by jnbiche 4416 days ago
>Bank security systems are designed and administered by people of the same calibre who design and administer many startups, including crypto-currency products.

Then why is it that I have frequently run across banks requiring a maximum 6- or 8-character password, and have never run across a startup -- Bitcoin or not -- with such poor security requirements?


Which banks specifically secure online data only using a 6 character password?

Most banks, if not all, have BSI ISO27001 security certification and are accredited and administered by the pinnacle companies of the security industry.

For comparison; HN has a multitude of threads listing the outrageous security practices of many crypto-currency related companies, some beyond start-up.

You seem to think banking security is simply a bunch of guys in suits simply having a crack with a copy of ZoneAlarm and Kaspersky. Classic them v us ideas with a touch of Dunning-Kruger thrown in.

Yes and no; while the banks have avoided widespread compromise, they often have weird password requirements or ham-fisted attempts to secure users' PCs with crapware like Trusteer Rapport: http://www.pcpro.co.uk/realworld/359617/is-hsbcs-security-so...

For a while Santander's login system redirected my wife's account to a page with an expired HTTPS certificate.

Then there's fun things like playing tetris or MITM attacks on the Chip and Pin terminals: http://www.saardrimer.com/sd410/pres/showandtell08.pdf

(Obviously mtgox is worse, but my point is that banks tend to a proceduralist cargo-culty approach to security).

That is a nice link to the chip and pin compromise, although APACS did cover it:

>> We believe that the risk remains very low. [This attack] is significantly difficult to industrialise to the numbers of devices that would gain criminals the return they would expect and, therefore, not economically viable to criminals.

I am not saying banks are perfect, no organisation is, but they are certainly not just old men in conference rooms wondering what the little 1's and 0's mean. Some bank security consultants are the best penetration testers in the world.

Where did I say anything about bankers sitting around with a copy of Zone Alarm? That comes entirely from your own imagination, as did your ad hominem attack.

The only thing I mentioned was the verifiable fact that some banks limit passwords to 6-8 characters, also detailed in a multitude of HN threads.

Often the problem is legacy systems. Startups usually don't have big and old mainframes dealing with huge volumes of transactions; they can just build the authentication system from scratch or use a modern library.

A 6-character password is only insecure if you have unlimited attempts to guess it. If an attacker is blocked after something like 10 attempts, a 6-character password really provides all the security you need.
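The numbers behind the lockout argument, as an added example that is not part of this thread: a small Python calculation of the size of a 6-character keyspace, the fraction of it an attacker can cover per account under a lockout policy that resets after a fixed time, and, for comparison, how long the same keyspace lasts against offline guessing if the stored hashes were ever obtained. The alphabet size, lockout parameters and guess rate are assumptions chosen to illustrate the arithmetic, not figures from any bank.

```python
# Added example: arithmetic behind "short password + lockout" (not from the thread).

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def guesses_under_lockout(attempts_before_lock: int, lock_minutes: int, days: int) -> int:
    """Online guesses an attacker can make against ONE account over `days`
    if the account locks after `attempts_before_lock` failures and the lock
    clears after `lock_minutes` (assumed policy: lock resets automatically)."""
    windows_per_day = (24 * 60) // lock_minutes
    return attempts_before_lock * windows_per_day * days


def online_success_probability(alphabet_size: int, length: int, guesses: int) -> float:
    """Chance that `guesses` distinct online attempts hit a uniformly random password."""
    return guesses / keyspace(alphabet_size, length)


def offline_half_keyspace_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected seconds to find a password by offline search at a given rate
    (half the keyspace on average); no lockout applies once hashes are offline."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


if __name__ == "__main__":
    # Constructed parameters: 62-character alphabet (a-z, A-Z, 0-9), length 6,
    # lock after 10 failures, lock clears after 30 minutes, attacker works for a year.
    size = keyspace(62, 6)
    yearly = guesses_under_lockout(10, 30, 365)
    p_online = online_success_probability(62, 6, yearly)
    # Constructed offline rate: 1e9 guesses/s against a fast unsalted hash.
    t_offline = offline_half_keyspace_seconds(62, 6, 1e9)
    print(f"keyspace: {size:,}")
    print(f"online guesses per account per year under lockout: {yearly:,}")
    print(f"probability of guessing one account in a year: {p_online:.2e}")
    print(f"offline search at 1e9 guesses/s: {t_offline:.1f} s on average")
```

The two final lines show why the lockout argument depends on the threat model: against online guessing the lockout keeps the per-account success probability in the parts-per-million range, while the same keyspace is exhausted in seconds once the attacker is guessing offline, which is where hash strength and salting, not the login counter, do the work.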