[tialaramex]

In practice your bank password is indeed a secret, and that's a bad thing, because that above definition is wrong, which is why I prefer to think about the U2 lyric (from "The Fly"):

"They say a Secret is something you tell one other person, so I'm telling you, child".

The bank knows your password. Which means they (or more precisely their agents, employees, etc.) can lose it yet they'll probably try to blame you.

It is possible to not have this happen via what's called an Augmented PAKE - the bank wouldn't know your password, but they'd be able to check you still remembered it - however almost certainly none of the systems you use today do this.

[coldtea]

>The bank knows your password. Which means they (or more precisely their agents, employees, etc.) can lose it yet they'll probably try to blame you.

Normally banks can't and shouldn't know the password in most jurisdictions. It does pass to their server, but they're supposed to only store a hash of it, so not be able to know what it is.

But if anybody makes this BS argument, just ask them for the credit card number and the 3 digits on the back of the card, telling them you will post it online.

[joebob42]

Don't they usually store a hash of it? And doesn't it therefore for the most part work exactly the way you say it ideally should?

Of course leaking the hash of my password might make it easier to crack, to some extent, but if they've done a good job then this is much better than it being something the bank can trivially lose.

[tialaramex]

> Don't they usually store a hash of it? And doesn't it therefore for the most part work exactly the way you say it ideally should?

Putting aside the banks who literally do store the password because they have security procedures like "Please enter the first and fifth characters of your password" even those that do store a password hash still need you to submit your password to authenticate.

So, like the lyric says, you tell the bank your password. You hope they just use it to authenticate you and immediately discard it, but if bank security lapses are anything to go by they're probably logging it "for security" and there are definitely employees able to snoop the decrypted plaintext passwords from customers on some internal teams.

That is what Augmented PAKEs fix, it's really hard to do well, and of course banks see themselves as infinitely trustworthy so why would they bother.

This mistaken sense of self-worth applies to your credit card PIN by the way also, of course banks and thus bank employees can know your PIN, which means when a purchase is "secured" by the PIN that rules out some local pickpocket having made the purchase, but as well as you it leaves open the possibility that it was a bank employee or their co-conspirator.

[u801e]

> Don't they usually store a hash of it?

Any bank that restricts which characters one can include in a password probably doesn't store a hash of it.

[shkkmo]

This is completely false. You validate any password requirements before salting and hashing the password and then store the salt and hash. Even if you restrict usage of previous passwords, you are just comparing hashes.

[u801e]

If the bank is indeed salting and hashing the password, then what's the rationale of allowing certain special characters like '!', but not '+'? Hashing and salting should be character agnostic.

[Xorakios]

Some special characters are not processed as one might expect, particularly by implementations of languages such as COBOL, which is still used on the server side by many banks, insurance companies and government agencies where consistency is paramount.

"#" can mean phone number "+" or "&" can mean concatenate variables

It is vastly easier to screen out possible problems at the user/browser level than rewrite zillions of lines of legacy code.

[jimmydorry]

Except you are giving them the password and trusting them to discard it after validating it. If it's purely client side, then the bank is trusting you to follow the password requirements which is also out of the question.

[shkkmo]

Whether hashing is happening client side does tell you a little, though in most cases most users are still trusting the client side software to not exfiltrate the password before hashing it.

Even with Client side hashing, the software can still validate password requirements on the client side, you may be able to bypass those requirements by modifying the client side software.

So still no, having password requirements tells you nothing about whether the password is being stored in the clear or not. The statement that I disagreed with is still completely false.