article that was NSFW? Nope: [image]
Admin
[quote user="ThomsonsPier"][quote user="JC"]they were hurtling down the M4 around J8.[/quote] Hurtling? I used to commute that way. The word you seek is 'crawling'.[/quote]
Actually, M4 J8/9 is a whole WTF in itself. It's the only junction in the UK motorway network that has two numbers (on the same motorway, that is. I know where motorways cross they have different numbers) and the A404(M) which goes off it has only two junctions, numbered 9A and 9B. See http://pathetic.org.uk/current/a404m/ for details. In a subsequent life, I used to be a courier. That area drove me crazy.
Admin
You are missing one of the big advantages of a one-way hash. It not only protects the customer, it protects the bank. Customer is dumb enough to have his password stolen either through malware or just being dumb enough to write it down and lose it. He then claims that he didn't write it down and has no malware on his computer and is trying to blame an employee of the bank. Or bad guy who gets caught has a grudge against someone at the bank and "rolls over" on him to get a lighter sentence or just take someone else down with him. Life is a whole lot simpler when you can say, "Sorry, we don't even have access to your password ourselves."
Admin
Or the American News Anchor who announces a story from Australia. The reporter begins by explaining they are in a town in New South Wales (a state in Australia - in fact the state Sydney is in, so hardly an obscure fact). Once the clip is finished, the Anchor points out to the audience "That story was in fact from New South Wales, and not from Australia."
Admin
How's that gonna work?
Wouldn't it need your ENTIRE password to recreate the hash (if it used one)?
<TROLL!!!!> Maybe they've hashed each character individually. </TROLL!!!!>
Admin
I see your Keylogger, and take some happy snaps of your screen....
As for CAPTCHA - I almost always seem to have seen the ones people always come up with, and have almost always thought similar things to what they do. I guess I'm not all that original after all....(I'm unique - just like everybody else)
Admin
But assuming you don't find the keylogger over some period of time, and that the bank always asks for the earliest character first, you can start to build up likely combinations.
That being said, people who want to steal your bank information have learnt that hacking a large network is more profitable - they can potentially get LOTS of bank information. A (standalone) home computer is of little interest to them. (Consider how many people do banking at work - sure it's (supposed to be) harder for hackers to get in, but the rewards are far greater.)
Frankly, if you're not running software to find and remove loggers and screen dumpers then you can't really complain. The best security a bank can have are the remote tags that generate a session code (my bank will send something to my mobile for change of detail 'transactions'). Someone then needs to know your details AND steal your token/phone....
Admin
I don't think banks really understand telephone passwords. When I created one with my bank, they never asked me how to spell it - yet each time since then they have. How do I spell a password that I didn't spell in the first place? The spelling SHOULD be irrelevant. This means the operator shouldn't have to enter it into their terminal, rather it should appear on screen with the rest of your information - you just have to pray that the person who originally entered your verbal password and the person now requesting it are on the same wave-length (try using something like lieutenant in places where some people pronounce it 'left-tennant')...Never really understood the point of verbal passwords.
As for encrypting the password, if it really is necessary, then even reasonably weak encryption may suffice. Unlike with encrypted text in large chunks, the frequency of letters in passwords is not the same as in normal English (vowels score much lower). While I wouldn't use a simple shift cipher, it would probably be sufficient to have a string of 10 (or more - less than 26 in this case) characters, and 'add' the password to the first n of these characters (repeating them if necessary). Frequency attacks would be hindered not only by the extra options (numbers, both upper and lower cases and special chars), but also by the fact that the frequency distribution of letters is greatly changed from the norm (although I'd say something like @ would be a VERY frequent character).
Admin
So why do they try? Password entered in a text box should suffice. Why do banks require clicking patterns (or changing keyboards) on the screen. Why do they appear to spend so much time to appear secure - multiple failure=logout to combat brute force, this sort of stuff to avoid loggers, etc...
Maybe people are right - so that the customer has a SENSE of security, rather than actually having security.
I can detect how much light is coming off the monitor from a distance and work out what's on the screen from there....
Admin
TRWTF is that the title for this story is "Sooo Jealous " (note the extra space).
Admin
Oh wow.
I don't think you really understand passwords, security, or cost-effectiveness in relation to business.
Please, please, please be a troll (especially regarding 'The spelling SHOULD be irrelevant,' 'it should appear on screen with the rest of your information,' and the whole encryption weirdness).
Admin
I assumed he meant it should appear on the screen of the bank person, not the user (who is on a telephone, not a computer)...
But strange, nonetheless
Admin
I think the point is that he provided the password verbally when it was being set up without being asked for the spelling. Now he's being requested to spell it while using it, he's relying on the person who originally entered it to have spelt it correctly (considering that he has apparently managed to do this several times, I'd assume this was the case). This is a stupid way of going about things.
I think the problem is probably with not being asked to spell it originally though. If that was by design and the screen displayed the password to cope for it, it would be potentially possible for a charismatic malicious person to trick their way into using the right password.
Admin
Did anyone else pick up that asking a user to enter the Nth character of a password guarantees that the bank is storing passwords in cleartext?
Admin
Must be a pretty special one-way hash algorithm if it can get the same result from both the full password, and only three letters thereof. (Or else it only stores three letters of the password?)
At best, the three letters are stored in something you could almost certainly rainbow-table in a hurry.
Admin
While it suggests that, it doesn't guarantee it....
They may hash each character (or append something to it and then hash it).
They might be enciphering using basic encryption (substitution, shift, etc).
Expensive, but not impossible.
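The two storage options argued over in the comments above (a hash of the whole password versus hashing each character separately so that "give me characters 2, 5 and 8" can be checked) can be put side by side in code. The following is an added example, not code from the article or from any bank mentioned in the thread; the password, salt and alphabet are constructed sample values. It shows that the whole-password hash can only answer a full-password query, while the per-character table answers positional queries but is recoverable by anyone holding it, because each position has only as many possible preimages as there are printable characters.

```python
import hashlib
import hmac
import string

# Constructed sample values for a deterministic demo. Real code would draw the
# salt from os.urandom() and store it alongside the hash.
SAMPLE_PASSWORD = "Tr0ub4dor"
SAMPLE_SALT = b"demo-salt-0001"
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def hash_full(password: str, salt: bytes = SAMPLE_SALT) -> bytes:
    """Conventional storage: one slow, salted hash over the whole password.

    Nothing about a single character can be derived from this value, which is
    exactly why a 'characters 2, 5 and 8' prompt cannot be served from it.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_full(stored: bytes, attempt: str, salt: bytes = SAMPLE_SALT) -> bool:
    """Constant-time comparison of a full-password attempt against the stored hash."""
    return hmac.compare_digest(stored, hash_full(attempt, salt))


def _char_digest(position: int, ch: str, salt: bytes) -> bytes:
    # One digest per (position, character); the position is mixed in so that
    # identical characters at different positions do not produce equal digests.
    return hashlib.sha256(salt + position.to_bytes(2, "big") + ch.encode()).digest()


def hash_per_char(password: str, salt: bytes = SAMPLE_SALT) -> list:
    """Per-position storage that makes partial-password prompts possible."""
    return [_char_digest(i, ch, salt) for i, ch in enumerate(password)]


def verify_positions(stored: list, positions: list, chars: str,
                     salt: bytes = SAMPLE_SALT) -> bool:
    """Check the characters a user typed for the requested 1-based positions."""
    if len(positions) != len(chars):
        return False
    ok = True
    for pos, ch in zip(positions, chars):
        idx = pos - 1
        if idx < 0 or idx >= len(stored):
            return False
        # Accumulate rather than short-circuit so timing does not reveal which
        # position failed.
        ok &= hmac.compare_digest(stored[idx], _char_digest(idx, ch, salt))
    return ok


def recover_per_char(stored: list, salt: bytes = SAMPLE_SALT) -> str:
    """Why the per-character table is as good as plaintext to whoever holds it.

    Each stored digest has at most len(ALPHABET) candidate preimages, so the
    whole password falls out after a few thousand hash calls. The same trick
    against hash_full() would need the entire password space.
    """
    recovered = []
    for idx, digest in enumerate(stored):
        for ch in ALPHABET:
            if _char_digest(idx, ch, salt) == digest:
                recovered.append(ch)
                break
        else:
            recovered.append("?")  # character outside the demo alphabet
    return "".join(recovered)


if __name__ == "__main__":
    full = hash_full(SAMPLE_PASSWORD)
    table = hash_per_char(SAMPLE_PASSWORD)
    print("full-password check:", verify_full(full, SAMPLE_PASSWORD))
    print("positions 5,1,9 check:", verify_positions(table, [5, 1, 9], "b" + "T" + "r"))
    print("recovered from per-char table:", recover_per_char(table))
```

The takeaway for the "does it guarantee plaintext?" question: a per-character scheme need not literally store plaintext, but whatever it stores must be queryable one character at a time, and a one-character search space is small enough that the distinction does not buy the customer anything. Only the whole-password hash gives the bank the "we can't see it either" property argued for earlier in the thread.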
Admin
Not even expensive if it's simple encryption.
I suppose you start to consider why you encrypt/hash things (as mentioned by a plethora of people before me). Given the pin is (presumably) hashed, they can verify that the user knew the pin, so there is little fear that someone inside the bank is playing shonks.
If someone breaks their system to get a plaintext password, they would probably be able to get into far more interesting information than account details - in fact, they're probably in far enough to do everything a password would allow them to - and more.
Admin
I assumed he meant it should appear on the screen of the bank person, not the user (who is on a telephone, not a computer)...
And there are very good reasons for the bank person not seeing it, too. That was my point there.
Admin
I think the screenshot of Ulster Bank is a particularly generous one. I know I've tried to log on and I've been asked for the 5th, 1st and 10th digits of my password, effectively meaning you have to go through your password three times for a single log on; get it wrong twice and you're locked out and have to go through quite a painful process to get your account unlocked. I really think it's one of those log on systems that you have to see in action to believe.