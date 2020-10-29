Geekzone: technology news, blogs, forums
Westpac case sensitive passwords
JonnyCam
#279633 29-Oct-2020 11:02

I've asked Westpac a few times in the last few years (since early 2018 when they launched Westpac One) why they don't have case sensitive passwords on their online banking.

They've responded in the past that increasing complexity just makes people write the password down, so it's less secure.

Pointed out that their own security guidance on the site said to use a mix of upper & lower for a strong password. - To fix this anomaly, they removed that guidance :)

I was talking to them about something else - asking if they would consider having their Online Guard OTP codes generated in the Westpac One app (fingerprint protected) instead of insecure SMS codes.

Again, I brought up the password issue, then asked if their staff need to use a strong password to login, and if so - why their customers don't get the same courtesy (I'm also not sure what the impact on their PCI compliance would be with me accessing their systems with a case insensitive password).

They have confirmed as of today, passwords are case sensitive. I've tested mine, but being cynical can someone else try theirs in the wrong case and see that it fails?

Yogi02
#2593152 29-Oct-2020 11:11

Mine's case sensitive - failed using wrong case.

timmmay
#2593159 29-Oct-2020 11:21

How could case insensitive password even work? For security passwords should be salted and hashed with the resulting hash stored, logins hash the password sent in to see if the user gets access. Case insensitive implies they used to store the password, or do something else tricky to work around the hash thing.

BlinkyBill
#2593163 29-Oct-2020 11:31

Why is hashing/salting passwords more secure compared to using a complex password generated by a tool like 1Password? Aren’t there de-hashing algo’s out there?

timmmay
#2593164 29-Oct-2020 11:33

BlinkyBill:
Why is hashing/salting passwords more secure compared to using a complex password generated by a tool like 1Password? Aren’t there de-hashing algo’s out there?

If a company hashes and salts a password then stores the result they are effectively not holding a user password, and therefore they cannot leak it. Read up on SHA256 - a hash is a one-way mathematical function.

JonnyCam
#2593165 29-Oct-2020 11:35

timmmay:
How could case insensitive password even work? For security passwords should be salted and hashed with the resulting hash stored, logins hash the password sent in to see if the user gets access. Case insensitive implies they used to store the password, or do something else tricky to work around the hash thing.

To be honest, I hadn't even thought of that part. I didn't have to save my password again, so they didn't remove case when I last changed it. What are the other tricks (except storing multiple versions of a hashed password in different case combos)?

darthkram
#2593167 29-Oct-2020 11:36

timmmay:
How could case insensitive password even work? For security passwords should be salted and hashed with the resulting hash stored, logins hash the password sent in to see if the user gets access. Case insensitive implies they used to store the password, or do something else tricky to work around the hash thing.

The way to do this would be to convert the password to lower (or upper) case before it is hashed/salted. This way you can get around needing to store multiple versions/the password in plaintext.

When a user logs in, before checking against the stored hash just do the same operation on what the user typed in.
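An added example (not Westpac's code, and not posted by anyone in this thread) of the scheme darthkram describes: the password is case-folded before it goes into a salted PBKDF2 hash, so the store still holds only a salt and a hash, and the login check applies the same folding to what the user typed. It also shows what the folding costs (every cased letter halves the attacker's search space) and one way a site could switch to case-sensitive checks without forcing a password change, by rehashing the exact string the user typed at their next successful login. The iteration count, record layout and sample passwords are assumptions made for the example.

```python
# Added example, not Westpac's code: case-insensitive password checks on
# top of a salted hash, done by folding case before hashing.
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

ITERATIONS = 100_000  # assumed PBKDF2 work factor for the example


def normalise(password: str, case_sensitive: bool) -> bytes:
    # NFKC so the same visible string always hashes the same way.
    text = unicodedata.normalize("NFKC", password)
    if not case_sensitive:
        text = text.casefold()  # Unicode-aware lowercasing: the "convert before hashing" trick
    return text.encode("utf-8")


def hash_password(password: str, salt: bytes, case_sensitive: bool) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalise(password, case_sensitive), salt, ITERATIONS)


def new_record(password: str, case_sensitive: bool = True) -> dict:
    # Only the salt, the policy flag and the hash are stored; never the password.
    salt = os.urandom(16)
    return {"salt": salt, "case_sensitive": case_sensitive,
            "hash": hash_password(password, salt, case_sensitive)}


def verify(record: dict, attempt: str) -> bool:
    # Same normalisation on the login attempt as at enrolment, then a
    # constant-time comparison of the two hashes.
    candidate = hash_password(attempt, record["salt"], record["case_sensitive"])
    return hmac.compare_digest(candidate, record["hash"])


def case_variants(password: str) -> int:
    """How many distinct passwords collapse onto one hash once case is folded:
    two choices per cased letter, so case-insensitivity divides the
    attacker's search space by this number."""
    cased = sum(1 for c in password if c.lower() != c.upper())
    return 2 ** cased


def upgrade_on_login(record: dict, attempt: str) -> Optional[dict]:
    """Transparent migration from case-folded to case-sensitive hashing:
    once the user logs in successfully against the old record, rehash the
    exact string they typed. Caveat: whatever casing they used at that login
    becomes the only accepted one from then on."""
    if not verify(record, attempt):
        return None
    if record["case_sensitive"]:
        return record
    return new_record(attempt, case_sensitive=True)


if __name__ == "__main__":
    old = new_record("Passw0rd!", case_sensitive=False)   # constructed sample password
    print("folded record accepts wrong case:", verify(old, "pASSW0RD!"))
    print("variants collapsed onto one hash:", case_variants("Passw0rd!"))
    new = upgrade_on_login(old, "Passw0rd!")
    print("upgraded record rejects wrong case:", not verify(new, "pASSW0RD!"))
```

The migration path is the interesting bit for this thread: a site can flip the policy flag per account on the next successful login, which is consistent with a user never being asked to re-enter or reset a password, but it means the casing used at that login is the one that sticks.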

duckDecoy
#2593175 29-Oct-2020 11:54

timmmay:
BlinkyBill:
Why is hashing/salting passwords more secure compared to using a complex password generated by a tool like 1Password? Aren’t there de-hashing algo’s out there?

If a company hashes and salts a password then stores the result they are effectively not holding a user password, and therefore they cannot leak it. Read up on SHA256 - a hash is a one-way mathematical function.

This.

Hashes used for password purposes are one way: you put text in one end and out the other end comes gibberish. If you put the same text in it always generates the same gibberish. But you cannot reverse it, you cannot take the gibberish and reverse it into the password.

So the user enters their password, it's hashed into gibberish, and that gibberish is checked against the gibberish saved in the password database to see if the user has entered the correct password. If the company loses control of the password database all the hackers get is gibberish, which isn't much help.

There are even better options, like SQRL. In this case the server doesn't even store ANY secrets (password, username etc.) so there is absolutely nothing to steal. Private and public key checking prove to the server that it is in fact you trying to log in, and it lets you in. It's bloody genius. If anyone is interested in secure logins to sites I highly recommend taking a look: https://www.grc.com/sqrl/sqrl.htm

timmmay
#2593184 29-Oct-2020 12:04

darthkram:
timmmay:
How could case insensitive password even work? For security passwords should be salted and hashed with the resulting hash stored, logins hash the password sent in to see if the user gets access. Case insensitive implies they used to store the password, or do something else tricky to work around the hash thing.

The way to do this would be to convert the password to lower (or upper) case before it is hashed/salted. This way you can get around needing to store multiple versions/the password in plaintext.

When a user logs in, before checking against the stored hash just do the same operation on what the user typed in.

Yeah, duh, that makes sense.

BlinkyBill
#2593190 29-Oct-2020 12:18

duckDecoy:
...
Hashes used for password purposes are one way: you put text in one end and out the other end comes gibberish. If you put the same text in it always generates the same gibberish. But you cannot reverse it, you cannot take the gibberish and reverse it into the password.
...

I’m with you, but I had understood you *could* reverse-engineer a hashed password. It’s a brute-force approach and takes time, and some hashing algo’s take a lot longer than others, but it is doable?

duckDecoy
#2593236 29-Oct-2020 12:37

BlinkyBill:
duckDecoy:
...
Hashes used for password purposes are one way: you put text in one end and out the other end comes gibberish. If you put the same text in it always generates the same gibberish. But you cannot reverse it, you cannot take the gibberish and reverse it into the password.
...

I’m with you, but I had understood you *could* reverse-engineer a hashed password. It’s a brute-force approach and takes time, and some hashing algo’s take a lot longer than others, but it is doable?

I'm not sure you could reverse-engineer it per se. Hashes are one-way functions, they cannot be made to work in reverse.

What you can do is try all possible INPUTS (passwords) and see if you generate one of the hashed outputs. If you get a match then you know the password (input) for that hashed output. Theoretically you could create a huge table of all the input and output combinations, and if you steal a hashed password database then you can look up the hash output to find the corresponding input (password). But (a) they would be seriously(!) huge and take a long time to compute, and (b) sites often "salt" the inputs with some random additional stuff, which means anyone who precomputed the input-output hashes using the known hash algorithm is out of luck because they didn't know to make this adjustment.

EDIT: clarity
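An added example (not from the thread) of the lookup-table attack duckDecoy describes and of what the salt changes. A table of hash-to-password pairs is computed once from a wordlist and then cracks any unsalted database by lookup alone, with no further hashing; against salted records the table never matches, and every guess has to be rehashed with each record's own salt, so the attacker's cost grows with the number of users. The wordlist and user passwords are constructed for the example, and SHA-256 is used only to keep the code short: a real password store uses a deliberately slow function such as PBKDF2, bcrypt, scrypt or Argon2, which multiplies the per-guess cost shown here.

```python
# Added example, not from the thread: a precomputed hash->password table
# against unsalted hashes, and why a per-user salt makes it worthless.
import hashlib
import os
from typing import Dict, List

# Constructed stand-in for a cracking wordlist; real ones hold billions of entries.
WORDLIST = ["password", "letmein", "qwerty", "summer2020", "hunter2", "westpac1"]


class CountingHasher:
    """SHA-256 with a call counter, so the attacker's work can be measured.
    SHA-256 is used only to keep the example short; a real password store
    uses a deliberately slow function (PBKDF2, bcrypt, scrypt, Argon2)."""

    def __init__(self) -> None:
        self.calls = 0

    def digest(self, data: bytes) -> str:
        self.calls += 1
        return hashlib.sha256(data).hexdigest()


def store_unsalted(password: str) -> dict:
    # Two users with the same password get the same hash: instantly visible in a leak.
    return {"salt": b"", "hash": hashlib.sha256(password.encode()).hexdigest()}


def store_salted(password: str) -> dict:
    salt = os.urandom(16)  # fresh random salt per record, stored beside the hash
    return {"salt": salt, "hash": hashlib.sha256(salt + password.encode()).hexdigest()}


def build_lookup_table(words: List[str], hasher: CountingHasher) -> Dict[str, str]:
    """Hash every word once. The table is then reusable against any number
    of leaked unsalted databases."""
    return {hasher.digest(w.encode()): w for w in words}


def crack_with_table(records: List[dict], table: Dict[str, str]) -> Dict[int, str]:
    """Pure lookups: no hashing at all once the table exists."""
    return {i: table[r["hash"]] for i, r in enumerate(records) if r["hash"] in table}


def crack_salted(records: List[dict], words: List[str], hasher: CountingHasher) -> Dict[int, str]:
    """With salts nothing can be precomputed: every guess is rehashed with each
    record's own salt, so the cost scales with users x guesses."""
    found: Dict[int, str] = {}
    for i, r in enumerate(records):
        for w in words:
            if hasher.digest(r["salt"] + w.encode()) == r["hash"]:
                found[i] = w
                break
    return found


if __name__ == "__main__":
    users = ["password", "hunter2", "password"]  # constructed leaked database
    h = CountingHasher()
    table = build_lookup_table(WORDLIST, h)
    print("unsalted:", crack_with_table([store_unsalted(p) for p in users], table),
          "hash calls:", h.calls)
    h = CountingHasher()
    print("salted:", crack_salted([store_salted(p) for p in users], WORDLIST, h),
          "hash calls:", h.calls)
```

Note what the salt does and does not buy: it kills the precomputed table and the "same hash means same password" tell, but a weak password on a salted record still falls to a per-user dictionary run, which is why the slow hash and the password strength matter on top of the salt.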
