I'm not so sure anymore about the password length limitations (or any other weird password requirements for that matter). For the longest time I was wondering why my bank would ONLY allow a 5 digit password, alphanumerical only and it MUST contain at least one letter as well as one number, while they let you choose your own username completely free of any restrictions, including special characters. After thinking about it for quite some time, I remembered all these sites where your password had to be at least 6 characters (now 8 seems to be a general minimum). By forcing users to use EXACTLY 5 characters at least you cannot use the SAME password you're already using for your mail and whatnot, except for the fact that there is nothing preventing you from simply dropping the last character (but you sure would NEVER do that, would you ;-), assuming of course you already have letters as well as numbers within the first 5 characters. While 5 characters seems extremely weak, if you get it wrong 3 times, your account is locked. Locked as in "you have to call them and identify yourself with A LOT OF DETAILS about your account and transactions" to unlock it and reset your password. I have no idea how they store passwords and it doesn't really matter to me, while it probably should. They are a BANK and if they get hacked and their customer password database gets compromised, I am sure they will have worse problems to take care of. What I would really like to see is their evaluation of security versus added support work for locked accounts.
80% of the customers getting locked out of their bank accounts at 5 PM on a Friday only happens once before the bank changes policies to something that allows the attackers to perform a rate-limited attack on the 5-character passwords. The new lockout policy goes into effect before the bank can force everyone to upgrade their passwords.
GAME OVER
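The trade-off both posts circle around, as an added example that is not from either poster: a per-account progressive delay instead of a hard 3-strike lockout, so an attacker hammering a login cannot lock the real customer out for good, while the number of guesses the throttle permits per day stays tiny next to the 5-character alphanumeric keyspace. The `Throttle` class, its parameters and the case-insensitive 36-symbol alphabet are assumptions for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Throttle:
    """Progressive delay per account (assumed policy, not the bank's)."""
    base_delay: float = 1.0      # first failure: wait 1 s
    max_delay: float = 3600.0    # delay saturates at one hour
    failures: dict = field(default_factory=dict)       # account -> consecutive failures
    blocked_until: dict = field(default_factory=dict)  # account -> epoch seconds

    def delay_for(self, n_failures: int) -> float:
        # 0 failures -> no delay; then 1 s, 2 s, 4 s, ... capped at max_delay
        if n_failures == 0:
            return 0.0
        return min(self.base_delay * 2 ** (n_failures - 1), self.max_delay)

    def attempt(self, account: str, password_ok: bool, now: float):
        """Return (accepted, seconds_to_wait). Never locks an account permanently."""
        until = self.blocked_until.get(account, 0.0)
        if now < until:
            return False, until - now          # still in the back-off window
        if password_ok:
            self.failures.pop(account, None)   # a real login resets the counter
            self.blocked_until.pop(account, None)
            return True, 0.0
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        wait = self.delay_for(n)
        self.blocked_until[account] = now + wait
        return False, wait

    def guesses_allowed(self, window_seconds: float) -> int:
        """Worst case: how many wrong guesses fit in a window against one account."""
        count, n, t = 0, 0, 0.0
        while t < window_seconds:
            count += 1
            n += 1
            t += self.delay_for(n)
        return count


def five_char_keyspace() -> int:
    # 5 symbols from [a-z0-9] (assumed case-insensitive), at least one letter and one digit
    return 36 ** 5 - 26 ** 5 - 10 ** 5
```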