Inphinity
2780 posts

Uber Geek


  #886501 29-Aug-2013 13:32

andrewNZ:
Once again, I do realise these concerns are bordering on ridiculous now.


There has to be a level of practicality and usability maintained. Nothing is going to be both totally secure and usable by the end user. As above, if you're concerned about someone getting (or even seeing) your access code and netguard card when you open your wallet, don't store both together. Even if they do, they need to know your password, or be able to guess it in <4 attempts. So have a reasonably secure password, and you're about as safe as it is practical to be. If you choose a stupidly obvious password, well, no amount of other precautions are going to save you from yourself ;)



andrewNZ

2487 posts

Uber Geek
Inactive user


  #886506 29-Aug-2013 13:38

Goosey:
andrewNZ: 
We were with BNZ for a short time, and it wound me up that my least secure password was longer than their stupid 8 character limit.


Not sure when you were with BNZ, but I've been using their online banking system for about a year now and my password is 12 chars long. I don't know what the limit is.



Well that's good to know, I'm glad they rectified that.
I'd love to know if there's a limit now.

kendog
325 posts

Ultimate Geek


  #886681 29-Aug-2013 18:36

andrewNZ:
Goosey:
andrewNZ: 
We were with BNZ for a short time, and it wound me up that my least secure password was longer than their stupid 8 character limit.


Not sure when you were with BNZ, but I've been using their online banking system for about a year now and my password is 12 chars long. I don't know what the limit is.



Well that's good to know, I'm glad they rectified that.
I'd love to know if there's a limit now.

I really think you have nothing to worry about using short passwords for banking.
Some simple things will help like mixed case, alpha numerical characters, using the first letters from a phrase, song or saying rather than an actual word. I use all the above and would be amazed if anyone could guess my 6 character password in three tries.

One final tip, make your banking password unique. As in don't use it for any other sites or work.



andrewNZ

2487 posts

Uber Geek
Inactive user


  #886704 29-Aug-2013 19:15

kendog:
andrewNZ:
Goosey:
andrewNZ:
We were with BNZ for a short time, and it wound me up that my least secure password was longer than their stupid 8 character limit.


Not sure when you were with BNZ, but I've been using their online banking system for about a year now and my password is 12 chars long. I don't know what the limit is.



Well that's good to know, I'm glad they rectified that.
I'd love to know if there's a limit now.

I really think you have nothing to worry about using short passwords for banking.
Some simple things will help like mixed case, alpha numerical characters, using the first letters from a phrase, song or saying rather than an actual word. I use all the above and would be amazed if anyone could guess my 6 character password in three tries.

One final tip, make your banking password unique. As in don't use it for any other sites or work.

I don't know quite how to convey my level of ability, let's for the moment just assume I'm pretty bloody clever ;), and I'm not offended in any way.

I'm more than familiar with password creation strength and best practice from a user side. I don't fully understand best practice for password handling from a provider's point of view.

I also really don't get the whole "it's a bank, it'll be fine" attitude. Assuming something is OK just because it should be is not the way to look at things, it's dangerous, and it'll get you in the poo real fast.
I agree, it probably will be fine, but we should still be questioning things that look questionable. 
It seems there are systems getting compromised every other week, and several high profile ones have been caught with plain text passwords in the database. You'd think it'd be a lesson to the rest, but the stories just keep coming. I fully expect to see a story about a big bank being caught doing the same thing. A system is only as good as the people who implemented it.

Really, I just don't think I should have to come up with a short password (which goes against everything I believe), just because the bank can't be arsed letting me use a longer one. If I want to type a novel, that should be up to me.

Goosey
2829 posts

Uber Geek

Subscriber

  #886723 29-Aug-2013 19:59

Most banks are quite clear and public about how they implement security (obviously not in detail) but they like to say they have 'this and that'. Why don't you ask your bank or check out their website etc.?
Remember there is also onus on you to comply with your own security including protecting yourself against all types of virus and spying methods. The old saying 'clear your browser history and clean up the cookies etc'.


Inphinity
2780 posts

Uber Geek


  #886729 29-Aug-2013 20:11

andrewNZ:
I also really don't get the whole "it's a bank, it'll be fine" attitude.


It's not a "They're a bank, it'll be fine" approach, it's a "They're a bank, which means there are regulations and requirements around security that they have to meet, and most are regularly audited on, especially if they're a member of the NZ Bankers Association", and having been involved with several of them during credit fraud investigations, I am confident that most of the major banks' data security is kept to a high standard. It's also one of the industries that is most reliant on legacy internal systems still, due to the upheaval that upgrades and replacements of some systems entails, and I suspect this is a reason for password restrictions in many cases. Sure, it'd be nice to allow more flexibility on their passwords, but I have more confidence in the security of my banking login, than practically any other online credentials I use, due to the relatively random login name, password, and 2-factor auth for most loss-risk transactions.



andrewNZ

2487 posts

Uber Geek
Inactive user


  #886731 29-Aug-2013 20:22

Inphinity: having been involved with several of them during credit fraud investigations, I am confident that most of the major banks' data security is kept to a high standard.


Now that makes me feel a lot better. Thanks.

 
 
 

kendog
325 posts

Ultimate Geek


  #886953 30-Aug-2013 10:38

No offence intended andrewNZ.
I was just throwing out some tips for anyone viewing this thread.

I have worked for one of the big banks for 20+ years, 10 years in IT and the last 6 in online banking.

If all the banks follow our checks, controls and processes there is nothing to worry about. Online banking security is a very serious topic, given the transaction volumes.

My personal opinion, the need to increase password length and complexity is related to the surrounding controls applied at login and transaction completion.

lNomNoml
1807 posts

Uber Geek

ID Verified

  #1303154 12-May-2015 20:55
Send private message

2 years on and you still can't have a password longer than 8 characters, seriously what is up with that?

Really frustrating as I would like to change my password to a more secure one.

kendog
325 posts

Ultimate Geek


  #1304835 13-May-2015 21:43

lNomNoml: 2 years on and you still can't have a password longer than 8 characters, seriously what is up with that?

Really frustrating as I would like to change my password to a more secure one.

For what reason do you want a longer password? It is no safer for banking.

insane
3237 posts

Uber Geek

ID Verified
Trusted

  #1304839 13-May-2015 22:00
Send private message

I questioned ASB on this a year or so ago and their view was that 8 non-case sensitive character passwords were enough due to users' usernames/access codes being set by the user. So unless you have your username/access code written in your wallet and can't think of something creative under 8 characters they are probably correct in that it's still fairly secure.

Obviously not secure enough for business banking though as those passwords can be longer and are case sensitive.... go figure.


kendog
325 posts

Ultimate Geek


  #1304890 14-May-2015 08:30

insane: I questioned ASB on this a year or so ago and their view was that 8 non-case sensitive character passwords were enough due to users' usernames/access codes being set by the user. So unless you have your username/access code written in your wallet and can't think of something creative under 8 characters they are probably correct in that it's still fairly secure.

Obviously not secure enough for business banking though as those passwords can be longer and are case sensitive.... go figure.


Some businesses have their own policies around password requirements, so the banks may provide additional capability to meet these policies.
As long as the bank blocks access after 'x' failed attempts, it doesn't matter how long or strong the password is.

andrewNZ

2487 posts

Uber Geek
Inactive user


  #1305366 14-May-2015 19:08
Send private message

I'd totally forgotten about this conversation.

I realise that it isn't a security risk as such. But I do think it's totally ridiculous to restrict people to such short passwords. As I think I've already stated, the shortest password I use for low security purposes is longer than 8 characters, and if you knew it, you'd agree it is pretty basic.

mdf
3513 posts

Uber Geek

Trusted

  #1305407 14-May-2015 19:54
Send private message

Some fabulous arstechnica and wired articles on this subject:

http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/1/

http://www.wired.co.uk/news/archive/2013-05/28/password-cracking/viewall

The usual way of calculating password strength is basically down to its length and the types of characters used. This is true if you assume your hacker is going to apply a brute force attack for everything from "aaaaaaa" through "aaaaaz" and so on. But in actual fact, hackers apply a variety of "password recovery tools" with pattern recognition, dictionary list and password list algorithms to massively shorten the time taken.

Essentially, the *only* secure password is a genuinely random combination of letters, numbers and symbols, not using c0mm0n subst1tut10n5. Keyboard walks and any other kind of patterns are out. Even the xkcd battery horse staple thing can be relatively easily cracked using combinator attacks.

In practice, this means you need to use either a password manager or a really good mnemonic. And throw some random characters into the mnemonic just to be safe.

richms
28168 posts

Uber Geek

Trusted
Lifetime subscriber

  #1305462 14-May-2015 20:51

Or be content in that they only get 3 or so guesses before it stops working for a period of time, or in some cases till you call them so that brute forcing the web facing login page isn't going to happen.

If you have the same password as your hobby forum and your login to your unsecured webmail then you are screwed no matter how long the password is.

If the bank gets taken and the passwords swiped off it, then who really cares that yours may crack a little quicker than others, because that becomes well and truly the bank's issue.




Richard rich.ms
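
Added example, not part of any post in this thread: a Python sketch of the two controls the thread keeps weighing against each other, a three-strikes lockout on the login page and password keyspace once the lockout no longer applies. The alphabet sizes (36 and 62 characters) and the offline guess rate are assumptions chosen for illustration, not figures from any bank.

```python
# Added illustration; the alphabet sizes and offline guess rate are assumptions.
CASE_INSENSITIVE_ALNUM = 36   # a-z plus 0-9, case ignored (assumed alphabet)
MIXED_CASE_ALNUM = 62         # a-z, A-Z, 0-9 (assumed alphabet)
ASSUMED_OFFLINE_RATE = 1e9    # guesses per second against leaked hashes (made up)


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def online_hit_probability(alphabet_size, length, tries_before_lock):
    """Chance of hitting one uniformly random password before lockout."""
    return min(1.0, tries_before_lock / keyspace(alphabet_size, length))


def offline_seconds_to_exhaust(alphabet_size, length, rate=ASSUMED_OFFLINE_RATE):
    """Time to try every candidate once the lockout no longer applies."""
    return keyspace(alphabet_size, length) / rate


class LockoutTracker:
    """Counts failed logins per account and locks until a manual reset."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = {}

    def attempt(self, account, password_ok):
        if self.failures.get(account, 0) >= self.max_failures:
            return "locked"            # refused even if the password is right
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        locked = self.failures[account] >= self.max_failures
        return "locked" if locked else "denied"

    def reset(self, account):
        """Models the 'call the bank' unlock step."""
        self.failures.pop(account, None)


if __name__ == "__main__":
    print(online_hit_probability(CASE_INSENSITIVE_ALNUM, 8, 3))
    print(offline_seconds_to_exhaust(CASE_INSENSITIVE_ALNUM, 8) / 60, "minutes")
    print(offline_seconds_to_exhaust(MIXED_CASE_ALNUM, 12) / 31_557_600, "years")
```

The online figure holds only for a uniformly random password; a password chosen from a common list is far more likely to fall within the three tries. Under the assumed rate, the 8-character case-insensitive space is exhausted in well under an hour, while the 12-character mixed-case space takes on the order of a hundred thousand years.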
