
JonnyCam (643 posts, Ultimate Geek, ID Verified)
#279633 29-Oct-2020 11:02

I've asked Westpac a few times in the last few years (since early 2018 when they launched Westpac One) why they don't have case sensitive passwords on their online banking.

They've responded in the past that increasing complexity just makes people write the password down, so it's less secure.

Pointed out that their own security guidance on the site said to use a mix of upper & lower for a strong password. To fix this anomaly, they removed that guidance :)

I was talking to them about something else - asking if they would consider having their Online Guard OTP codes generated in the Westpac One app (fingerprint protected) instead of insecure SMS codes.

Again, I brought up the password issue, then asked if their staff need to use a strong password to login, and if so - why their customers don't get the same courtesy (I'm also not sure what the impact on their PCI compliance would be with me accessing their systems with a case insensitive password).

They have confirmed as of today, passwords are case sensitive. I've tested mine, but being cynical, can someone else try theirs in the wrong case and see that it fails?


Yogi02 (238 posts, Master Geek)
#2593152 29-Oct-2020 11:11

Mine's case sensitive - failed using wrong case.




timmmay (20574 posts, Uber Geek, Trusted, Lifetime subscriber)
#2593159 29-Oct-2020 11:21

How could a case insensitive password even work? For security, passwords should be salted and hashed with the resulting hash stored; logins hash the password sent in to see if the user gets access. Case insensitive implies they used to store the password, or do something else tricky to work around the hash thing.


BlinkyBill (1443 posts, Uber Geek, Inactive user)
#2593163 29-Oct-2020 11:31

Why is hashing/salting passwords more secure compared to using a complex password generated by a tool like 1Password? Aren't there de-hashing algos out there?




timmmay (20574 posts, Uber Geek, Trusted, Lifetime subscriber)
#2593164 29-Oct-2020 11:33

BlinkyBill:

Why is hashing/salting passwords more secure compared to using a complex password generated by a tool like 1Password? Aren't there de-hashing algos out there?

If a company hashes and salts a password then stores the result they are effectively not holding a user password, and therefore they cannot leak it. Read up on SHA256 - a hash is a one way mathematical function.


JonnyCam (643 posts, Ultimate Geek, ID Verified)
#2593165 29-Oct-2020 11:35

timmmay:

How could a case insensitive password even work? For security, passwords should be salted and hashed with the resulting hash stored; logins hash the password sent in to see if the user gets access. Case insensitive implies they used to store the password, or do something else tricky to work around the hash thing.

To be honest, I hadn't even thought of that part. I didn't have to save my password again, so they didn't remove case when I last changed it. What are the other tricks (apart from storing multiple versions of a hashed password in different case combos)?


darthkram (59 posts, Master Geek)
#2593167 29-Oct-2020 11:36

timmmay:

How could a case insensitive password even work? For security, passwords should be salted and hashed with the resulting hash stored; logins hash the password sent in to see if the user gets access. Case insensitive implies they used to store the password, or do something else tricky to work around the hash thing.

The way to do this would be to convert the password to lower (or upper) case before it is hashed/salted. This way you can get around needing to store multiple versions/the password in plaintext.

When a user logs in, before checking against the stored hash just do the same operation on what the user typed in.


duckDecoy (896 posts, Ultimate Geek, Subscriber)
#2593175 29-Oct-2020 11:54

timmmay:

BlinkyBill:

Why is hashing/salting passwords more secure compared to using a complex password generated by a tool like 1Password? Aren't there de-hashing algos out there?

If a company hashes and salts a password then stores the result they are effectively not holding a user password, and therefore they cannot leak it. Read up on SHA256 - a hash is a one way mathematical function.

This.

Hashes used for password purposes are one way, you put text in one end and out the other end comes gibberish. If you put the same text in it always generates the same gibberish. But you cannot reverse it, you cannot take the gibberish and reverse it into the password.

So the user enters their password, it's hashed into gibberish, and that gibberish is checked against the gibberish saved in the password database to see if the user has entered the correct password. If the company loses control of the password database all the hackers get is gibberish, which isn't much help.

There are even better options, like SQRL. In this case the server doesn't even store ANY secrets (password, username etc) so there is absolutely nothing to steal. Private and public key checking prove to the server that it is in fact you trying to log in, and it lets you in. It's bloody genius. If anyone is interested in secure logins to sites I highly recommend taking a look: https://www.grc.com/sqrl/sqrl.htm

timmmay (20574 posts, Uber Geek, Trusted, Lifetime subscriber)
#2593184 29-Oct-2020 12:04

darthkram:

timmmay:

How could a case insensitive password even work? For security, passwords should be salted and hashed with the resulting hash stored; logins hash the password sent in to see if the user gets access. Case insensitive implies they used to store the password, or do something else tricky to work around the hash thing.

The way to do this would be to convert the password to lower (or upper) case before it is hashed/salted. This way you can get around needing to store multiple versions/the password in plaintext.

When a user logs in, before checking against the stored hash just do the same operation on what the user typed in.

Yeah, duh, that makes sense.


BlinkyBill (1443 posts, Uber Geek, Inactive user)
#2593190 29-Oct-2020 12:18

duckDecoy:

...

Hashes used for password purposes are one way, you put text in one end and out the other end comes gibberish. If you put the same text in it always generates the same gibberish. But you cannot reverse it, you cannot take the gibberish and reverse it into the password.

...

I'm with you, but I had understood you *could* reverse-engineer a hashed password. It's a brute-force approach and takes time, and some hashing algos take a lot longer than others, but it is doable?


duckDecoy (896 posts, Ultimate Geek, Subscriber)
#2593236 29-Oct-2020 12:37

BlinkyBill:

duckDecoy:

...

Hashes used for password purposes are one way, you put text in one end and out the other end comes gibberish. If you put the same text in it always generates the same gibberish. But you cannot reverse it, you cannot take the gibberish and reverse it into the password.

...

I'm with you, but I had understood you *could* reverse-engineer a hashed password. It's a brute-force approach and takes time, and some hashing algos take a lot longer than others, but it is doable?

I'm not sure you could reverse-engineer it per se. Hashes are one-way functions, they cannot be made to work in reverse.

What you can do is try all possible INPUTS (passwords) and see if you generate one of the hashed outputs. If you get a match then you know the password (input) for that hashed output. Theoretically you could create a huge table of all the input and output combinations, and if you steal a hashed password database then you can look up the hash output to find the corresponding input (password). But (a) they would be seriously(!) huge and take a long time to compute, and (b) sites often "salt" the inputs with some random additional stuff which means anyone who precomputed the input-output hashes using the known hash algorithm is out of luck because they didn't know to make this adjustment.

EDIT: clarity
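To make the difference between a precomputed table and a salted hash concrete, here is an added Python example (not code from any poster or from Westpac): it builds a lookup table over a small constructed candidate list with plain SHA-256, shows that a leaked digest of a common password is found instantly, and then shows that the same password hashed with a per-user random salt through PBKDF2 is simply not in the table. The wordlist, salt length and iteration count are assumptions for illustration.

```python
import hashlib
import os

# Constructed example wordlist standing in for the "huge table" of candidate
# passwords duckDecoy describes; a real table would hold billions of entries.
CANDIDATES = ["password", "letmein", "sunshine", "qwerty123", "Summer2020"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the same input always gives the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute digest -> password for every candidate in the list."""
    return {unsalted_hash(pw): pw for pw in candidates}


def reverse_by_lookup(table: dict, digest: str):
    """Recover a password from its digest only if it was precomputed; None otherwise."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-user random salt (assumed work factor).
    The salt is stored next to the digest and is not secret, but because the
    digest now depends on it, no table computed in advance can contain it."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return dk.hex()


def demo():
    table = build_lookup_table(CANDIDATES)

    # Unsalted: a leaked digest of a common password is found by one dictionary lookup.
    leaked = unsalted_hash("sunshine")
    hit = reverse_by_lookup(table, leaked)

    # Salted: same password, but the digest depends on the random salt too,
    # so the precomputed table never contains it.
    salt = os.urandom(16)
    miss = reverse_by_lookup(table, salted_hash("sunshine", salt))

    # Two users with the same password get different salted digests,
    # so one cracked hash says nothing about the other account.
    other_salt = os.urandom(16)
    same_pw_differs = salted_hash("sunshine", salt) != salted_hash("sunshine", other_salt)
    return hit, miss, same_pw_differs


if __name__ == "__main__":
    print(demo())  # ('sunshine', None, True)
```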


JonnyCam (643 posts, Ultimate Geek, ID Verified)
#2593269 29-Oct-2020 13:37

duckDecoy:

I'm not sure you could reverse-engineer it per se. Hashes are one-way functions, they cannot be made to work in reverse.

What you can do is try all possible INPUTS (passwords) and see if you generate one of the hashed outputs. If you get a match then you know the password (input) for that hashed output. Theoretically you could create a huge table of all the input and output combinations, and if you steal a hashed password database then you can look up the hash output to find the corresponding input (password). But (a) they would be seriously(!) huge and take a long time to compute, and (b) sites often "salt" the inputs with some random additional stuff which means anyone who precomputed the input-output hashes using the known hash algorithm is out of luck because they didn't know to make this adjustment.

EDIT: clarity

I remembered seeing this video a while back, and it was interesting (as are a lot of the videos in the channel) - it deals with breaking hashed passwords (weak ones maybe).

Every time I tried to paste the link I got a captcha, then a 403 after trying to find all the boats & bikes :)

So, the video link is on YouTube, query string: watch?v=7U-RbOKanYs

Cheers

Thanks


Lightbulb
#2593279 29-Oct-2020 13:43

My current password was created with a mix of upper and lower case. But I soon realised that I didn't need to use any upper case to log in. So I have only been using lower case to log in. Now I can't remember which parts of my password are upper case and lower case.

So I need to reset my password!!

JonnyCam (643 posts, Ultimate Geek, ID Verified)
#2593280 29-Oct-2020 13:44

Lightbulb:

My current password was created with a mix of upper and lower case. But I soon realised that I didn't need to use any upper case to log in. So I have only been using lower case to log in. Now I can't remember which parts of my password are upper case and lower case.

So I need to reset my password!!

Sorry :)


JoshWright (398 posts, Ultimate Geek, ID Verified, Trusted)
#2593713 29-Oct-2020 23:25

I've just tested this on the Westpac One web app and it does appear to be case sensitive for me.

On a related note, it pains me immensely that there's no option to force 2FA on all logins.

I would love to be able to use a non-SMS authenticator for every login, but there's no such option.


Aaron2222 (216 posts, Master Geek)
#2595697 31-Oct-2020 22:14

Lightbulb:

My current password was created with a mix of upper and lower case. But I soon realised that I didn't need to use any upper case to log in. So I have only been using lower case to log in. Now I can't remember which parts of my password are upper case and lower case.

So I need to reset my password!!

If they just upper or lower cased the password before hashing, then they wouldn't be able to switch to case sensitive passwords while keeping the original case without having kept a hash of the original password.
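As an added Python example (not Westpac's code or any poster's), this puts the normalise-before-hashing scheme darthkram describes beside a case-sensitive one, and works through the migration problem Aaron2222 raises: a legacy record cannot be upgraded from its stored hash, only from the plaintext typed at the next successful login, which captures whatever case the user typed that day. The record layout, field names and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str, case_sensitive: bool) -> dict:
    """Create a stored credential. A legacy (case-insensitive) record lower-cases
    the password before hashing, so the original case is never stored anywhere."""
    salt = os.urandom(16)
    material = password if case_sensitive else password.lower()
    return {"salt": salt, "hash": _pbkdf2(material, salt), "case_sensitive": case_sensitive}


def verify(record: dict, typed: str) -> bool:
    """Apply the same normalisation the record was created with, then compare
    the digests in constant time."""
    material = typed if record["case_sensitive"] else typed.lower()
    return hmac.compare_digest(record["hash"], _pbkdf2(material, record["salt"]))


def login_and_migrate(record: dict, typed: str):
    """Verify, and on success replace a legacy record with a case-sensitive one.
    Login is the only moment the server sees the plaintext again, so the new
    hash locks in the case the user typed *this* time, not the case they chose
    when the password was first set."""
    if not verify(record, typed):
        return False, record
    if not record["case_sensitive"]:
        record = make_record(typed, case_sensitive=True)
    return True, record


def demo():
    legacy = make_record("CorrectHorse", case_sensitive=False)
    ok_wrong_case = verify(legacy, "correcthorse")            # legacy accepts any case
    ok, migrated = login_and_migrate(legacy, "correcthorse")  # user typed all lower case
    after_lower = verify(migrated, "correcthorse")            # now the only accepted form
    after_original = verify(migrated, "CorrectHorse")         # original case no longer works
    return ok_wrong_case, ok, migrated["case_sensitive"], after_lower, after_original
```

Run `demo()` and the last two values show Lightbulb's situation exactly: after migrating on an all-lower-case login, the mixed-case original is rejected and only the typed form remains valid.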

