Geekzone: technology news, blogs, forums
Ultimate Geek
+1 received by user: 30


  Reply # 886354 29-Aug-2013 09:53

Inphinity: But, yes, if someone is trying to bruteforce your password, longer is better.


Is that possible with a bank password? They lock after three failed attempts.
In that scenario, does it matter if the password is short?



2086 posts

Uber Geek
+1 received by user: 1173


  Reply # 886379 29-Aug-2013 10:19

kendog:
Inphinity: But, yes, if someone is trying to bruteforce your password, longer is better.


Is that possible with a bank password? They lock after three failed attempts.
In that scenario, does it matter if the password is short?


Probably not, I suppose.

I'm more worried about how they store it. Yes, banks are supposed to be secure, but that doesn't mean they are. Let's say someone manages to get hold of one of these databases, and it turns out the passwords are plain text. They will have a field day.

Yes, there's a guarantee, and so probably no long term loss, but imagine having no access to your money for maybe a week or more while they try to work out what the hell went wrong.




Location: Dunedin

2532 posts

Uber Geek
+1 received by user: 940

Subscriber

  Reply # 886380 29-Aug-2013 10:21

kendog:
Inphinity: But, yes, if someone is trying to bruteforce your password, longer is better.


Is that possible with a bank password? They lock after three failed attempts.
In that scenario, does it matter if the password is short?


It depends partly on what the unlock procedure is, and just how short we're talking. Most of the banks seem to require you to contact them to get the account unlocked, which is a great counter to any sort of brute force attack. In a non-banking situation where, say, getting it wrong 3 times is a 5 minute lockout, unless there's a notification to you that it got locked, the attacker could potentially just keep retrying. The lockout in this case would just extend the time required.

Then it depends on how short the password is, and what acceptable characters are. Again, no bank as far as I'm aware would allow it, but if we were talking a 3-digit PIN, for example, and you get locked out after 3 tries, you have a 0.3% (3 guesses out of 1000 combinations) probability of a successful guess in your 3 attempts before the first lockout. With 3 guesses before a 5 minute lockout, you're looking at just under 28 hours even if it is the final possible combination that you get correct. If it were, say, even a 5-digit PIN, that probability would be 0.003% (3 guesses out of 100,000 combinations). Again, with 3 guesses before a 5 minute lockout, you're talking over 115 days, assuming again the final possible combination was the correct one. Of course, there is always the possibility that someone could guess your PIN/Password within those 3 guesses, but it's all about making the probability of that as low as possible.

But, again, if the lockout is more than a basic timer until it unlocks, well, then we only have the 'probability of successful break before lockout' to worry about - but again, a longer password results in more potential combinations, and thus a lower probability of random guess to get it right.

Let's take a simple example of a bank that allows an 8-character case-insensitive alphanumeric password, and locks you out after 3 incorrect attempts, requiring you to contact the bank to unlock it. There are a bit over 2.8 trillion possible password combinations. That's, uhh... in practical terms, a near-zero probability of guessing it correctly in only 3 attempts. Again, though, with the same criteria except a length of 4, there's just under 1.7 million combinations - while it's still relatively unlikely to be guessed, it's orders of magnitude greater than the length 8 example.

So, simply, for practical purposes it depends how short, and also whether the attacker is making random guesses, or has some sort of base seed - perhaps they've seen you type it, and know that 3 of the 5 characters are g, y, and 7, but aren't totally sure on the order or what the other 2 characters are.
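To put numbers on the lockout reasoning in the post above (and on the later "8 characters will take years" estimate), here is an added Python model that is not from the thread; it assumes the post's own policy values (3 guesses before lock, a 5-minute timed lock, or a hard lock needing a call to the bank) and a uniformly random guesser.

```python
"""Added illustration: online guessing against a lockout policy."""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    attempts_before_lock: int          # guesses allowed before the account locks
    lockout_seconds: Optional[float]   # None = hard lock, manual unlock required


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely secrets, e.g. 10**3 for a 3-digit PIN."""
    return alphabet_size ** length


def p_success_before_lock(space: int, policy: LockoutPolicy) -> float:
    """Chance a random guesser gets in within the guesses allowed before the first lock."""
    return min(policy.attempts_before_lock, space) / space


def worst_case_seconds(space: int, policy: LockoutPolicy) -> float:
    """Time to exhaust the whole space when a lock is only a timed wait.

    A hard lock never expires, so exhaustive search never completes (inf) and
    only p_success_before_lock matters for that policy.
    """
    if policy.lockout_seconds is None:
        return math.inf
    windows = math.ceil(space / policy.attempts_before_lock)
    # No wait after the final window: the last allowed guess is the correct one.
    return (windows - 1) * policy.lockout_seconds


def summarise(alphabet_size: int, length: int, policy: LockoutPolicy) -> dict:
    """Keyspace, pre-lock success probability and worst-case hours for one setup."""
    space = keyspace(alphabet_size, length)
    return {
        "space": space,
        "p_before_lock": p_success_before_lock(space, policy),
        "worst_case_hours": worst_case_seconds(space, policy) / 3600,
    }


if __name__ == "__main__":
    timed = LockoutPolicy(attempts_before_lock=3, lockout_seconds=5 * 60)  # post's assumption
    hard = LockoutPolicy(attempts_before_lock=3, lockout_seconds=None)
    for label, alpha, n in [("3-digit PIN", 10, 3), ("5-digit PIN", 10, 5),
                            ("8-char alnum", 36, 8), ("4-char alnum", 36, 4)]:
        print(label, summarise(alpha, n, timed), summarise(alpha, n, hard))
```

Run as a script it prints the four cases the post walks through: about 27.75 hours and 115.7 days for the timed-lock PINs, and an infinite worst case under the hard lock, where the 0.3% and 0.003% pre-lock probabilities are the only exposure.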

2532 posts

Uber Geek
+1 received by user: 940

Subscriber

  Reply # 886382 29-Aug-2013 10:28

andrewNZ: I'm more worried about how they store it. Yes banks are supposed to be secure, but that doesn't mean they are. Lets say someone manages to get hold of one of these databases, and it turns out the passwords are plain text. They will have a field day.


None of the major banks are storing your password in plain text. I have no idea what smaller, localised banks are around, and what they may be doing. Most of the banks are using a one-way hash. Some may be using reversible encryption.

956 posts

Ultimate Geek
+1 received by user: 346
Inactive user


  Reply # 886383 29-Aug-2013 10:33

BNZ use two factor as well so length really isn't an issue

It may be the core banking system that requires the limitations



2086 posts

Uber Geek
+1 received by user: 1173


  Reply # 886402 29-Aug-2013 11:06

JamesL: BNZ use two factor as well so length really isn't an issue

It may be the core banking system that requires the limitations


I hate BNZ's two factor with a passion (so much so I don't bank with them any more); with their system, the crappy password is still the main security in many situations.
Let's say someone swipes your wallet (or even just gets a look inside); in it you have your BNZ card with your access number printed on it, and your Netsafe card. You're instantly relying on a password between 6 and 8 characters long to protect you. And you know in that situation, if someone gets in, you're going to have to fight to get the bank to stump up.




Location: Dunedin

2532 posts

Uber Geek
+1 received by user: 940

Subscriber

  Reply # 886405 29-Aug-2013 11:10

andrewNZ: Let's say someone swipes your wallet (or even just gets a look inside); in it you have your BNZ card with your access number printed on it, and your Netsafe card.


Can I suggest not storing information you consider sensitive in plain text in an insecure location? ;)

956 posts

Ultimate Geek
+1 received by user: 346
Inactive user


  Reply # 886407 29-Aug-2013 11:22

Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password



2086 posts

Uber Geek
+1 received by user: 1173


  Reply # 886418 29-Aug-2013 11:32

Inphinity:
andrewNZ: Let's say someone swipes your wallet (or even just gets a look inside); in it you have your BNZ card with your access number printed on it, and your Netsafe card.


Can I suggest not storing information you consider sensitive in plain text in an insecure location? ;)


Don't take all this the wrong way, I'm security conscious, and I'm certainly more technically clued up than the average person. I realise these concerns are bordering on ridiculous, but they are still valid.

I don't consider a wallet secure at all, wallets can get lost or stolen, but I don't know of any other more secure way of transporting my cards. I also don't know any way of encrypting the cards. So I'm down to storing these things on my person in a smallish leather holder, or separating them, and seriously limiting where I'd be able to use this "secure" service. No more internet banking on my personal device when I'm not at home.






Location: Dunedin



2086 posts

Uber Geek
+1 received by user: 1173


  Reply # 886422 29-Aug-2013 11:35

JamesL: Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password


So you either don't carry your Netsafe card, or you don't carry your BNZ eftpos/credit card (because your access number is printed on it).
And we're back to the original problem, a poor password, 6-8 characters in this case.





Location: Dunedin

2532 posts

Uber Geek
+1 received by user: 940

Subscriber

  Reply # 886443 29-Aug-2013 12:20

andrewNZ: Don't take all this the wrong way, I'm security conscious, and I'm certainly more technically clued up than the average person. I realise these concerns are bordering on ridiculous, but they are still valid.

I don't consider a wallet secure at all, wallets can get lost or stolen, but I don't know of any other more secure way of transporting my cards. I also don't know any way of encrypting the cards. So I'm down to storing these things on my person in a smallish leather holder, or separating them, and seriously limiting where I'd be able to use this "secure" service. No more internet banking on my personal device when I'm not at home.




It depends how far you want to go. Personally, I store my Netguard content encrypted on my phone, so to get both my access number & Netguard card, someone would need to steal my wallet, and my phone, and work out the unlock password for my phone & the decrypt password for my secure storage. Probability of these events is incredibly low. Even with Mobile Netguard enabled on the app, they'd still have to steal my phone, work out the unlock password for it, and the login password for the bank app.

514 posts

Ultimate Geek
+1 received by user: 111


  Reply # 886472 29-Aug-2013 12:50

andrewNZ:
JamesL: Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password


So you either don't carry your Netsafe card, or you don't carry your BNZ eftpos/credit card (because your access number is printed on it).
And we're back to the original problem, a poor password, 6-8 characters in this case.



BNZ passwords are case sensitive, can be letters and numbers. 8 characters is going to take a very long time to brute force crack (years?). I am sure you'll notice your missing wallet and report the cards stolen by then. Plus after 3 incorrect login attempts you get locked out.



2086 posts

Uber Geek
+1 received by user: 1173


  Reply # 886492 29-Aug-2013 13:20

throbb:
andrewNZ:
JamesL: Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password


So you either don't carry your Netsafe card, or you don't carry your BNZ eftpos/credit card (because your access number is printed on it).
And we're back to the original problem, a poor password, 6-8 characters in this case.



BNZ passwords are case sensitive, can be letters and numbers. 8 characters is going to take a very long time to brute force crack (years?). I am sure you'll notice your missing wallet and report the cards stolen by then. Plus after 3 incorrect login attempts you get locked out.


Once again, I do realise these concerns are bordering on ridiculous now.

While I do agree, there are still a few points about that I'd like to make.
1) Your wallet doesn't have to be missing, someone only needs a copy of the two things, a photo will do. No need to report something stolen if it isn't missing.

2) You still need to memorise a password (unless you're silly enough to write it down), which makes most passwords a lot less complex. Yes there are still a lot of possibilities, but we've already established that bruteforce probably won't work, so we're down to educated guesses, which can be pretty effective if you have time.

3) IIRC the Netguard cards are replaced every 3 months, that's a pretty long time to be able to research or probe someone.




Location: Dunedin



2086 posts

Uber Geek
+1 received by user: 1173


  Reply # 886498 29-Aug-2013 13:27

I think I've managed to untie my bonnet and let the bee out :D




Location: Dunedin

1755 posts

Uber Geek
+1 received by user: 216

Subscriber

  Reply # 886500 29-Aug-2013 13:32

andrewNZ: 
We were with BNZ for a short time, and it wound me up that my least secure password was longer than their stupid 8 character limit.


Not sure when you were with BNZ, but I've been using their online banking system for about a year now and my password is 12 chars long. I don't know what the limit is.

