by walrus01 2663 days ago
You think that's bad, there's major Canadian banks where the password for your online banking account can't be longer than 8 characters or numbers, can't contain punctuation marks, and is stored in plaintext on their backend.

Edit: oh yeah, I forgot, it also doesn't recognize case sensitivity. A = a

I'm assuming they're storing them in all caps, 8 character length database fields on a monstrous ancient mainframe software application.

5 comments

For what it's worth, such password schemes usually include lockouts after small-N tries to prevent the passwords from being brute-forced from the outside, and an attacker with database-level access is probably going to use it not to compromise passwords but to directly change balances.

Not to excuse such password schemes - they're horrible, and banks need to get with the times - but if they were really so ineffective, their coffers would have been drained long ago.

Full write access to a database is a totally different thing than reading out the plaintext passwords or getting a leaked dump of the data. Perhaps a mishandled backup.
Which is one of the reasons why these schemes are horrible. But the point remains that banks are afraid of database leaks for other reasons.

Maybe think of it like this: imagine that you have an airgapped system where all the endpoints are running Windows XP (reasoning being something like hardware drivers that were written by defunct companies and can't / won't be upgraded). Is it horrible that such machines are running unsupported, EOL versions of Windows? No question. But if there are other controls in place (like airgapping, like 24/7 physical access control to the endpoints), it might still be possible to provide de-facto effective security.
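As an added illustration (not code from anyone in this thread, and not any bank's real implementation), the following constructed model applies the scheme described in the original post, at most 8 characters, letters and digits only, case-insensitive, and the small-N lockout the reply above relies on. It shows how much the folding collapses the keyspace and why an online guesser still runs into the lockout long before that keyspace matters, while a leaked plaintext column has nothing left to crack. The limits and the lockout threshold are assumptions taken from the thread.

```python
import math
import string

# Constructed model of the scheme described in the thread (an assumption,
# not any bank's real backend): max 8 chars, A-Z and 0-9 only, case folded.
MAX_LEN = 8
ALPHABET = string.ascii_uppercase + string.digits


def normalize(password: str) -> str:
    """Fold a user-supplied password to what such a backend would store:
    upper-case it, drop anything outside A-Z/0-9, truncate to MAX_LEN."""
    folded = "".join(ch for ch in password.upper() if ch in ALPHABET)
    return folded[:MAX_LEN]


def effective_keyspace() -> int:
    """Number of distinct stored values the folded scheme can ever hold
    (every length from 1 to MAX_LEN over a 36-symbol alphabet)."""
    return sum(len(ALPHABET) ** n for n in range(1, MAX_LEN + 1))


def entropy_bits(keyspace: int) -> float:
    """Search space expressed as bits, for comparison with a modern policy."""
    return math.log2(keyspace)


class LockoutPolicy:
    """Account that locks after `max_tries` consecutive failed logins.
    This is the compensating control the reply above describes."""

    def __init__(self, correct: str, max_tries: int = 5):
        self.stored = normalize(correct)   # plaintext, as the thread alleges
        self.max_tries = max_tries
        self.failures = 0
        self.locked = False

    def attempt(self, guess: str) -> str:
        if self.locked:
            return "locked"
        if normalize(guess) == self.stored:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_tries:
            self.locked = True
            return "locked"
        return "denied"


def online_brute_force(policy: LockoutPolicy) -> int:
    """Count how many guesses an outside attacker gets before lockout.
    Guesses single-character passwords in alphabet order; the point is
    the budget, not the guesses."""
    tries = 0
    for ch in ALPHABET:
        result = policy.attempt(ch)
        tries += 1
        if result in ("ok", "locked"):
            break
    return tries


if __name__ == "__main__":
    # Two visibly different passwords collide after folding.
    print(normalize("Tr0ub4dor&3"), normalize("tr0ub4do"))
    print(f"folded keyspace: {effective_keyspace():,} "
          f"(~{entropy_bits(effective_keyspace()):.1f} bits)")
    print(f"12-char printable ASCII: ~{entropy_bits(94 ** 12):.1f} bits")
    print("online guesses before lockout:",
          online_brute_force(LockoutPolicy("Correct-Horse")))
```

The numbers make the reply's argument concrete: roughly 41 bits of search space is weak against anyone holding the plaintext column or even a hash of it, but an outside attacker limited to five guesses per lockout never gets anywhere near it. The folding also explains the thread's "A = a" observation, since any case variant of the same 8 alphanumerics lands on the same stored value.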

Not quite as bad but I got a letter recently from something bank-ish (huge, international, traditional) that contained some serious admonitions including one about never using password managers or writing down the password in any way, concealed or not didn't matter.

I have problems taking any security advice seriously from such companies after that but since I fully expect them to use it against me if I ever have to file a fraud complaint I guess I'll have to deal with it - and get another account with a company that isn't braindead when it comes to security.

Seems to be continuing the pattern of shifting responsibility. 20 years ago, we had 'bank fraud', but now much of that same activity is 'identity theft'. This shifts the burden from 'their' problem to 'my' problem.

Yeah...I’m with one of those banks. It’s really bad.

But hey they require security questions!

It’s 2019, how can this be...

Sounds like a mainframe-based limitation. Our mainframe behaves exactly like that.

I never realized that my bank (Desjardins) was not recognizing case sensitivity.

Do you have a source about the plain text passwords claim? I won't even be surprised if that's true.

From people I know who've interacted with the customer service representatives, in particularly weird/complicated situations once you've reached the second or third tier of people who resolve unusual problems, and authenticated yourself, it's possible to get them to read back your own password to you.