kendog
321 posts

Ultimate Geek


  #886354 29-Aug-2013 09:53

Inphinity: But, yes, if someone is trying to bruteforce your password, longer is better.


Is that possible with a bank password? They lock after three failed attempts.
In that scenario, does it matter if the password is short?

andrewNZ

2487 posts

Uber Geek
Inactive user


  #886379 29-Aug-2013 10:19

kendog:
Inphinity: But, yes, if someone is trying to bruteforce your password, longer is better.


Is that possible with a bank password? They lock after three failed attempts.
In that scenario, does it matter if the password is short?


Probably not I suppose.

I'm more worried about how they store it. Yes banks are supposed to be secure, but that doesn't mean they are. Let's say someone manages to get hold of one of these databases, and it turns out the passwords are plain text. They will have a field day.

Yes, there's a guarantee, and so probably no long term loss, but imagine having no access to your money for maybe a week or more while they try to work out what the hell went wrong.

Inphinity
2704 posts

Uber Geek

Subscriber

  #886380 29-Aug-2013 10:21

kendog:
Inphinity: But, yes, if someone is trying to bruteforce your password, longer is better.


Is that possible with a bank password? They lock after three failed attempts.
In that scenario, does it matter if the password is short?


It depends partly on what the unlock procedure is, and just how short we're talking. Most of the banks seem to require you to contact them to get the account unlocked, which is a great counter to any sort of brute force attack. In a non-banking situation where, say, getting it wrong 3 times is a 5 minute lockout, unless there's a notification to you that it got locked, the attacker could potentially just keep retrying. The lockout in this case would just extend the time required.

Then it depends on how short the password is, and what acceptable characters are. Again, no bank as far as I'm aware would allow it, but if we were talking a 3-digit PIN, for example, and you get locked out after 3 tries, you have a 0.3% (3 guesses out of 1000 combinations) probability of a successful guess in your 3 attempts before the first lockout. With 3 guesses before a 5 minute lockout, you're looking at just under 28 hours even if it is the final possible combination that you get correct. If it were, say, even a 5-digit PIN, that probability would be 0.003% (3 guesses out of 100,000 combinations). Again, with 3 guesses before a 5 minute lockout, you're talking over 115 days, assuming again the final possible combination was the correct one. Of course, there is always the possibility that someone could guess your PIN/Password within those 3 guesses, but it's all about making the probability of that as low as possible.

But, again, if the lockout is more than a basic timer until it unlocks, well, then we only have the 'probability of successful break before lockout' to worry about - but again, a longer password results in more potential combinations, and thus a lower probability of random guess to get it right.

Let's take a simple use example of a bank that allows an 8 character case-insensitive alphanumeric password, and locks you out after 3 incorrect attempts, requiring you to contact the bank to unlock it. There are a bit over 2.8 trillion possible password combinations. That's, uhh... in practical terms, a near-zero probability of guessing it correctly in only 3 attempts. Again, though, with the same criteria except length of 4, there's just under 1.7 million combinations - while it's still relatively unlikely to be guessed, it's orders of magnitude greater than the length 8 example.

So, simply, for practical purposes it depends how short, and also whether the attacker is making random guesses, or has some sort of base seed - perhaps they've seen you type it, and know that 3 of the 5 characters are g, y, and 7, but aren't totally sure on the order or what the other 2 characters are.
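
The arithmetic in the post above, reproduced as an added example (not part of the original thread) so the effect of length, lockout policy and partial knowledge can be compared side by side. The function names are made up for illustration, and the 36-symbol alphabet used for the "knows g, y and 7" case is an assumption carried over from the case-insensitive alphanumeric example.

```python
from fractions import Fraction
from math import ceil, comb


def keyspace(alphabet_size, length):
    """Number of possible secrets of exactly `length` symbols."""
    return alphabet_size ** length


def p_guess_before_lock(space, attempts):
    """Chance that `attempts` distinct random guesses hit one fixed secret.
    This is the only figure that matters when unlocking needs the bank."""
    return Fraction(min(attempts, space), space)


def worst_case_minutes(space, attempts, lockout_minutes):
    """Waiting time to try every value when the lock is only a timer.
    The final batch of guesses needs no further wait."""
    batches = ceil(space / attempts)
    return (batches - 1) * lockout_minutes


def containing_all(alphabet_size, length, known):
    """Secrets of `length` symbols that contain each of `known` distinct,
    observed symbols at least once, in any position (inclusion-exclusion)."""
    return sum((-1) ** k * comb(known, k) * (alphabet_size - k) ** length
               for k in range(known + 1))


if __name__ == "__main__":
    # PINs with 3 tries per 5-minute timed lockout.
    for digits in (3, 5):
        space = keyspace(10, digits)
        mins = worst_case_minutes(space, 3, 5)
        print(f"{digits}-digit PIN: p={float(p_guess_before_lock(space, 3)):.5%}, "
              f"worst case {mins / 60:.2f} h ({mins / 1440:.1f} days)")

    # Case-insensitive alphanumeric passwords, manual unlock after 3 tries.
    for length in (4, 8):
        space = keyspace(36, length)
        print(f"length {length}: {space:,} combinations, "
              f"p={float(p_guess_before_lock(space, 3)):.2e}")

    # 5 characters, 3 of them seen (order and the other 2 unknown).
    full, reduced = keyspace(36, 5), containing_all(36, 5, 3)
    print(f"shoulder-surfed: {reduced:,} of {full:,} candidates remain")
```

With three of five characters observed, the candidate set shrinks by a factor of roughly 850, which is why the lockout that requires contacting the bank, rather than password length alone, carries most of the weight in that scenario.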



Inphinity
2704 posts

Uber Geek

Subscriber

  #886382 29-Aug-2013 10:28

andrewNZ: I'm more worried about how they store it. Yes banks are supposed to be secure, but that doesn't mean they are. Let's say someone manages to get hold of one of these databases, and it turns out the passwords are plain text. They will have a field day.


None of the major banks are storing your password in plain text. I have no idea what smaller, localised banks are around, and what they may be doing. Most of the banks are using a one-way hash. Some may be using reversible encryption.

JamesL
956 posts

Ultimate Geek
Inactive user


  #886383 29-Aug-2013 10:33

BNZ use two factor as well so length really isn't an issue

It may be the core banking system that requires the limitations

andrewNZ

2487 posts

Uber Geek
Inactive user


  #886402 29-Aug-2013 11:06

JamesL: BNZ use two factor as well so length really isn't an issue

It may be the core banking system that requires the limitations


I hate BNZ's two factor with a passion (so much so I don't bank with them any more), with their system, the crappy password is still the main security in many situations.
Let's say someone swipes your wallet (or even just gets a look inside), in it you have your BNZ card with your access number printed on it, and your Netsafe card. You're instantly relying on a password between 6 and 8 characters long to protect you. And you know in that situation, if someone gets in, you're going to have to fight to get the bank to stump up.

Inphinity
2704 posts

Uber Geek

Subscriber

  #886405 29-Aug-2013 11:10

andrewNZ: Let's say someone swipes your wallet (or even just gets a look inside), in it you have your BNZ card with your access number printed on it, and your Netsafe card.


Can I suggest not storing information you consider sensitive in plain text in an unsecure location? ;)



JamesL
956 posts

Ultimate Geek
Inactive user


  #886407 29-Aug-2013 11:22

Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password

andrewNZ

2487 posts

Uber Geek
Inactive user


  #886418 29-Aug-2013 11:32

Inphinity:
andrewNZ: Let's say someone swipes your wallet (or even just gets a look inside), in it you have your BNZ card with your access number printed on it, and your Netsafe card.


Can I suggest not storing information you consider sensitive in plain text in an unsecure location? ;)


Don't take all this the wrong way, I'm security conscious, and I'm certainly more technically clued up than the average person. I realise these concerns are bordering on ridiculous, but they are still valid.

I don't consider a wallet secure at all, wallets can get lost or stolen, but I don't know of any other more secure way of transporting my cards. I also don't know any way of encrypting the cards. So I'm down to storing these things on my person in a smallish leather holder, or separating them, and seriously limiting where I'd be able to use this "secure" service. No more internet banking on my personal device when I'm not at home.



andrewNZ

2487 posts

Uber Geek
Inactive user


  #886422 29-Aug-2013 11:35

JamesL: Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password


So you either don't carry your Netsafe card, or you don't carry your BNZ eftpos/credit card (because your access number is printed on it).
And we're back to the original problem, a poor password, 6-8 characters in this case.


Inphinity
2704 posts

Uber Geek

Subscriber

  #886443 29-Aug-2013 12:20

andrewNZ: Don't take all this the wrong way, I'm security conscious, and I'm certainly more technically clued up than the average person. I realise these concerns are bordering on ridiculous, but they are still valid.

I don't consider a wallet secure at all, wallets can get lost or stolen, but I don't know of any other more secure way of transporting my cards. I also don't know any way of encrypting the cards. So I'm down to storing these things on my person in a smallish leather holder, or separating them, and seriously limiting where I'd be able to use this "secure" service. No more internet banking on my personal device when I'm not at home.




It depends how far you want to go. Personally, I store my netguard content encrypted on my phone, so to get both my access number & netguard card, someone would need to steal my wallet, and my phone, and work out the unlock password for my phone & the decrypt password for my secure storage. Probability of these events is incredibly low. Even with Mobile Netguard enabled on the app, they'd still have to steal my phone, work out the unlock password for it, and the login password for the bank app.

throbb
659 posts

Ultimate Geek


  #886472 29-Aug-2013 12:50

andrewNZ:
JamesL: Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password


So you either don't carry your Netsafe card, or you don't carry your BNZ eftpos/credit card (because your access number is printed on it).
And we're back to the original problem, a poor password, 6-8 characters in this case.



BNZ passwords are case sensitive, can be letters and numbers. 8 characters is going to take a very long time to brute force crack (years?). I am sure you'll notice your missing wallet and report the cards stolen by then. Plus after 3 incorrect login attempts you get locked out.

andrewNZ

2487 posts

Uber Geek
Inactive user


  #886492 29-Aug-2013 13:20

throbb:
andrewNZ:
JamesL: Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password


So you either don't carry your Netsafe card, or you don't carry your BNZ eftpos/credit card (because your access number is printed on it).
And we're back to the original problem, a poor password, 6-8 characters in this case.



BNZ passwords are case sensitive, can be letters and numbers. 8 characters is going to take a very long time to brute force crack (years?). I am sure you'll notice your missing wallet and report the cards stolen by then. Plus after 3 incorrect login attempts you get locked out.


Once again, I do realise these concerns are bordering on ridiculous now.

While I do agree, there are still a few points about that I'd like to make. 
1) Your wallet doesn't have to be missing, someone only needs a copy of the two things, a photo will do. No need to report something stolen if it isn't missing.

2) You still need to memorise a password (unless you're silly enough to write it down), which makes most passwords a lot less complex. Yes there are still a lot of possibilities, but we've already established that bruteforce probably won't work, so we're down to educated guesses, which can be pretty effective if you have time.

3) IIRC the Netguard cards are replaced every 3 months, that's a pretty long time to be able to research or probe someone.

andrewNZ

2487 posts

Uber Geek
Inactive user


  #886498 29-Aug-2013 13:27

I think I've managed to untie my bonnet and let the bee out :D

Goosey
2194 posts

Uber Geek


  #886500 29-Aug-2013 13:32

andrewNZ: 
We were with BNZ for a short time, and it wound me up that my least secure password was longer than their stupid 8 character limit.


Not sure when you were with BNZ, but I've been using their online banking system for about a year now and my password is 12 chars long. I don't know what the limit is.

