Geekzone: technology news, blogs, forums
274 posts

Ultimate Geek


  # 989098 17-Feb-2014 18:38

Why do strong passwords matter when you only get four attempts to login before the access is locked?
My password is not strong, but I can't see how my banking is at risk.

22336 posts

Uber Geek

Trusted
Subscriber

  # 989264 17-Feb-2014 22:02

Also the support costs and added bad-will because of people getting locked out because they don't understand what case sensitivity is would be huge compared to the small chance someone may see someone type their password but not know if that was a capital or not and get in before locking the account out.




Richard rich.ms



2958 posts

Uber Geek


  # 989274 17-Feb-2014 22:21
One person supports this post

richms: Also the support costs and added bad-will because of people getting locked out because they don't understand what case sensitivity is would be huge compared to the small chance someone may see someone type their password but not know if that was a capital or not and get in before locking the account out.


We pay fees for a reason, I'm fairly sure they have enough spare cash to do a password reset every so often. Plus, the majority of people know what upper and lower cases are. Most places require upper and lower case characters in passwords already, so I'm sure those few people will be used to it soon.




Bachelor of Computing Systems (2015)


Late 2013 MacBook Pro with Retina Display (4GB/2.4GHz i5/128GB SSD) - HP DV6 (8GB/2.8GHz i7/120GB SSD + 750GB HDD)
iPhone 6S + (64GB/Gold/Vodafone NZ) - Xperia Z C6603 (16GB/White/Spark NZ)

Sam, Auckland 


36 posts

Geek

Trusted
ASB

  # 989291 17-Feb-2014 22:31
4 people support this post

Hi everyone and please allow us to contribute to this discussion on password features. We have been reading your comments and have interacted with many of you previously on this issue when you have raised your concerns directly with us. We acknowledge that customers want to be able to use longer passwords and passwords that are case-sensitive. As a few of you have already pointed out, two-factor authentication is available either by SMS or token if you'd prefer an extra layer of security each time you log in. Some risks to password authentication, such as phishing and theft by malware, are not solved by stronger passwords so two-factor authentication remains a good option.

We currently have a programme underway which will address many of the concerns raised here. At present we don't have concrete delivery timeframes that we can share with you, but we undertake to do this when we are able to. Password security is a complex area, and as it affects nearly all of our customers, we want to make sure when we introduce changes that we get it right. For those of you who would like to be involved in user testing an early release, please email us at social.media@asb.co.nz and we will be in touch closer to the time.

We do reiterate that two-factor authentication is an option you can enable at login. There is no charge for the SMS messages, or if you prefer a token there is a monthly $1 charge (ideal if, for example, you travel overseas). This can be enabled within FastNet Classic via Personal Details/Set Netcode at Sign on. You can also set your Netcode daily limit to be as low as you like (down to $1) depending on your risk appetite. This will trigger a Netcode for those eligible payments over that cumulative daily limit. Lastly, our fraud team is constantly on the go behind the scenes, reviewing suspicious transactions and alerting customers about unusual activity on their accounts.

Thank you again for all the frank feedback and comments on this thread, and we look forward to sharing the changes with you when we are able to.

- Fiona Colgan, General Manager Digital




Social Media team, ASB Bank Ltd www.asb.co.nz/social

22336 posts

Uber Geek

Trusted
Subscriber

  # 989311 17-Feb-2014 22:46
One person supports this post

Can we just PM you our customer ID to get in on anything new and improved instead?




Richard rich.ms

19282 posts

Uber Geek
Inactive user


  # 989323 17-Feb-2014 23:04

richms: Can we just PM you our customer ID to get in on anything new and improved instead?


Not that simple as often documents need to be signed



2364 posts

Uber Geek

Trusted
Subscriber

  # 990057 18-Feb-2014 22:47
One person supports this post

ASBBank: ......Thank you again for all the frank feedback and comments on this thread, and we look forward to sharing the changes with you when we are able to.

- Fiona Colgan, General Manager Digital


Hi Fiona, thanks for the comments, I'm glad it's been brought to your attention and that you are looking to make improvements to simply using basic crypt.

Given the awareness should we expect your website to be updated to remove mention of case sensitivity being employed?




36 posts

Geek

Trusted
ASB

  # 990802 19-Feb-2014 22:13

insane: Given the awareness should we expect your website to be updated to remove mention of case sensitivity being employed?

Thanks for your question. That particular wording you’ve linked to in the first post on this thread actually refers to FastNet Business, our internet banking platform for business customers. Our website is correct - those passwords are case sensitive and should be 8-10 characters in length. Our primary focus in the programme mentioned above is on FastNet Classic.  We’ll keep you posted! Thanks - FC

3095 posts

Uber Geek

Trusted
Subscriber

  # 990850 20-Feb-2014 00:03

Talkiet: I raised the issue with Westpac a while ago and didn't let go... Their "security people" ended up staunchly defending the case insensitivity of their online banking passwords saying that it was "entirely secure"

I know all about how legacy systems can cause unbelievable password constraints, but I would have thought a bank might have the funds to sort it... After all, it's not like they are that poor.

Cheers - N


I've actually raised the issue with both ASB and Westpac before. I'm rather pleased to see ASB's response in this thread, since their response at the time was that it's not an issue because "we have 128 bit encryption" on the online banking pages, and Westpac responded that it doesn't matter since if anyone does steal my money I'm protected by Online Guardian and their Zero Liability policy (note: I've literally only ONCE been challenged by Online Guardian - it even ignored when I did a bunch of transactions in Australia despite never having left the country in my life!)

3295 posts

Uber Geek

Trusted

  # 990947 20-Feb-2014 09:47

Kyanar: I've literally only ONCE been challenged by Online Guardian - it even ignored when I did a bunch of transactions in Australia despite never having left the country in my life!

You'll probably find their algorithms are a bit more sophisticated than you think.

563 posts

Ultimate Geek


  # 990996 20-Feb-2014 11:08

kendog: Why do strong passwords matter when you only get four attempts to login before the access is locked?
My password is not strong, but I can't see how my banking is at risk.



I have to agree with 'kendog'; passwords need only be sufficiently entropic to withstand until brute force detection measures kick in (assuming these measures are adequately in place - i.e. unlikely to be guessed in 4 attempts).

Any backend use of these passwords (authentication / encryption) should be restricted to a sufficiently randomly individually salted derivative of the original password (i.e. a HASH).

That being said there's really no reason to limit passwords to the degree imposed by ASB (and apparently most banks) and "Password security is a complex area" is a decidedly non-answer by ASB especially in a technical forum like this with members working for telcos, banks, Govt agencies etc and understanding full well these 'complexities'.

I suspect the answer to be much more mundane along the lines of "that's all the plain-text fixed-length fields in our 50 year old COBOL system can handle"..

Also: +1 to 2FA





2457 posts

Uber Geek


  # 992041 21-Feb-2014 21:46
One person supports this post

kenkeniff:
kendog: Why do strong passwords matter when you only get four attempts to login before the access is locked?
My password is not strong, but I can't see how my banking is at risk.



I have to agree with 'kendog'; passwords need only be sufficiently entropic to withstand until brute force detection measures kick in (assuming these measures are adequately in place - i.e. unlikely to be guessed in 4 attempts).

Any backend use of these passwords (authentication / encryption) should be restricted to a sufficiently randomly individually salted derivative of the original password (i.e. a HASH).

I suspect the answer to be much more mundane along the lines of "that's all the plain-text fixed-length fields in our 50 year old COBOL system can handle"..



The issue is if you don't make them complex enough, you end up where people just reuse crap passwords everywhere and the whole storing them in plaintext thing doesn't help this (Or crap passwords like "password1" that are easily cracked if you don't use bcrypt/scrypt/PBKDF2) when sites get their login databases "stolen" and publicly dumped.


563 posts

Ultimate Geek


  # 992044 21-Feb-2014 21:54

kyhwana2: ...
The issue is if you don't make them complex enough, you end up where people just reuse crap passwords everywhere and the whole storing them in plaintext thing doesn't help this


 +1


(Or crap passwords like "password1" that are easily cracked if you don't use bcrypt/scrypt/PBKDF2) when sites get their login databases "stolen" and publicly dumped.


Which is why they should be stored as [SALT=HASH(RAND())] AND [HASH(SALT + "password1")]
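Written out as an added example (not from any poster in this thread, and not ASB's code): a per-user random salt plus a slow PBKDF2 derivation of the kind kenkeniff and kyhwana2 describe, with an optional case-folding flag so the effect of a case-insensitive policy on the search space can be measured. The parameter choices (SHA-256, 200k iterations, 16-byte salt) are my assumptions.

```python
import hashlib
import hmac
import math
import os

# Assumed storage parameters (my choice, not anything ASB or the thread specifies):
# PBKDF2-HMAC-SHA256 with a 16-byte per-user random salt and 200k iterations.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, case_insensitive: bool = False) -> dict:
    """Store [SALT=RAND()] and [HASH(SALT + password)], never the password itself.

    case_insensitive=True folds the password to lowercase before hashing, which is
    the policy the thread complains about: it verifies either case but shrinks the
    search space an attacker who steals the record has to cover.
    """
    if case_insensitive:
        password = password.lower()
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user, so equal passwords differ
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex(),
            "iterations": ITERATIONS, "case_insensitive": case_insensitive}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    if record["case_insensitive"]:
        candidate = candidate.lower()
    salt = bytes.fromhex(record["salt"])
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of search space for a fixed-length password over a given alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    rec = make_record("password1")
    print(verify(rec, "password1"), verify(rec, "Password1"))  # case-sensitive store
    folded = make_record("password1", case_insensitive=True)
    print(verify(folded, "PASSWORD1"))  # case-folded store accepts any case
    # 8 chars lowercase+digits (36) vs 8 chars mixed case+digits (62) vs 16 printable (95)
    for length, alphabet in ((8, 36), (8, 62), (16, 95)):
        print(length, alphabet, round(keyspace_bits(length, alphabet), 1))
```

The keyspace numbers make the thread's complaint concrete: an 8-character lowercase-plus-digits password is about 41 bits of search space, mixed case adds about 6 bits, and a 16-character password from the printable set is over 100 bits, which is what matters once a hashed database has been dumped and the four-attempt lockout no longer applies.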





16 posts

Geek


  # 992283 22-Feb-2014 12:32

ASBBank: We currently have a programme underway which will address many of the concerns raised here. At present we don't have concrete delivery timeframes that we can share with you, but we undertake to do this when we are able to. Password security is a complex area, and as it affects nearly all of our customers, we want to make sure when we introduce changes that we get it right ....


Although I do appreciate ASB's reply in this thread, it reads more like a typical PR response trying to downplay the seriousness of the underlying issue.

Just like kenkeniff suggested it is quite reasonable to believe that the ASB imposed limitation on passwords is based on the incapability of one of their internal systems.

ASB has been aware of this limitation ever since they introduced FastNet and BankDirect in 1997 and there is no excuse for ignoring this for such a long time.

ASBBank: We acknowledge that customers want to be able to use longer passwords and passwords that are case-sensitive. As a few of you have already pointed out, two-factor authentication is available either by SMS or token if you'd prefer an extra layer of security each time you log in ....


This is not just about what kind of password a customer can choose. The fact that ASB limits the length of passwords, which characters it contains and disregards case sensitivity indicates that it's very likely that the passwords are being stored in plain text on the backend.

This has much worse security implications than the complexity of a chosen password.

It is time that the ASB execs take this seriously and let the ASB IT team do their job. Waiting until a serious breach occurs or the media covers this will be more costly than allocating the resources needed to address this.

1990 posts

Uber Geek

Trusted

  # 992398 22-Feb-2014 16:59

nzkc: They're also restricted to 8 characters.  I brought this up with them on Twitter - got nowhere with them.


Apparently that is a limitation of their ancient core banking software as it has evolved over the years; apparently it can't be changed without a major system upgrade. Kiwibank have announced they plan to fully replace their core banking system, and have sparked comments that it's such a massive project it could kill a small bank like them if they get it wrong.

I think when I signed up with ASB the password had to be 8 characters, and could only be numbers or lowercase letters at that time.




Qualified in business, certified in fibre, stuck in copper, have to keep going  ^_^
