by xorgar831 3521 days ago
I've seen equally ridiculous web bugs: computing prices browser side in JavaScript, credit card numbers encoded in REST API endpoints, financial websites not supporting 2FA at all or mixing HTTP requests into the sites. We're solidly in the dark ages of web security still.

When I went to set up my online account for my old bank, I entered a randomly generated 16 digit key and got an error: "Maximum password length limited to 6 characters...only alpha-numeric"

I called to inform them that their account creation was broken, because obviously that was a bug. They told me that sometimes people have a hard time remembering their password, so they "need to balance between ease of use and security". My jaw dropped and my head rolled off my shoulders.

I didn't set up an online account.

It seems standard practice for German banks to limit online passwords to five alpha-numeric characters. Fortunately, you need a TAN number (generated by a device or from an SMS message) to actually make a transaction. I have no idea why they limit the password length like this.
I'm guessing it's five characters so people don't just use their four digit PIN. I don't have any explanation for why they would limit it to five characters though, or why it has to be alphanumeric.

That said, Comdirect seems to offer regular passwords or six digit PINs and Bank of Scotland (in Germany) seems to also offer regular passwords.

But there are plenty of other offenders. For example my energy provider E-wie-einfach requires a mix of alphanumeric characters but forbids pasting and autofill (the latter of which luckily Chrome simply ignores).

I don't know what idiot ever came up with the idea that disabling paste makes logins more secure (only justification I've ever heard was about preventing brute force attacks, proving an utter lack of understanding of the technology involved) but sadly it's still a thing and it still leads to people using trivial and easy to type passwords.

The justification is a rootkit which intercepts copy-paste but not the password field.
Sure, except then it would intercept the copy, not the paste. And it basically trades clipboard vulnerabilities for keylogging vulnerabilities.

A more realistic exploit is a Flash banner on another tab intercepting the password in the clipboard. This is why offline password managers automatically expire the clipboard though.

The danger of discouraging complex or long passwords is far greater than either of these two attacks, both of which rely on the user's system already being compromised.

Commerzbank actually uses 8 characters, but that’s still horrible.

Luckily, you can also require all transactions to be done via HBCI with proper security and a smart card for auth.

Heh, both my banks (Banco do Brasil and Santander) are worse. 6 characters, numbers only! "For my safety" they recommend not using my birthday - how thoughtful.
It's the personal identifier (Kinda like social security number I guess? You write it on every contract you sign basically) and a 4-digit pin here in Spain. Stupidly insecure.
But then you (you = any person) have to consider that it'll block after some tries.

It's different from a system that never blocks passwords, security questions, and so on.

Great, then it's a DOS attack. Unless it is limited per IP, and then it's not effective again if attacker has a botnet.
Attacker's first attempt has a nonnegligible chance of success. Attacker can just do one attempt against one account and move to attacking a different account after each failure.
It was a looong time ago, but I remember when some instant messenger application was found to be performing authentication client side -- i.e. "Hey server, I'm $user. I promise!" and you were in.

I want to say it was Yahoo Messenger but my memory could very well be lying to me.

WhatsApp used to use your device's MAC address for authentication. A quick screenshot of the victim's settings page would be enough to send and receive messages in their name. Since WhatsApp does not store messages after they have been delivered, the victim would never see the messages sent from his WhatsApp number (except when looking at the recipient's phone). You could, however, realize that your account has been hacked when you notice that some messages were not arriving (they would arrive at the attacker's client only, and WhatsApp will not transmit an already received message again).

The only fix was to buy a new phone and hope nobody would make a screenshot of your settings page again (or spoof your MAC address, which would not always work).