by DomBlack 4421 days ago
It always concerns me when big companies like this do weird things when it comes to passwords. Why do banks, for instance, have stupid password requirements: max lengths, disallowing certain characters, etc.?

Surely if they are hashing the passwords in any form then it doesn't matter how long the password is or what characters it contains.

I understand perhaps the view is some people are not good at remembering passwords and so would forget a complicated password - but they are unlikely to use a long password or special characters if that's the case.

Or am I just missing something major here?


The last bank backend I worked around was composed of several interacting systems, written 30 or 40 years ago in COBOL, which ran batch jobs overnight and communicated with each other by writing files to disk. We were strongly encouraged to get the format of the file exactly right, or the batch job in question wouldn't run and nobody would be able to sort it out until morning. Passwords weren't involved but, if they had been, I am quite sure they would have been stored verbatim.

So, two problems: multiple interacting systems, which means you can't just fix one, you have to fix all of them; and lots of legacy code. Versus: there would certainly be quite a lot of pain to implement a new system, and the old one appears to be working.

So it's a problem where the system must be kept up running no matter what and refactoring everything might cost more than having some security threats? Or is it just plain greed and "while it's working now, why fix it?" kind of thing.
> ... stupid password requirements; max lengths ...

> ... if they are hashing the passwords in any form then it doesn't matter how long the password is ...

Max lengths aren't inherently stupid. Presumably no one thinks 250MB password submissions should be handled, so you will be picking some number (possibly imposed on you by your stack).

A 250MB request should get blocked by your web server way before it touches your code or your database.

But yes, you're right, limiting passwords can help avoid edge cases where a long password is not handled correctly, etc. Just pick a sane length that no-one will hit, like 1000 chars or more.

English has at least ~0.6 bits of entropy per character, probably (much) more, depending. (Got that from Wikipedia, so don't know how accurate that is)

So even if you are using an English passphrase, the logical upper bound for a max password length is ~1.7x the length of the hash you use.

If you're hashing it who cares if someone wants to submit a 250MB password? They'll only be slowing their own session down - what I store in the database is always 256 bits either way.
Because your app has to load it all into memory. Submitting many very large payloads is a well-known denial-of-service attack.
Like a good developer, you run passwords through a slow hash function. This leaves you vulnerable to denial of service by wasting CPU hashing huge passwords: http://arstechnica.com/security/2013/09/long-passwords-are-g...
Predictably this just regresses to what constitutes a big number. Take your pick for one that would cause noteworthy resource consumption in a given system.
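The sub-thread above argues for a sane maximum password length enforced before the slow hash runs. The following is an added example, not code from any commenter: a server-side check that measures the password in UTF-8 bytes, rejects oversized input before any expensive work, and only then runs a deliberately slow key derivation. The 1000-byte limit and the 100,000 PBKDF2 iterations are assumptions for illustration; PBKDF2 stands in for the scrypt/bcrypt-style KDF the thread discusses because it ships in the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Upper bound on a password, in bytes after UTF-8 encoding.  Assumed value
# for this example, following the thread's "1000 chars or more": far above
# anything a person types, small enough that the slow KDF below cannot be
# turned into a CPU-burning denial of service.
MAX_PASSWORD_BYTES = 1000

# Work factor for the slow KDF.  Assumed value; a real deployment tunes this
# (or uses scrypt/Argon2) so one derivation costs a noticeable fraction of a
# second on the server hardware.
PBKDF2_ITERATIONS = 100_000


class PasswordTooLong(ValueError):
    """Raised before any expensive work is done on an oversized password."""


def check_password_length(password: str) -> bytes:
    """Encode the password and enforce the byte limit.

    Counting bytes rather than Python characters closes the edge case where
    a non-ASCII password passes a character count but is two to four times
    larger on the wire and as KDF input.
    """
    encoded = password.encode("utf-8")
    if len(encoded) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(
            f"password is {len(encoded)} bytes; limit is {MAX_PASSWORD_BYTES}"
        )
    return encoded


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a 32-byte hash with a slow KDF, returning (salt, digest).

    The length check runs first, so a huge submission is rejected in
    microseconds instead of occupying a worker thread for seconds.
    """
    encoded = check_password_length(password)
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", encoded, salt, PBKDF2_ITERATIONS, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-derive and compare in constant time.

    An oversized candidate is simply treated as a wrong password; it never
    reaches the KDF, so it costs the server almost nothing.
    """
    try:
        encoded = check_password_length(password)
    except PasswordTooLong:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", encoded, salt, PBKDF2_ITERATIONS, dklen=32)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    import time

    salt, digest = hash_password("correct horse battery staple")
    print("stored digest is always", len(digest), "bytes")

    # Constructed oversized input: 2000 ASCII bytes, well over the limit.
    start = time.perf_counter()
    rejected = not verify_password("x" * 2000, salt, digest)
    print("oversized password rejected:", rejected,
          f"in {(time.perf_counter() - start) * 1e6:.0f} microseconds")
```

Whatever the web server's request-size limit is, the application-level check is the one that keeps the KDF's cost bounded per request, since that limit is usually far larger than any sensible password.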
I think you failed to understand the second point you quoted.

A 250MB password should be perfectly valid (if a bit foolish on the customer's part). That 250MB password will be run through scrypt by javascript running on the browser. (That may take a while, and a large amount of memory, but this is part of the CUSTOMER'S stack, not the server's.) Some amount, perhaps 512 bits worth, is then passed to the server. (Where it is run through another hash and then stored.)

It's not at all common or best practice to run an expensive key derivation function browser side. Doing so adds little to no additional security -- if you don't trust the TLS channel then you are screwed any way you look at it.
It's not common, but running an expensive KDF client-side still greatly slows down a brute force attack if the password hashes are stolen, without increasing load on your server. The fast one-way function run server-side then prevents the client from being able to submit a stolen hash, forcing an attacker with a list of stolen hashes to perform the full expensive brute-force attack.
> That 250MB password will be run through scrypt by javascript

No, it will not. Nobody does this.

I didn't fail to understand it. Doing that clientside in JS is an anomaly.
In the 1980s I don't think hashing passwords was common, it would have taken too much processing power, and the database fields on the mainframe don't support weird characters or a length of more than 8 characters.

I wish this wasn't the case, but these systems are so old behind the scenes that lots of it simply can't be changed without massive re-engineering. I have friends that work for a company that transfers COBOL applications from mainframes to JVM COBOL running on standard servers; it's a massive task, and takes years and lots of money.

It will take these organisations years and lots of money to rebuild their reputations when their security malpractices catch up with them.
I would love this to be true, since it would basically double my net worth, but it's very rare for a security incident to kill a company. Target is the exception, and just required two human sacrifices.
It was standard to hash passwords in /etc/passwd back in the 1980s.

Still, when your PIN code is limited to 1 million combinations, all the hashing in the world isn't going to save you. You need to keep your DB secure, no matter what, and that's where resources were applied.

Some of this kind of system won't actually hash the password but encrypt it and use an HSM to secure the keys.

Wherever you see a password prompt where they ask for specific characters of the password, they're either doing this or (shudder) storing it in the clear.

Ditching symbols makes reciting passwords easier for telebanking.
Telebanking should use a completely different password.
What if the password is one character long?
DomBlack is referring to max length. For example several banks limit you to a 12 character long password and then don't allow special characters.
If a bank uses passwords at all, it's a big red sign that they only care about the appearance of security. A password does not strongly identify a person, and should not be used for anything that involves high-value and easily stolen property.

Most banks I know use a PIN and either a hardware token or a bound smart phone. It's far from perfect, but at least someone has to steal a physical object or hack the phone system to start their brute-force attacks.

"Most banks you know"? I'm genuinely curious, I don't know of any bank like that in Canada, and I'm in the US weekly and I've never heard or seen it there. I've seen token generator keychains, but what do you mean about the phone?
"what do you mean about the phone"

Both my personal use credit union, and the bank my volunteer gig uses, have an outsourced authenticator who logs the IP addresses I use, and if I'm attempting to log in from a new address they SMS or voice call a number on file with a six digit number I type in to authenticate the new device. Neither the CU nor the bank have anything to do with each other, but they use the same system, so I'm guessing it's some kind of nationwide outsourced system that "many" financial institutions use.

Still have to enter your password to verify it's me on my computer today, and not my kid screwing around on my computer; they only SMS authenticate perhaps once a month.

The same outsourcer apparently does password recovery when you get locked out. The bank requires full password recovery process if you don't log in for 45 days, which is an unholy annoyance for a sleepy volunteer org. The life of a treasurer is never easy I guess.

It's moderately annoying as my phone lives on its charger in the bedroom if I'm at home, and the desktop in the office is at least a 75-foot walk away, so when the authentication service feels like pulling my chain, I swear a lot and make a trek and inevitably the login times out so I have to start all over again once I fetch the phone. Which fits in with stereotypical security theater: you "win" if you make it inconvenient, no need to actually make it secure.

(edited to add I live in the USA, upper midwest, vaguely near Chicago, everyone else responding is at least 4000 miles away, I interpreted your request as how they use phones to auth in the USA, so, well, this is how they do it)

In Brazil, most banks use two-factor authentication in some form for internet transactions.

One of my banks gives me the option to receive the code through SMS, generate it through a phone app or with a dedicated keyring token. This is an option I can make at transaction time.

The other requires me to authenticate each new machine I login from, through an SMS. A bit less secure.

Biometric authentication is also a thing. The biggest banks already have some form of it (fingerprint or hand palm), and I can even make transactions w/o a card, using only fingerprint and password. Actually, I only carry credit cards nowadays; the bank account card stays at home and I use my fingerprint to withdraw.

I've been online banking in Norway and Sweden since 1999 and I've never seen a bank that just uses passwords.

For phones you download an app and enter a unique security code that you get from your bank. This, combined with some uid on your phone, creates a unique salt and basically ties that copy of the app on that phone to your bank account, so only your phone can log into your account. Your phone now becomes the "something you have" in addition to the "something you know" (your chosen bank password)

Every Swiss bank I have accounts with (Credit Suisse, Postfinance, Raiffeisen) has internet banking protected with two factor authentication. The second factor can either be a chip card with a reader (protected by a PIN, and you then enter a code shown on screen and it returns another number), an SMS token or an iPhone app which reads a picture of the screen (!) and returns another token number (with an SMS token fallback).
It's pretty standard in the UK
None of my personal accounts in the UK use two factor authentication. Same goes for the majority of friends and family.

Only one (former) account ever did this, and it was only used when adding new payee records. It used EMV CAP (http://en.wikipedia.org/wiki/Chip_Authentication_Program) with a separate smartcard (not my EMV compliant debit card).

All of my business accounts offer two factor authentication, recently shifting from SecurID-style TOTP tokens to EMV CAP authenticators.

Barclays bank uses two-factor authentication for logging into their online banking (using your card, so that you have to enter your PIN for your card on the little authentication machine to get a code to log in), although you can also set up a PIN to log in without it (I haven't bothered - it's safer not to, right?!). You also need your membership number and a memorable word AND a number as far as I can remember (I do it automatically now).

They also require this authentication step to be carried out for sending money to someone else online for the first time. They also require you to enter your PIN against your card using the same mechanism when you go into a branch, as they cannot access details about your account without you doing it. I suspect it stopped people mugging others and then walking in saying "Can I withdraw £100 on this account here please?" with the card they'd just pinched.

The Barclays one is called PINSentry and they've had it for nearly 10 years I think? My device still hasn't run out of battery (it gets switched on when you insert your card).

My wife is with Natwest I think and she needs the little card device for setting up new payments but logging in does not need it.

NAB (National Australia Bank) require a bound mobile phone for a lot of operations. It's a real pain, given that I now live overseas.
I don’t have a mobile phone; my experience with NAB’s Internet banking is that there are a few things which want that, such as viewing or changing daily limits, but so long as you never set up SMS Alerts just about everything else is fine. I don’t believe I’ve ever run into any problems with them due to not having a mobile phone. If you’ve already set up SMS Alerts, I don’t know what the situation is.
Do you not have to confirm outgoing wire transfers by inputting a code sent to your phone?
Americans don't do wire transfers, they write checks. The level of kidding in the previous sentence is extremely low.
Wire transfers tend to have a $35-$50 fee and require you to schlep down to the bank during business hours and fill out annoying paperwork. So, yeah, we don't use them except in emergencies.
Do we have a misunderstanding of the meaning of "wire transfer" here? Surely you can just send money to someone else's account through the bank's internet banking website?

How else do you pay for stuff like rent, and, well, anything, really?

I believe you're in the UK, but no offense intended if you're not. As an actual American I only write about three or four checks per year; everything else is online.

We do pull and push.

Pulls are an unholy PITA to set up where you give them all kinds of personally identifiable information which they hopefully won't lose, then they make multiple couple-cent deposits to your account, then you tell them what the amounts were and they tell the bank, which creates a certain relationship which in the future is very historical-trust based. So click here on your car insurance site to make your biannual car insurance payment exactly like the last 20 payments (well, slightly different amounts, but ...). Ditto the mortgage website, the electric bill, a couple others. Basically very long term relationships; I'm unlikely to just randomly stop paying the monopoly electricity provider. This is a direct acct to acct transfer.

Pushes are easy to set up but more of a pain to use on a monthly basis. No one has control over pushes other than yourself. You send money to a postal address, and who knows what they do on the back end, individual old fashioned checks or batch up or wire transfers who knows. This is more for credit cards or temporary less formal associations. You go to your bank website, tell them the postal address (they'll save it for later use) tell them how much, click send, off it goes.

Speaking generically, most USA people use credit cards or paypal or the zillions of small time competitors when someone wants money from them, and they interface with the bank for you. So Paypal can eat money directly out of my checking acct to send cash, up to certain limits. This is vaguely ATM like, sort of a web interface to an ATM. Or it just gets added to the CC balance. So it would be really weird for me to pay directly for gasoline or even food; I generally CC that, and then send one very large "push" bill payment from the bank to the CC per month.

So Americans mostly do electronic pushes, pulls, and aggregators online, although we do have checks for non-electronic people.

I write a check to the school district for book + other fees, like $50 per year per kid. Technically it's illegal to demand payment for free public schools but the PTO spends it on "free" after school activities so it's kind of a donation and I think we get our money's worth. Also my wife buys an organically grown fraction of a cow from a local farmer every year or so, and the butcher shop takes electronic for processing but the old school farmer still does paper checks. Some tradesmen (plumber, carpenter) only take old fashioned paper checks, although that is very rapidly changing as they all get smart phones. I switched to a CU probably 7 to 10 years ago and since then I've written a couple dozen checks total; I'd have to find it to verify because I keep it locked up.

Some really old people, like non-computational, obviously write a lot of checks. I have an elderly uncle who had to pay an extra bank fee for writing more than two dozen a month, which seems weird to me.

Poor people with serious legal / financial issues are unbanked and mostly go pure cash. There's a whole industry grown around ripping off those people when they try to interface semi-legally with the financial system. This is probably less than 1/4 the population. Like if you owe child support or a court judgment, all your electronic money will simply disappear, but not your cash, leading to some peculiar behaviors.

Wow, this sounds insane. Here in the UK they have recently improved the electronic transfer system so that money appears in the other account (clears) in 2 hours or less (practically instantly for accounts at the same Bank). I do not know whether large bank transfers using BACS or CHAPS incur a fee but most people happily send money to other people electronically as few people have cheques anymore. The banks seem to have stopped issuing cheque books, and no shop that I know of will accept them, so it effectively killed cheques. The older generation probably struggle without them.

They have recently pushed out the mobile payment system called PAYM (someone obviously got paid a fortune to think of pay + mobile, eg. pay + m ... . . paym) where you can send money to anyone else with their mobile number. They need to have registered their mobile number with their bank for this to work (and not all banks have signed up to the system) but it should make sending money really easy.

People seem to use Paypal a lot for sending money around but they're greedy with fees so I am keen for this PAYM system.

A pin is just a very short password. A bank using only a password would of course be ridiculously negligent. All banks I'm familiar with use 2 levels of authorization: 1 to log in, 1 to authorize payment.

I have 2 bank accounts. One with ING (a major Dutch/international bank), which uses a password (without special characters unfortunately) to log in, and an authorization code to authorize payment. In my case, that authorization code comes from a piece of paper with a bunch of one-time codes on it. This is an old system that dates back to when you called them directly by modem, rather than over internet. Nowadays I could also have the code sent to my phone. But phones can also be stolen, so I don't see the point.

My other account (at Triodos, a much smaller Dutch bank) uses a PIN + hardware token at both stages. I wouldn't mind also having a ridiculously long password there.

All of the bank accounts I have in Canada let me send $2000 with nothing but a password. They also won't let me use non-alphanumeric passwords and don't support any two-factor authentication. Same in the US.

Of course, if anyone did try to steal my money this way, the bank would reverse the transfer and give it back to me.

Sounds very insecure for a bank. Will they really automatically reverse any transfer you object to? What if they don't control the target account? What if there's no money on the other account anymore? What if it was a legitimate payment, you got what you ordered, and then you had the payment reversed?

I see a big hornet's nest of potential problems in a system like that.

I guess they try to pull it back and if it's not possible they eat the cost. I imagine any bank that tried to force people to use 2FA and/or get rid of the zero-liability policy would lose a lot of customers.
Not in the US. Not one of my banks or other finance-related websites uses two-factor authentication by default. I haven't looked to see if any offer it as an option, but I tend to doubt it (it certainly isn't advertised).
The US's personal banking industry is like 20 years behind the rest of the developed world. Not sure why, probably because the banks have all the money to lobby to keep things the same.
> The US's personal banking industry is like 20 years behind the rest of the developed world

People say Canada is a half-generation behind the US in banking innovation, which is generally in Canada's best interest. They've never had a banking crisis.

> Not sure why, probably because the banks have all the money to lobby to keep things the same.

This response is worse than wrong, it's assuming bad intentions.

For personal accounts, banks are responsible for your money, even if the hackerz keylog your password and log on as you and steal your money. US banks already have all the incentive in the world to drive down fraud on personal accounts, and yet they seem to have decided it's not worth the time and money to clamp down on it.

Most likely it's because there are always other ways of fighting fraud. The US banking system is full of reversible transactions. From the outside, it sure seems the best use of limited resources is to choke the irreversible endpoints.

> The US's personal banking industry is like 20 years behind the rest of the developed world

>> People say Canada is a half-generation behind the US in banking innovation, which is generally in Canada's best interest. They've never had a banking crisis.

The financial crises in the US have all been caused by investment banking; innovations in retail banking are unlikely to ever cause a financial crisis.