818
submitted 3 months ago* (last edited 3 months ago) by cron@feddit.org to c/cybersecuritymemes@lemmy.world

Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

you are viewing a single comment's thread
view the rest of the comments
[-] 9point6@lemmy.world 48 points 3 months ago

I know a bank with a 12 character max, no symbols password restriction.

Ridiculous

[-] nokturne213@sopuli.xyz 28 points 3 months ago

Mine does not allow spaces. They used to use a 4 digit pin as 2FA. Not a new pin you got every time you logged in, the same 4 digit pin.

[-] cynar@lemmy.world 15 points 3 months ago

A lot of bank computing is a complete clusterf@#k. Getting even basic changes and bug fixes requires it being signed off on by various regulators and committees. Apparently, 18 months for a 1 line change is normal. This has ended up with layers of new work being frankensteined onto older systems. E.g. Internet banking, for a long time, physically printed checks, via an automated machine, posted them, and then had them read in, via an automated machine. Hence why Internet bank transfers took 2-3 days.

I had issues with my banks truncating my password a while back. It only looked at the first 8 characters.

[-] AlecSadler@sh.itjust.works 11 points 3 months ago

One of my past banks used to be case-insensitive. They aren't anymore (as far as I know). Their name starts with Key and ends with Bank.

[-] ChickenLadyLovesLife@lemmy.world 2 points 3 months ago

My bank got busted a few years ago for cheating customers using their coin-counting machines. Literally nickel-and-dimed their own customers. They removed the machines and just threw loose cloth over the empty spaces - an ongoing testament to their shame, if they could feel shame, which they can't. Out of sheer laziness I'm still with them.

[-] SkunkWorkz@lemmy.world 1 points 3 months ago

Crazy that there are still banks that use a username and password for login.

[-] tfw_no_toiletpaper@lemmy.world 2 points 3 months ago

What else should it be, aside from additional 2FA?

[-] SkunkWorkz@lemmy.world 2 points 3 months ago* (last edited 3 months ago)

In my country all banks just use, instead of a username, the IBAN plus bank card serial number and they give their clients a hardware token that generates one time passwords. The client inserts their bank card into the hardware token then enter their PIN and gets the OTP to login. And when the client wants to make a transfer the bank generates a code that the client has to enter into the hardware token after entering their PIN to generate an OTP which the client uses to confirm the transfer. And if the client has the bank app installed on their phone the bank website generates a QR code which the client can scan with the app and then the client can login with their biometrics. Of course the client has to activate the app with the hardware token first.

This isn’t that much different from a username, password plus 2FA. But this way it takes out the weakness that is the client. This prevents the client from using an easy password or use a username and password that they use everywhere else. Old people don’t write down their password anywhere since there is no password. But they know their PIN by heart since they use it all their life. And it doesn’t rely on apps or SMS for 2FA. So people without a smartphone or even a mobile phone can still use it. Keyloggers are useless since the PIN is entered on the hardware token. Sure a sophisticated con is still possible but thefts like these https://appleinsider.com/articles/23/12/20/how-a-brazen-passcode-thief-used-stolen-iphones-to-rob-2-million where the thieves can drain a bank account if they just steal the phone and phone’s passcode and reset the 2FA are impossible.

The biggest weakness is ofcourse that if someone knows your PIN and obtains your bank card they can enter your bank account online. So the same security measure still applies with this that you should open a savings account at a different bank than your checking account.

[-] smeg@feddit.uk 1 points 3 months ago

I've seen plenty of UK banks use these card readers to authenticate transfers, but never just to log in

The biggest weakness is ofcourse that if someone knows your PIN and obtains your bank card they can enter your bank account online

So essentially it is 2FA, but the password is short enough to brute-force?

[-] SkunkWorkz@lemmy.world 1 points 3 months ago

No the card will disable it self after three failed attempts.

[-] smeg@feddit.uk 1 points 3 months ago

I assumed as the card readers and cards are both offline devices they wouldn't have a way to do this, are card blocks local in general?

[-] SkunkWorkz@lemmy.world 1 points 3 months ago* (last edited 3 months ago)

Modern cards have a chip inside them that’s basically a very tiny computer. It can check how many times the pin was incorrect.

[-] smeg@feddit.uk 1 points 3 months ago

That's pretty cool. I wonder what (if any) tinkering you can do with a card if you've got physical access and some very precise tools.

[-] SkunkWorkz@lemmy.world 2 points 3 months ago* (last edited 3 months ago)

Even if you could you can’t recover the PIN from it. Since it’s not stored on the card, the chip checks the entered PIN against a secret key with cryptographic calculations if it is correct. But you can’t get the PIN from that secret key. Also if I remember correctly the chip will self destruct, as in wipes it’s data, when it detects that it’s being tampered with.

[-] smeg@feddit.uk 1 points 3 months ago
this post was submitted on 18 Aug 2024
818 points (100.0% liked)

Cybersecurity - Memes

1975 readers
2 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS