Geekzone: technology news, blogs, forums
kendog
325 posts

Ultimate Geek


  #886354 29-Aug-2013 09:53

Inphinity: But, yes, if someone is trying to bruteforce your password, longer is better.


Is that possible with a bank password? They lock after three failed attempts.
In that scenario, does it matter if the password is short?



andrewNZ

2487 posts

Uber Geek
Inactive user


  #886379 29-Aug-2013 10:19

kendog:
Inphinity: But, yes, if someone is trying to bruteforce your password, longer is better.


Is that possible with a bank password? They lock after three failed attempts.
In that scenario, does it matter if the password is short?


Probably not I suppose.

I'm more worried about how they store it. Yes banks are supposed to be secure, but that doesn't mean they are. Let's say someone manages to get hold of one of these databases, and it turns out the passwords are plain text. They will have a field day.

Yes, there's a guarantee, and so probably no long term loss, but imagine having no access to your money for maybe a week or more while they try to work out what the hell went wrong.

Inphinity
2780 posts

Uber Geek


  #886380 29-Aug-2013 10:21

kendog:
Inphinity: But, yes, if someone is trying to bruteforce your password, longer is better.


Is that possible with a bank password? They lock after three failed attempts.
In that scenario, does it matter if the password is short?


It depends partly on what the unlock procedure is, and just how short we're talking. Most of the banks seem to require you to contact them to get the account unlocked, which is a great counter to any sort of brute force attack. In a non-banking situation where, say, getting it wrong 3 times is a 5 minute lockout, unless there's a notification to you that it got locked, the attacker could potentially just keep retrying. The lockout in this case would just extend the time required.

Then it depends on how short the password is, and what acceptable characters are. Again, no bank as far as I'm aware would allow it, but if we were talking a 3-digit PIN, for example, and you get locked out after 3 tries, you have a 0.3% (3 guesses out of 1000 combinations) probability of a successful guess in your 3 attempts before the first lockout. With 3 guesses before a 5 minute lockout, you're looking at just under 28 hours even if it is the final possible combination that you get correct. If it were, say, even a 5-digit PIN, that probability would be 0.003% (3 guesses out of 100,000 combinations). Again, with 3 guesses before a 5 minute lockout, you're talking over 115 days, assuming again the final possible combination was the correct one. Of course, there is always the possibility that someone could guess your PIN/Password within those 3 guesses, but it's all about making the probability of that as low as possible.

But, again, if the lockout is more than a basic timer until it unlocks, well, then we only have the 'probability of successful break before lockout' to worry about - but again, a longer password results in more potential combinations, and thus a lower probability of random guess to get it right.

Let's take a simple use example of a bank that allows an 8 character case-insensitive alphanumeric password, and locks you out after 3 incorrect attempts, requiring you to contact the bank to unlock it. There are a bit over 2.8 trillion possible password combinations. That's, uhh... in practical terms, a near-zero probability of guessing it correctly in only 3 attempts. Again, though, with the same criteria except length of 4, there's just under 1.7 million combinations - while it's still relatively unlikely to be guessed, it's orders of magnitude greater than the length 8 example.

So, simply, for practical purposes it depends how short, and also whether the attacker is making random guesses, or has some sort of base seed - perhaps they've seen you type it, and know that 3 of the 5 characters are g, y, and 7, but aren't totally sure on the order or what the other 2 characters are.
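
The arithmetic from the post above, worked through as an added example that is not part of the original thread. It also counts how far the search space shrinks in the shoulder-surfing case (three of five characters known, order unknown); the 36-symbol alphabet for that case and the function names are assumptions made for illustration.

```python
from math import ceil, comb

def keyspace(alphabet: int, length: int) -> int:
    """Number of possible secrets of exactly `length` symbols."""
    return alphabet ** length

def p_hit_before_lock(space: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses include the secret,
    assuming the secret is uniformly random over `space`."""
    return min(attempts, space) / space

def worst_case_hours(space: int, attempts: int, lockout_min: float) -> float:
    """Timed lockout only: upper bound on the time to try every candidate,
    charging one lockout wait per batch of `attempts` guesses."""
    return ceil(space / attempts) * lockout_min / 60

def space_containing(alphabet: int, length: int, known: int) -> int:
    """Strings containing each of `known` distinct observed characters at
    least once (positions and other characters unknown), by inclusion-exclusion."""
    return sum((-1) ** j * comb(known, j) * (alphabet - j) ** length
               for j in range(known + 1))

def report() -> dict:
    """Figures for the cases in the post; 36 symbols for the 5-character
    partial-knowledge case is an assumption (case-insensitive alphanumeric)."""
    full = keyspace(36, 5)
    seen = space_containing(36, 5, 3)   # observer saw g, y and 7 typed
    return {
        "pin3_hours": worst_case_hours(keyspace(10, 3), 3, 5),
        "pin5_days": worst_case_hours(keyspace(10, 5), 3, 5) / 24,
        "alnum8_p": p_hit_before_lock(keyspace(36, 8), 3),
        "alnum4_p": p_hit_before_lock(keyspace(36, 4), 3),
        "seen_space": seen,
        "seen_shrink": full / seen,
        "seen_p": p_hit_before_lock(seen, 3),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:12} {value:.6g}")
```

With a lock that needs the bank to clear it, only the `*_p` values matter; the partial-knowledge case is the one where three attempts stop being negligible.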



Inphinity
2780 posts

Uber Geek


  #886382 29-Aug-2013 10:28

andrewNZ: I'm more worried about how they store it. Yes banks are supposed to be secure, but that doesn't mean they are. Let's say someone manages to get hold of one of these databases, and it turns out the passwords are plain text. They will have a field day.


None of the major banks are storing your password in plain text. I have no idea what smaller, localised banks are around, and what they may be doing. Most of the banks are using a one-way hash. Some may be using reversible encryption.

JamesL
956 posts

Ultimate Geek
Inactive user


  #886383 29-Aug-2013 10:33

BNZ use two factor as well so length really isn't an issue

It may be the core banking system that requires the limitations

andrewNZ

2487 posts

Uber Geek
Inactive user


  #886402 29-Aug-2013 11:06

JamesL: BNZ use two factor as well so length really isn't an issue

It may be the core banking system that requires the limitations


I hate BNZ's two factor with a passion (so much so I don't bank with them any more), with their system, the crappy password is still the main security in many situations.
Let's say someone swipes your wallet (or even just gets a look inside), in it you have your BNZ card with your access number printed on it, and your Netsafe card. You're instantly relying on a password between 6 and 8 characters long to protect you. And you know in that situation, if someone gets in, you're going to have to fight to get the bank to stump up.

Inphinity
2780 posts

Uber Geek


  #886405 29-Aug-2013 11:10

andrewNZ: Let's say someone swipes your wallet (or even just gets a look inside), in it you have your BNZ card with your access number printed on it, and your Netsafe card.


Can I suggest not storing information you consider sensitive in plain text in an unsecure location? ;)

 
 
 

JamesL
956 posts

Ultimate Geek
Inactive user


  #886407 29-Aug-2013 11:22

Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password

andrewNZ

2487 posts

Uber Geek
Inactive user


  #886418 29-Aug-2013 11:32

Inphinity:
andrewNZ: Let's say someone swipes your wallet (or even just gets a look inside), in it you have your BNZ card with your access number printed on it, and your Netsafe card.


Can I suggest not storing information you consider sensitive in plain text in an unsecure location? ;)


Don't take all this the wrong way, I'm security conscious, and I'm certainly more technically clued up than the average person. I realise these concerns are bordering on ridiculous, but they are still valid.

I don't consider a wallet secure at all, wallets can get lost or stolen, but I don't know of any other more secure way of transporting my cards. I also don't know any way of encrypting the cards. So I'm down to storing these things on my person in a smallish leather holder, or separating them, and seriously limiting where I'd be able to use this "secure" service. No more internet banking on my personal device when I'm not at home.



andrewNZ

2487 posts

Uber Geek
Inactive user


  #886422 29-Aug-2013 11:35

JamesL: Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password


So you either don't carry your Netsafe card, or you don't carry your BNZ eftpos/credit card (because your access number is printed on it).
And we're back to the original problem, a poor password, 6-8 characters in this case.


Inphinity
2780 posts

Uber Geek


  #886443 29-Aug-2013 12:20

andrewNZ: Don't take all this the wrong way, I'm security conscious, and I'm certainly more technically clued up than the average person. I realise these concerns are bordering on ridiculous, but they are still valid.

I don't consider a wallet secure at all, wallets can get lost or stolen, but I don't know of any other more secure way of transporting my cards. I also don't know any way of encrypting the cards. So I'm down to storing these things on my person in a smallish leather holder, or separating them, and seriously limiting where I'd be able to use this "secure" service. No more internet banking on my personal device when I'm not at home.




It depends how far you want to go. Personally, I store my netguard content encrypted on my phone, so to get both my access number & netguard card, someone would need to steal my wallet, and my phone, and work out the unlock password for my phone & the decrypt password for my secure storage. Probability of these events is incredibly low. Even with Mobile Netguard enabled on the app, they'd still have to steal my phone, work out the unlock password for it, and the login password for the bank app.

throbb
675 posts

Ultimate Geek


  #886472 29-Aug-2013 12:50

andrewNZ:
JamesL: Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password


So you either don't carry your Netsafe card, or you don't carry your BNZ eftpos/credit card (because your access number is printed on it).
And we're back to the original problem, a poor password, 6-8 characters in this case.



BNZ passwords are case sensitive, can be letters and numbers. 8 characters is going to take a very long time to brute force crack (years?). I am sure you'll notice you're missing wallet and report the cards stolen by then. Plus after 3 incorrect login attempts you get locked out.

andrewNZ

2487 posts

Uber Geek
Inactive user


  #886492 29-Aug-2013 13:20

throbb:
andrewNZ:
JamesL: Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password


So you either don't carry your Netsafe card, or you don't carry your BNZ eftpos/credit card (because your access number is printed on it).
And we're back to the original problem, a poor password, 6-8 characters in this case.



BNZ passwords are case sensitive, can be letters and numbers. 8 characters is going to take a very long time to brute force crack (years?). I am sure you'll notice you're missing wallet and report the cards stolen by then. Plus after 3 incorrect login attempts you get locked out.


Once again, I do realise these concerns are bordering on ridiculous now.

While I do agree, there are still a few points about that I'd like to make. 
1) Your wallet doesn't have to be missing, someone only needs a copy of the two things, a photo will do. No need to report something stolen if it isn't missing.

2) You still need to memorise a password (unless you're silly enough to write it down), which makes most passwords a lot less complex. Yes there are still a lot of possibilities, but we've already established that bruteforce probably won't work, so we're down to educated guesses, which can be pretty effective if you have time.

3) IIRC the Netguard cards are replaced every 3 months, that's a pretty long time to be able to research or probe someone.

andrewNZ

2487 posts

Uber Geek
Inactive user


  #886498 29-Aug-2013 13:27

I think I've managed to untie my bonnet and let the bee out :D

Goosey
2836 posts

Uber Geek

Subscriber

  #886500 29-Aug-2013 13:32

andrewNZ: 
We were with BNZ for a short time, and it wound me up that my least secure password was longer than their stupid 8 character limit.


Not sure when you were with BNZ, but I've been using their online banking system for about a year now and my password is 12 chars long. I don't know what the limit is.

