Banks still don’t get online security

I was changing my Chase account password online when I came across this mess.

Change password page

And establishment IT strikes again.

You idiots still don’t get it

I can understand this limitation for usernames, but passwords too? Clearly, Chase thinks it knows better than people who want to take a proactive approach to their passwords.

Between bunny123, MonkeyWrench5875 and cNF7k=RsF$M4p, which do you think is the most secure password? Hint: the one not likely to show up pre-hashed in a rainbow table.

This forced dumbing down is just because whoever wrote it clearly didn’t bother with, or wasn’t able to put in, proper filtering to make sure there’s no SQL injection taking place.

I don’t believe there should be any limits up to maybe 600 characters since hashing is universal. I should be able to write a password in Kanji or Sanskrit if I so please and maybe even an entire sentence with numbers. Why in the name of all that is holy would you be this lazy with something simple like a password?
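To make the point above concrete, here is a small password-change handler added as an example (it is not Chase's code, nor anything from the original post). It assumes a constructed in-memory SQLite table and a PBKDF2 work factor picked for illustration. The password is salted and hashed before storage, so the server never needs a length cap or a character blacklist: a 300-plus character Japanese passphrase with SQL metacharacters in it is stored and verified safely because the query is parameterised and the password bytes only ever reach the KDF. The per-user random salt is also what makes a precomputed rainbow table useless, which is the point of the bunny123 comparison.

```python
import hashlib
import hmac
import os
import sqlite3
import unicodedata

# Constructed in-memory stand-in for a bank's user table (not Chase's schema).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")

PBKDF2_ROUNDS = 600_000  # assumption: work factor chosen for illustration


def _password_bytes(password: str) -> bytes:
    # NFKC-normalise so the same Kanji or Devanagari passphrase typed through
    # different input methods hashes identically, then hash the UTF-8 bytes.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def set_password(username: str, password: str) -> None:
    """Store a per-user salted PBKDF2-HMAC-SHA256 hash of an arbitrary password.

    No length cap and no character blacklist are needed: the password bytes go
    straight into the KDF, and the query is parameterised, so quotes, semicolons
    or SQL keywords inside the password are just bytes, never SQL.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _password_bytes(password), salt, PBKDF2_ROUNDS)
    conn.execute(
        "INSERT OR REPLACE INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, digest),
    )
    conn.commit()


def verify_password(username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", _password_bytes(password), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def stored_hash(username: str) -> bytes:
    """Return the stored digest; used to show that equal passwords hash differently."""
    return conn.execute("SELECT pw_hash FROM users WHERE username = ?", (username,)).fetchone()[0]


# Constructed sample: a long Japanese passphrase with SQL metacharacters mixed in.
LONG_PASSPHRASE = ("吾輩は猫である。名前はまだ無い。" * 20) + "'; DROP TABLE users; --"

if __name__ == "__main__":
    set_password("alice", LONG_PASSPHRASE)
    set_password("bob", LONG_PASSPHRASE)
    print(len(LONG_PASSPHRASE), "characters stored")
    print("alice verifies:", verify_password("alice", LONG_PASSPHRASE))
    print("wrong password:", verify_password("alice", LONG_PASSPHRASE[:-1]))
    print("same password, different hashes:", stored_hash("alice") != stored_hash("bob"))
```

Two things worth noting: the only place a length limit ever becomes necessary is a denial-of-service bound on the KDF input (a few kilobytes is plenty), and some KDFs do silently truncate (bcrypt at 72 bytes), so the choice of hash is part of the decision to allow long passwords.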

Is it any wonder that financial institutions are being targeted by hackers as ruthlessly as they are? They know the banking world is full of these. If you’re trying to advise customers on security procedures, why would you put in this glaring shortcoming? Whoever came up with this limitation should be fired on the spot. If your banking software is as arcane as your security, then what else is hiding in there?

If you want to create passwords that are impossible to guess, yet easy for you to remember, try out my password generator. You can take a phrase like “Scooby Doo Where are you” and turn it into a password like s19D4@w23a1$y25 with all the bells and whistles turned on. Make passwords out of lines from out-of-print books, some secret shared with a loved one or even a phrase in another language transliterated into English (my favorite technique).

Of course, no secure password in the world will help you if the institutions you depend on aren’t willing to accept them for stupid technical reasons.

7 thoughts on “Banks still don’t get online security”

  1. With your password generator, I get the password generation bit, but once we have our secure password, what’s our trick to remember it? Are we to plug the same phrase into the password generator with the same settings each time we need to recall the password? Or am I missing something obvious? Or is it just what it says it is – a password generator?

    • Humans just don’t remember random bits of string, especially passwords, nor are our brains built for that purpose. What we do remember is the original piece of cloth the bit of string came from.

      The idea is to remember the phrase that generated the password, not the password itself. ;)

      In the generator page, there’s a link to an older post I made on mnemonic password generation. This utility is just a handy tool to expedite the process, but you could do this with just a pen and paper. Of course you’d have to destroy the paper after you’re done re-generating the password from your mnemonic.

      • So we use the utility, put in our remembered phrase, use the same settings as we used to create the password, and out pops our secure password time after time. Do I have the concept now? And is this little utility of yours in the App Store yet? ;)

      • That’s exactly how I’ve started generating my passwords: a Chrome plug-in that generates a hash from 1) a master password, and 2) the base URL of the site I’m logging into. So far I really, really like it…except when I encounter some asinine password requirements, like for BANKING WEBSITES SJDfewajg9r8j23W48AJFKACVragequit

      • Infuriating isn’t it?

        It’s just laziness, pure and simple. When some people are comfortable with what they know, they’ll fight tooth and nail to not know more since the more you know, the more they’ll be doing.

        The danger of tenure in the IT industry.
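Both the post's phrase-based generator and the commenter's master-password-plus-URL plug-in are deterministic derivations, so the thing to remember is the input, never the output. The example below is added here and is neither the author's generator nor the commenter's Chrome plug-in: `mnemonic_password` is a hypothetical phrase transform (its output for the Scooby Doo phrase will not match the one quoted in the post), `site_password` derives a per-site password by stretching a master password with the site's host name as salt, and `RESTRICTIVE_POLICY` is a constructed rule set modelled on the complaint, not Chase's actual policy. The policy check at the end is the failure mode the thread is about: a correctly generated strong password that the site simply refuses.

```python
import hashlib
import string
from urllib.parse import urlsplit

SYMBOLS = "@$!%&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 68 characters
KDF_ROUNDS = 100_000  # assumption: work factor for illustration


def mnemonic_password(phrase: str) -> str:
    """Hypothetical phrase-to-password scheme (not the author's generator).

    Each word contributes its first letter, case alternating by position, plus
    its length; every third word is prefixed with a symbol. The phrase is the
    only thing to remember, because the output is a pure function of it.
    """
    parts = []
    for i, word in enumerate(phrase.split()):
        first = word[0].upper() if i % 2 else word[0].lower()
        symbol = SYMBOLS[i % len(SYMBOLS)] if i % 3 == 2 else ""
        parts.append(f"{symbol}{first}{len(word)}")
    return "".join(parts)


def site_password(master: str, url: str, length: int = 20) -> str:
    """Per-site password from a master password and the site's host name, the
    approach the commenter describes (assumed construction, not the plug-in's).

    PBKDF2 stretches the master password with the host as salt; derived bytes
    are mapped onto ALPHABET by rejection sampling so no character is favoured.
    """
    host = (urlsplit(url).hostname or url).lower()
    limit = 256 - (256 % len(ALPHABET))  # 204: drop bytes that would bias the map
    chars, counter = [], 0
    while len(chars) < length:
        block = hashlib.pbkdf2_hmac(
            "sha256", master.encode("utf-8"), f"{host}|{counter}".encode("utf-8"), KDF_ROUNDS
        )
        chars.extend(ALPHABET[b % len(ALPHABET)] for b in block if b < limit)
        counter += 1
    return "".join(chars[:length])


# Constructed policy modelled on the complaint: short cap, letters and digits only.
# It is not Chase's real rule set.
RESTRICTIVE_POLICY = {"max_len": 16, "allowed": set(string.ascii_letters + string.digits)}


def accepted_by(policy: dict, password: str) -> bool:
    """Would a site with this policy accept the generated password?"""
    return len(password) <= policy["max_len"] and set(password) <= policy["allowed"]


if __name__ == "__main__":
    pw = mnemonic_password("Scooby Doo Where are you")
    print("mnemonic:", pw, "accepted:", accepted_by(RESTRICTIVE_POLICY, pw))
    site = site_password("correct horse battery staple", "https://www.example.com/login")
    print("site:", site, "accepted:", accepted_by(RESTRICTIVE_POLICY, site))
```

Deriving from the host name rather than the full URL is what lets the same password come back for the login page and the account page; the flip side, which a real tool has to handle, is that the derived password changes if the bank ever moves to a new domain.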
