Geekzone: technology news, blogs, forums
  Reply # 886501 29-Aug-2013 13:32

andrewNZ:
Once again, I do realise these concerns are bordering on ridiculous now.


There has to be a level of practicality and usability maintained. Nothing is going to be both totally secure and usable by the end user. As above, if you're concerned about someone getting (or even seeing) your access code and netguard card when you open your wallet, don't store both together. Even if they do, they need to know your password, or be able to guess it in <4 attempts. So have a reasonably secure password, and you're about as safe as it is practical to be. If you choose a stupidly obvious password, well, no amount of other precautions are going to save you from yourself ;)

  Reply # 886506 29-Aug-2013 13:38

Goosey:
andrewNZ: 
We were with BNZ for a short time, and it wound me up that my least secure password was longer than their stupid 8 character limit.


Not sure when you were with BNZ, but I've been using their online banking system for about a year now and my password is 12 chars long. I don't know what the limit is.



Well that's good to know, I'm glad they rectified that.
I'd love to know if there's a limit now.

  Reply # 886681 29-Aug-2013 18:36

andrewNZ:
Goosey:
andrewNZ: 
We were with BNZ for a short time, and it wound me up that my least secure password was longer than their stupid 8 character limit.


Not sure when you were with BNZ, but I've been using their online banking system for about a year now and my password is 12 chars long. I don't know what the limit is.



Well that's good to know, I'm glad they rectified that.
I'd love to know if there's a limit now.

I really think you have nothing to worry about using short passwords for banking.
Some simple things will help, like mixed case, alphanumeric characters, and using the first letters from a phrase, song or saying rather than an actual word. I use all the above and would be amazed if anyone could guess my 6 character password in three tries.

One final tip, make your banking password unique. As in don't use it for any other sites or work.

  Reply # 886704 29-Aug-2013 19:15

kendog:
andrewNZ:
Goosey:
andrewNZ:
We were with BNZ for a short time, and it wound me up that my least secure password was longer than their stupid 8 character limit.


Not sure when you were with BNZ, but I've been using their online banking system for about a year now and my password is 12 chars long. I don't know what the limit is.



Well that's good to know, I'm glad they rectified that.
I'd love to know if there's a limit now.

I really think you have nothing to worry about using short passwords for banking.
Some simple things will help, like mixed case, alphanumeric characters, and using the first letters from a phrase, song or saying rather than an actual word. I use all the above and would be amazed if anyone could guess my 6 character password in three tries.

One final tip, make your banking password unique. As in don't use it for any other sites or work.

I don't know quite how to convey my level of ability, let's for the moment just assume I'm pretty bloody clever ;), and I'm not offended in any way.

I'm more than familiar with password creation strength and best practice from a user side. I don't fully understand best practice for password handling from a providers point of view.

I also really don't get the whole "it's a bank, it'll be fine" attitude. Assuming something is OK just because it should be is not the way to look at things, it's dangerous, and it'll get you in the poo real fast.
I agree, it probably will be fine, but we should still be questioning things that look questionable. 
It seems there are systems getting compromised every other week, and several high profile ones have been caught with plain text passwords in the database. You'd think it'd be a lesson to the rest, but the stories just keep coming. I fully expect to see a story about a big bank being caught doing the same thing. A system is only as good as the people who implemented it.

Really, I just don't think I should have to come up with a short password (which goes against everything I believe), just because the bank can't be arsed letting me use a longer one. If I want to type a novel, that should be up to me.

  Reply # 886723 29-Aug-2013 19:59

Most banks are quite clear and public about how they implement security (obviously not in detail), but they like to say they have 'this and that'. Why don't you ask your bank or check out their website etc.
Remember there is also an onus on you to comply with your own security, including protecting yourself against all types of viruses and spying methods. The old saying: 'clear your browser history and clean up the cookies etc'.

  Reply # 886729 29-Aug-2013 20:11

andrewNZ:
I also really don't get the whole "it's a bank, it'll be fine" attitude.


It's not a "They're a bank, it'll be fine" approach, it's a "They're a bank, which means there are regulations and requirements around security that they have to meet, and most are regularly audited on, especially if they're a member of the NZ Bankers Association", and having been involved with several of them during credit fraud investigations, I am confident that most of the major banks' data security is kept to a high standard. It's also one of the industries that is most reliant on legacy internal systems still, due to the upheaval that upgrades and replacements of some systems entail, and I suspect this is a reason for password restrictions in many cases. Sure, it'd be nice to allow more flexibility on their passwords, but I have more confidence in the security of my banking login than in practically any other online credentials I use, due to the relatively random login name, password, and 2-factor auth for most loss-risk transactions.

  Reply # 886731 29-Aug-2013 20:22

Inphinity: having been involved with several of them during credit fraud investigations, I am confident that most of the major banks data security is kept to a high standard.


Now that makes me feel a lot better. Thanks.

  Reply # 886953 30-Aug-2013 10:38

No offence intended andrewNZ.
I was just throwing out some tips for anyone viewing this thread.

I have worked for one of the big banks for 20+ years, 10 years in IT and the last 6 in online banking.

If all the banks follow our checks, controls and processes there is nothing to worry about. Online banking security is a very serious topic, given the transaction volumes.

My personal opinion, the need to increase password length and complexity is related to the surrounding controls applied at login and transaction completion.

  Reply # 1303154 12-May-2015 20:55

2 years on and you still can't have a password longer than 8 characters, seriously what is up with that?

Really frustrating as I would like to change my password to a more secure one.

  Reply # 1304835 13-May-2015 21:43

lNomNoml: 2 years on and you still can't have a password longer than 8 characters, seriously what is up with that?

Really frustrating as I would like to change my password to a more secure one.

For what reason do you want a longer password? It is no safer for banking.

  Reply # 1304839 13-May-2015 22:00

I questioned ASB on this a year or so ago and their view was that 8 non-case-sensitive character passwords were enough due to users' usernames/access codes being set by the user. So unless you have your username/access code written in your wallet and can't think of something creative under 8 characters, they are probably correct in that it's still fairly secure.

Obviously not secure enough for business banking though as those passwords can be longer and are case sensitive.... go figure.

  Reply # 1304890 14-May-2015 08:30

insane: I questioned ASB on this a year or so ago and their view was that 8 non-case-sensitive character passwords were enough due to users' usernames/access codes being set by the user. So unless you have your username/access code written in your wallet and can't think of something creative under 8 characters, they are probably correct in that it's still fairly secure.

Obviously not secure enough for business banking though as those passwords can be longer and are case sensitive.... go figure.


Some businesses have their own policies around password requirements, so the banks may provide additional capability to meet these policies.
As long as the bank blocks access after 'x' failed attempts, it doesn't matter how long or strong the password is.

  Reply # 1305366 14-May-2015 19:08

I'd totally forgotten about this conversation.

I realise that it isn't a security risk as such. But I do think it's totally ridiculous to restrict people to such short passwords. As I think I've already stated, the shortest password I use for low security purposes is longer than 8 characters, and if you knew it, you'd agree it is pretty basic.

mdf
  Reply # 1305407 14-May-2015 19:54

Some fabulous arstechnica and wired articles on this subject:

http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/1/

http://www.wired.co.uk/news/archive/2013-05/28/password-cracking/viewall

The usual way of calculating password strength is basically down to its length and the types of characters used. This is true if you assume your hacker is going to apply a brute force attack for everything from "aaaaaaa" through "aaaaaz" and so on. But in actual fact, hackers apply a variety of "password recovery tools" with pattern recognition, dictionary list and password list algorithms to massively shorten the time taken.

Essentially, the *only* secure password is a genuinely random combination of letters, numbers and symbols, not using c0mm0n subst1tut10n5. Keyboard walks and any other kind of patterns are out. Even the xkcd battery horse staple thing can be relatively easily cracked using combinator attacks.

In practice, this means you need to use either a password manager or a really good mnemonic. And throw some random characters into the mnemonic just to be safe.
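
An added example, not part of mdf's post or of the linked articles, of the combinator and rule-based attack described above. Everything in it is constructed for illustration: the eight-word wordlist, the mangling rules, the target passwords, and unsalted SHA-1 standing in for whatever fast hash a breached database might hold. What it shows is that "correct horse battery staple" and a leet-mangled two-word password both fall out of a few hundred thousand guesses, while a short random string is never in the candidate space at all:

```python
import hashlib
import itertools

# Constructed toy wordlist. A real attack runs the same mechanics over
# leaked-password lists with tens of millions of entries.
WORDLIST = ["correct", "horse", "battery", "staple",
            "password", "summer", "bank", "kiwi"]
SEPARATORS = ("", "-", " ")
SUFFIXES = ("", "1", "123", "!", "2015")
# The c0mm0n subst1tut10n5 mdf mentions, applied as one rule.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def fast_hash(password: str) -> str:
    """Stand-in for an unsalted fast hash (assumption for the example)."""
    return hashlib.sha1(password.encode()).hexdigest()


def mangle(base: str):
    """Rule-based variants of one base string: case, leet, common suffixes."""
    forms = dict.fromkeys([
        base, base.capitalize(), base.upper(),
        base.translate(LEET), base.capitalize().translate(LEET),
    ])
    for form in forms:
        for suffix in SUFFIXES:
            yield form + suffix


def candidates(wordlist=WORDLIST, max_words=2):
    """Combinator attack: every ordered combination of up to max_words
    words, joined by each separator, then pushed through the rules.
    Duplicates (e.g. single words under every separator) are skipped."""
    seen = set()
    for n_words in range(1, max_words + 1):
        for combo in itertools.product(wordlist, repeat=n_words):
            for sep in SEPARATORS:
                for guess in mangle(sep.join(combo)):
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def crack(target_hash: str, wordlist=WORDLIST, max_words=2):
    """Try candidates against one stolen hash.
    Returns (password, guesses_tried) or (None, guesses_tried)."""
    tried = 0
    for guess in candidates(wordlist, max_words):
        tried += 1
        if fast_hash(guess) == target_hash:
            return guess, tried
    return None, tried


if __name__ == "__main__":
    # Constructed targets: a leet two-word password, the xkcd passphrase,
    # and a short random string that no wordlist-based search reaches.
    for pw, max_words in (("C0rr3ct-h0r53!", 2),
                          ("correct horse battery staple", 4),
                          ("x7Qp!9zL", 2)):
        found, n = crack(fast_hash(pw), max_words=max_words)
        print(f"{pw!r}: {'found' if found else 'not found'} after {n} guesses")
```

The random 8-character string survives only because no rule generates it, not because it is long: with the ASB-style 36-character case-insensitive alphabet its full keyspace is under 3e12, which is minutes of work for a GPU against an unsalted fast hash once the hash has been stolen. That is the split the rest of the thread argues over.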

  Reply # 1305462 14-May-2015 20:51

Or be content in that they only get 3 or so guesses before it stops working for a period of time, or in some cases till you call them, so that brute forcing the web facing login page isn't going to happen.

If you have the same password as your hobby forum and your login to your unsecured webmail then you are screwed no matter how long the password is.

If the bank gets taken and the passwords swiped off it, then who really cares that yours may crack a little quicker than others, because that becomes well and truly the banks issue.

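
The two positions in this thread, kendog's (with a lockout after a few failed attempts, length and strength barely matter) and richms's (if the hashes are stolen, a short password just cracks a little quicker), are both claims about guess budgets, and the following added example puts numbers on them. It is not from any poster. The policies, the three-guess lockout and the hash rates (1e10/s for an unsalted fast hash on a GPU, 1e4/s for a deliberately slow hash such as bcrypt) are assumptions for illustration, and passwords are treated as uniformly random, which human-chosen ones are not, so real figures are worse for the defender:

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Policies compared as (alphabet size, length). 36 is a-z plus 0-9, i.e. an
# 8-character password compared case-insensitively as the thread describes
# for ASB; 95 is the full printable ASCII set.
POLICIES = {
    "8 chars, case-insensitive alphanumeric": (36, 8),
    "8 chars, full printable ASCII": (95, 8),
    "12 chars, case-insensitive alphanumeric": (36, 12),
    "16 chars, full printable ASCII": (95, 16),
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords the policy allows."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of a uniformly random password under the policy."""
    return length * math.log2(alphabet_size)


def online_success_probability(alphabet_size: int, length: int, guesses: int) -> float:
    """Attacker guessing at the live login page, which locks the account
    after `guesses` failures: the budget is `guesses` tries, full stop."""
    return guesses / keyspace(alphabet_size, length)


def offline_expected_seconds(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Attacker holding a stolen hash with no lockout: on average half the
    keyspace is tried before a uniformly random password is found."""
    return keyspace(alphabet_size, length) / 2 / hashes_per_second


def compare(policies=POLICIES, lockout_guesses=3,
            fast_hash_rate=1e10, slow_hash_rate=1e4):
    """One row per policy. fast_hash_rate and slow_hash_rate are assumed
    attacker rates for an unsalted fast hash and for a slow hash; both are
    illustrative, not measurements."""
    rows = {}
    for name, (alphabet, length) in policies.items():
        rows[name] = {
            "bits": round(entropy_bits(alphabet, length), 1),
            "online_p_success": online_success_probability(alphabet, length, lockout_guesses),
            "offline_fast_hash_years":
                offline_expected_seconds(alphabet, length, fast_hash_rate) / SECONDS_PER_YEAR,
            "offline_slow_hash_years":
                offline_expected_seconds(alphabet, length, slow_hash_rate) / SECONDS_PER_YEAR,
        }
    return rows


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:40s} {row['bits']:6.1f} bits  "
              f"online p={row['online_p_success']:.1e}  "
              f"offline fast={row['offline_fast_hash_years']:.2e} y  "
              f"slow={row['offline_slow_hash_years']:.2e} y")
```

Running it shows the two columns that matter. Against the live login with a three-try lockout, every policy has a success probability around 1e-12 or below, which is kendog's point. Against a stolen unsalted fast hash, the 8-character case-insensitive policy falls in about two minutes while 12 characters takes years, so the length restriction matters exactly in the case richms calls the bank's problem; a slow hash on the bank's side stretches the 8-character case to years as well, which is why the server-side storage choice andrewNZ asked about matters more than the limit itself.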