Geekzone: technology news, blogs, forums
  Reply # 886354 29-Aug-2013 09:53

Inphinity: But, yes, if someone is trying to bruteforce your password, longer is better.


Is that possible with a bank password? They lock after three failed attempts.
In that scenario, does it matter if the password is short?



  Reply # 886379 29-Aug-2013 10:19

kendog:
Inphinity: But, yes, if someone is trying to bruteforce your password, longer is better.


Is that possible with a bank password? They lock after three failed attempts.
In that scenario, does it matter if the password is short?


Probably not I suppose.

I'm more worried about how they store it. Yes banks are supposed to be secure, but that doesn't mean they are. Let's say someone manages to get hold of one of these databases, and it turns out the passwords are plain text. They will have a field day.

Yes, there's a guarantee, and so probably no long term loss, but imagine having no access to your money for maybe a week or more while they try to work out what the hell went wrong.




  Reply # 886380 29-Aug-2013 10:21

kendog:
Inphinity: But, yes, if someone is trying to bruteforce your password, longer is better.


Is that possible with a bank password? They lock after three failed attempts.
In that scenario, does it matter if the password is short?


It depends partly on what the unlock procedure is, and just how short we're talking. Most of the banks seem to require you to contact them to get the account unlocked, which is a great counter to any sort of brute force attack. In a non-banking situation where, say, getting it wrong 3 times is a 5 minute lockout, unless there's a notification to you that it got locked, the attacker could potentially just keep retrying. The lockout in this case would just extend the time required.

Then it depends on how short the password is, and what acceptable characters are. Again, no bank as far as I'm aware would allow it, but if we were talking a 3-digit PIN, for example, and you get locked out after 3 tries, you have a 0.3% (3 guesses out of 1000 combinations) probability of a successful guess in your 3 attempts before the first lockout. With 3 guesses before a 5 minute lockout, you're looking at just under 28 hours even if it is the final possible combination that you get correct. If it were, say, even a 5-digit PIN, that probability would be 0.003% (3 guesses out of 100,000 combinations). Again, with 3 guesses before a 5 minute lockout, you're talking over 115 days, assuming again the final possible combination was the correct one. Of course, there is always the possibility that someone could guess your PIN/Password within those 3 guesses, but it's all about making the probability of that as low as possible.

But, again, if the lockout is more than a basic timer until it unlocks, well, then we only have the 'probability of successful break before lockout' to worry about - but again, a longer password results in more potential combinations, and thus a lower probability of random guess to get it right.

Let's take a simple use example of a bank that allows an 8 character case-insensitive alphanumeric password, and locks you out after 3 incorrect attempts, requiring you to contact the bank to unlock it. There are a bit over 2.8 trillion possible password combinations. That's, uhh... in practical terms, a near-zero probability of guessing it correctly in only 3 attempts. Again, though, with the same criteria except length of 4, there's just under 1.7 million combinations - while it's still relatively unlikely to be guessed, it's orders of magnitude greater than the length 8 example.

So, simply, for practical purposes it depends how short, and also whether the attacker is making random guesses, or has some sort of base seed - perhaps they've seen you type it, and know that 3 of the 5 characters are g, y, and 7, but aren't totally sure on the order or what the other 2 characters are.




Windows 7 x64 // i5-3570K // 16GB DDR3-1600 // GTX660Ti 2GB // Samsung 830 120GB SSD // OCZ Agility4 120GB SSD // Samsung U28D590D @ 3840x2160 & Asus PB278Q @ 2560x1440
Samsung Galaxy S5 SM-G900I w/Spark

  Reply # 886382 29-Aug-2013 10:28

andrewNZ: I'm more worried about how they store it. Yes banks are supposed to be secure, but that doesn't mean they are. Let's say someone manages to get hold of one of these databases, and it turns out the passwords are plain text. They will have a field day.


None of the major banks are storing your password in plain text. I have no idea what smaller, localised banks are around, and what they may be doing. Most of the banks are using a one-way hash. Some may be using reversible encryption.





  Reply # 886383 29-Aug-2013 10:33

BNZ use two factor as well so length really isn't an issue

It may be the core banking system that requires the limitations



  Reply # 886402 29-Aug-2013 11:06

JamesL: BNZ use two factor as well so length really isn't an issue

It may be the core banking system that requires the limitations


I hate BNZ's two factor with a passion (so much so I don't bank with them any more), with their system, the crappy password is still the main security in many situations.
Let's say someone swipes your wallet (or even just gets a look inside), in it you have your BNZ card with your access number printed on it, and your Netsafe card. You're instantly relying on a password between 6 and 8 characters long to protect you. And you know in that situation, if someone gets in, you're going to have to fight to get the bank to stump up.




  Reply # 886405 29-Aug-2013 11:10

andrewNZ: Let's say someone swipes your wallet (or even just gets a look inside), in it you have your BNZ card with your access number printed on it, and your Netsafe card.


Can I suggest not storing information you consider sensitive in plain text in an unsecure location? ;)




  Reply # 886407 29-Aug-2013 11:22

Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password



  Reply # 886418 29-Aug-2013 11:32
One person supports this post

Inphinity:
andrewNZ: Let's say someone swipes your wallet (or even just gets a look inside), in it you have your BNZ card with your access number printed on it, and your Netsafe card.


Can I suggest not storing information you consider sensitive in plain text in an unsecure location? ;)


Don't take all this the wrong way, I'm security conscious, and I'm certainly more technically clued up than the average person. I realise these concerns are bordering on ridiculous, but they are still valid.

I don't consider a wallet secure at all, wallets can get lost or stolen, but I don't know of any other more secure way of transporting my cards. I also don't know any way of encrypting the cards. So I'm down to storing these things on my person in a smallish leather holder, or separating them, and seriously limiting where I'd be able to use this "secure" service. No more internet banking on my personal device when I'm not at home.






  Reply # 886422 29-Aug-2013 11:35

JamesL: Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password


So you either don't carry your Netsafe card, or you don't carry your BNZ eftpos/credit card (because your access number is printed on it).
And we're back to the original problem, a poor password, 6-8 characters in this case.





  Reply # 886443 29-Aug-2013 12:20

andrewNZ:Don't take all this the wrong way, I'm security conscious, and I'm certainly more technically clued up than the average person. I realise these concerns are bordering on ridiculous, but they are still valid.

I don't consider a wallet secure at all, wallets can get lost or stolen, but I don't know of any other more secure way of transporting my cards. I also don't know any way of encrypting the cards. So I'm down to storing these things on my person in a smallish leather holder, or separating them, and seriously limiting where I'd be able to use this "secure" service. No more internet banking on my personal device when I'm not at home.




It depends how far you want to go. Personally, I store my netguard content encrypted on my phone, so to get both my access number & netguard card, someone would need to steal my wallet, and my phone, and work out the unlock password for my phone & the decrypt password for my secure storage. Probability of these events is incredibly low. Even with Mobile Netguard enabled on the app, they'd still have to steal my phone, work out the unlock password for it, and the login password for the bank app.




  Reply # 886472 29-Aug-2013 12:50

andrewNZ:
JamesL: Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password


So you either don't carry your Netsafe card, or you don't carry your BNZ eftpos/credit card (because your access number is printed on it).
And we're back to the original problem, a poor password, 6-8 characters in this case.



BNZ passwords are case sensitive, can be letters and numbers. 8 characters is going to take a very long time to brute force crack (years?). I am sure you'll notice your wallet is missing and report the cards stolen by then. Plus after 3 incorrect login attempts you get locked out.
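The lockout arithmetic from Inphinity's post above (3-digit and 5-digit PINs with 3 guesses per 5-minute lockout, 8- and 4-character case-insensitive alphanumeric passwords) and the case-sensitive 8-character space mentioned in this reply, worked through as an added example that is not from the thread. The guess rate for the offline case is an assumed placeholder; it is only there to contrast a leaked hash (no lockout) with the online lockout the posters describe.

```python
import math


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def guess_probability(space: int, attempts: int) -> float:
    """Chance that `attempts` distinct random guesses hit a password drawn
    uniformly from `space` (i.e. success before the first lockout)."""
    return min(attempts, space) / space


def worst_case_minutes(space: int, attempts_per_window: int, lockout_minutes: float) -> float:
    """Wall-clock time to exhaust the whole space when each block of
    `attempts_per_window` wrong guesses is followed by a timed lockout.
    Guessing is treated as instantaneous; only the waits are counted, which
    matches the thread's 'just under 28 hours' and 'over 115 days' figures."""
    windows = math.ceil(space / attempts_per_window)
    return (windows - 1) * lockout_minutes


def offline_seconds(space: int, guesses_per_second: float) -> float:
    """Time to exhaust the space against a leaked hash, where no lockout
    applies. `guesses_per_second` is an assumed figure, not a measurement."""
    return space / guesses_per_second


if __name__ == "__main__":
    # Inphinity's PIN examples: 3 guesses, then a 5 minute lockout.
    for digits in (3, 5):
        space = keyspace(10, digits)
        print(f"{digits}-digit PIN: p(success in 3) = {guess_probability(space, 3):.5%}, "
              f"worst case {worst_case_minutes(space, 3, 5) / 60:.1f} hours")
    # Case-insensitive alphanumeric (36 symbols) at lengths 8 and 4.
    print("36^8 =", keyspace(36, 8), " 36^4 =", keyspace(36, 4))
    # Case-sensitive letters and digits (62 symbols) at length 8, as in this reply.
    space62 = keyspace(62, 8)
    print("62^8 =", space62, " p(success in 3) =", guess_probability(space62, 3))
    # Same space against a leaked hash at an assumed 1e9 guesses/s (placeholder rate).
    print("offline, no lockout:", offline_seconds(space62, 1e9) / 86400, "days")
```

The online figures show why a contact-the-bank lockout makes length almost irrelevant to random guessing, while the offline figure shows why the storage question raised earlier in the thread (plain text vs. a one-way hash) still matters.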



  Reply # 886492 29-Aug-2013 13:20

throbb:
andrewNZ:
JamesL: Even if that person was silly enough to store their access number and netsafe card in the same place, they still don't have your password


So you either don't carry your Netsafe card, or you don't carry your BNZ eftpos/credit card (because your access number is printed on it).
And we're back to the original problem, a poor password, 6-8 characters in this case.



BNZ passwords are case sensitive, can be letters and numbers. 8 characters is going to take a very long time to brute force crack (years?). I am sure you'll notice your wallet is missing and report the cards stolen by then. Plus after 3 incorrect login attempts you get locked out.


Once again, I do realise these concerns are bordering on ridiculous now.

While I do agree, there are still a few points about that I'd like to make. 
1) Your wallet doesn't have to be missing, someone only needs a copy of the two things, a photo will do. No need to report something stolen if it isn't missing.

2) You still need to memorise a password (unless you're silly enough to write it down), which makes most passwords a lot less complex. Yes there are still a lot of possibilities, but we've already established that bruteforce probably won't work, so we're down to educated guesses, which can be pretty effective if you have time.

3) IIRC the Netguard cards are replaced every 3 months, that's a pretty long time to be able to research or probe someone.




  Reply # 886498 29-Aug-2013 13:27
One person supports this post

I think I've managed to untie my bonnet and let the bee out :D




  Reply # 886500 29-Aug-2013 13:32

andrewNZ: 
We were with BNZ for a short time, and it wound me up that my least secure password was longer than their stupid 8 character limit.


Not sure when you were with BNZ, but I've been using their online banking system for about a year now and my password is 12 chars long. I don't know what the limit is.

