Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
Please note this sub-forum does not provide professional finance advice. You should seek advice from a licensed financial advisor.

To post in this sub-forum you must have made 100 posts or have Trust status or have completed our ID Verification.

If investing please consider our affiliate link for new accounts: Sharesies.



ForumsFinance and wealth managementASB online banking passwords not case sensitive!
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic
1 | 2 | 3 | 4 | 5 | 6 | 7
kendog
325 posts

Ultimate Geek
+1 received by user: 61


  #989098 17-Feb-2014 18:38
Send private message

Why do strong passwords matter when you only get four attempts to login before the access is locked?
My password is not strong, but I can't see how my banking is at risk.



richms
28343 posts

Uber Geek
+1 received by user: 9325

Trusted
Lifetime subscriber

  #989264 17-Feb-2014 22:02
Send private message

Also the support costs and added bad-will because of people getting locked out because they don't understand what case sensitivity is would be huge compared to the small chance someone may see someone type their password but not know if that was a capital or not and get in before locking the account out.




Richard rich.ms

tardtasticx
3081 posts

Uber Geek
+1 received by user: 477


  #989274 17-Feb-2014 22:21
Send private message

richms: Also the support costs and added bad-will because of people getting locked out because they don't understand what case sensitivity is would be huge compared to the small chance someone may see someone type their password but not know if that was a capital or not and get in before locking the account out.


We pay fees for a reason, I'm fairly sure they have enough spare cash to do a password reset every so often. Plus, the majority of people know what upper and lower cases are. Most places require upper and lower case characters in passwords already, so I'm sure those few people will be used to it soon.



ASBBank
37 posts

Geek
+1 received by user: 38

Trusted
ASB

  #989291 17-Feb-2014 22:31
Send private message

Hi everyone and please allow us to contribute to this discussion on password features. We have been reading your comments and have interacted with many of you previously on this issue when you have raised your concerns directly with us. We acknowledge that customers want to be able to use longer passwords and passwords that are case-sensitive. As a few of you have already pointed out, two-factor authentication is available either by SMS or token if you'd prefer an extra layer of security each time you log in. Some risks to password authentication, such as phishing and theft by malware, are not solved by stronger passwords so two-factor authentication remains a good option.

We currently have a programme underway which will address many of the concerns raised here. At present we don't have concrete delivery timeframes that we can share with you, but we undertake to do this when we are able to. Password security is a complex area, and as it affects nearly all of our customers, we want to make sure when we introduce changes that we get it right. For those of you who would like to be involved in user testing an early release, please email us at social.media@asb.co.nz and we will be in touch closer to the time.

We do reiterate that two-factor authentication is an option you can enable at login. There is no charge for the SMS messages, or if you prefer a token there is a monthly $1 charge (ideal if, for example, you travel overseas). This can be enabled within FastNet Classic via Personal Details/Set Netcode at Sign on. You can also set your Netcode daily limit to be as low as you like (down to $1) depending on your risk appetite. This will trigger a Netcode for those eligible payments over that cumulative daily limit. Lastly, our fraud team is constantly on the go behind the scenes, reviewing suspicious transactions and alerting customers about unusual activity on their accounts.

Thank you again for all the frank feedback and comments on this thread, and we look forward to sharing the changes with you when we are able to.

- Fiona Colgan, General Manager Digital




Social Media team, ASB Bank Ltd www.asb.co.nz/social

richms
28343 posts

Uber Geek
+1 received by user: 9325

Trusted
Lifetime subscriber

  #989311 17-Feb-2014 22:46
Send private message

Can we just PM you our customer ID to get in on anything new and improved instead?




Richard rich.ms

johnr
19282 posts

Uber Geek
+1 received by user: 2526
Inactive user


  #989323 17-Feb-2014 23:04
Send private message

richms: Can we just PM you our customer ID to get in on anything new and improved instead?


Not that simple as often documents need to be signed

insane

3258 posts

Uber Geek
+1 received by user: 960

ID Verified
Trusted

  #990057 18-Feb-2014 22:47
Send private message

ASBBank: ......Thank you again for all the frank feedback and comments on this thread, and we look forward to sharing the changes with you when we are able to.

- Fiona Colgan, General Manager Digital


Hi Fiona, thanks for the comments, I'm glad its been brought to your attention and that you are looking to make improvements to simply using basic crypt.

Given the awareness should we expect your website to be updated to remove mention of case sensitivity being employed?

 
 
 
 

Trade NZ and US shares and funds with Sharesies (affiliate link).
ASBBank
37 posts

Geek
+1 received by user: 38

Trusted
ASB

  #990802 19-Feb-2014 22:13
Send private message

insane:


Given the awareness should we expect your website to be updated to remove mention of case sensitivity being employed?



 

Thanks for your question. That particular wording you’ve linked to in the first post on this thread actually refers to FastNet Business, our internet banking platform for business customers. Our website is correct - those passwords are case sensitive and should be 8-10 characters in length. Our primary focus in the programme mentioned above is on FastNet Classic.  We’ll keep you posted! Thanks - FC

Kyanar
4089 posts

Uber Geek
+1 received by user: 1683

ID Verified
Trusted

  #990850 20-Feb-2014 00:03
Send private message

Talkiet: I raised the issue with Westpac a while ago and didn't let go... Their "security people" ended up staunchly defending the case insensitivity of their online banking passwords saying that it was "entirely secure"

I know all about how legacy systems can cause unbelievable password constraints, but I would have thought a bank might have the funds to sort it... After all, it's not like they are that poor.

Cheers - N


I've actually raised the issue with both ASB and Westpac before.  I'm rather pleased to see ASB's response in this thread, since their response at the time was that it's not an issue because "we have 128 bit encrypitation" on the online banking pages, and Westpac responded that it doesn't matter since if anyone does steal my money I'm protected by Online Guardian and their Zero Liability policy (note: I've literally only ONCE been challenged by Online Guardian - it even ignored when I did a bunch of transactions in Australia despite never having left the country in my life!)

bazzer
3438 posts

Uber Geek
+1 received by user: 267

Trusted

  #990947 20-Feb-2014 09:47
Send private message

Kyanar: I've literally only ONCE been challenged by Online Guardian - it even ignored when I did a bunch of transactions in Australia despite never having left the country in my life!

You'll probably find their algorithms are a bit more sophisticated than you think.

kenkeniff
628 posts

Ultimate Geek
+1 received by user: 88


  #990996 20-Feb-2014 11:08
Send private message

kendog: Why do strong passwords matter when you only get four attempts to login before the access is locked?
My password is not strong, but I can't see how my banking is at risk.



I have to agree with 'kendog'; passwords need only be sufficiently entropic to withstand until brute force detection measures kick in (assuming these measures are adequately in place - i.e. unlikely to be guessed in 4 attempts).

Any backend use of these passwords (authentication / encryption) should be restricted to a sufficiently randomly individually salted derivative of the original password (i.e. a HASH).

That being said there's really no reason to limit passwords to the degree imposed by ASB (and apparently most banks) and "Password security is a complex area" is a decidedly non-answer by ASB especially in a technical forum like this with members working for telcos, banks, Govt agencies etc and understanding full well these 'complexities'.

I suspect the answer to be much more mundane along the lines of "that's all the plain-text fixed-length fields in our 50 year old COBOL system can handle"..

Also: +1 to 2FA

kyhwana2
2566 posts

Uber Geek
+1 received by user: 228


  #992041 21-Feb-2014 21:46
Send private message

kenkeniff:
kendog: Why do strong passwords matter when you only get four attempts to login before the access is locked?
My password is not strong, but I can't see how my banking is at risk.



I have to agree with 'kendog'; passwords need only be sufficiently entropic to withstand until brute force detection measures kick in (assuming these measures are adequately in place - i.e. unlikely to be guessed in 4 attempts).

Any backend use of these passwords (authentication / encryption) should be restricted to a sufficiently randomly individually salted derivative of the original password (i.e. a HASH).

I suspect the answer to be much more mundane along the lines of "that's all the plain-text fixed-length fields in our 50 year old COBOL system can handle"..



The issue is if you don't make them complex enough, you end up where people just reuse crap passwords everywhere and the whole storing them in plaintext thing doesn't help this (Or crap passwords like "password1" that are easily cracked if you don't use bcrypt/scrypt/PDKDF2) when sites get their login databases "stolen" and publicly dumped.

kenkeniff
628 posts

Ultimate Geek
+1 received by user: 88


  #992044 21-Feb-2014 21:54
Send private message

kyhwana2: ...
The issue is if you don't make them complex enough, you end up where people just reuse crap passwords everywhere and the whole storing them in plaintext thing doesn't help this


 +1


(Or crap passwords like "password1" that are easily cracked if you don't use bcrypt/scrypt/PDKDF2) when sites get their login databases "stolen" and publicly dumped.


Which is they should be stored as [SALT=HASH(RAND())] AND [HASH(SALT + "password1")]

Tandem
16 posts

Geek
+1 received by user: 1


  #992283 22-Feb-2014 12:32

ASBBank: We currently have a programme underway which will address many of the concerns raised here. At present we don't have concrete delivery timeframes that we can share with you, but we undertake to do this when we are able to. Password security is a complex area, and as it affects nearly all of our customers, we want to make sure when we introduce changes that we get it right ....


Although I do appreciate ASB's reply in this thread, it reads more like a typical PR response trying to downplay the seriousness of the underlaying issue.

Just like kenkeniff suggested it is quite reasonable to believe that the ASB imposed limitation on passwords is based on the incapability of one of their internal systems.

ASB has been aware of this limitation ever since they introduced FastNet and BankDirect in 1997 and there is no excuse for ignoring this for such a long time.

ASBBank: We acknowledge that customers want to be able to use longer passwords and passwords that are case-sensitive. As a few of you have already pointed out, two-factor authentication is available either by SMS or token if you'd prefer an extra layer of security each time you log in ....


This is not just about what kind of password a customer can choose. The fact that ASB limits the length of passwords, which characters it contains and disregards case sensitivity indicates that it's very likely that the passwords are being stored in plain text on the backend.

This has much worse security implications than the complexity of a chosen password.

It is time that the ASB execs take this seriously and let the ASB IT team do their job. Waiting until a serious breach occurs or the media covers this will be more costly than allocating the resources needed to address this.

webwat
2036 posts

Uber Geek
+1 received by user: 145

Trusted

  #992398 22-Feb-2014 16:59
Send private message

nzkc: They're also restricted to 8 characters.  I brought this up with them on Twitter - got nowhere with them.


Apparently that is a limitation of their ancient core banking software as it has evolved over the years, apparently cant be changed without a major system upgrade. Kiwi Bank have announced they plan to fully replace their core banking system, and have sparked comments that its such a massive project it could kill a small bank like them if they get it wrong.

I think when I signed up with ASB the password had to be 8 characters, and could only be numbers or lowercase letters at that time.




Time to find a new industry!

1 | 2 | 3 | 4 | 5 | 6 | 7
Filter this topic showing only the reply marked as answer View this topic in a long page with up to 500 replies per page Create new topic








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.







RSS feeds
Main feed
Forums feed
Copyright
©2002-2025 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright