WellsFargo Ignores Case Sensativity on passwords
To everyone who has a WellsFargo bank account: Call up their online banking and talk to a representative and ask for a FREE RSA token to add 2 factor authentication to your bank account.
Wells Fargo DOES NOT respect case sensitivity in passwords. ABC123 is the same abc123, your password strength is getting cut in half. Call and demand a free token - # is 1-800-956-4442 . Go to Account Services -> My Profile -> Managed Advanced Access and order the RSA token. Once you do tell them you want the charge waived.
After calling them and getting a call back from their IT department, they are aware of this and have no immediate fix planned.
11 comments
[ 2.9 ms ] story [ 39.7 ms ] threadThe importance of case sensitivity is dramatically overblown. An appropriately long password is still just as safe regardless of case sensitivity.
http://en.wikipedia.org/wiki/Password_strength#Random_passwo...
If you examine the length versus entropy chart you'll notice that you get identical results with only 2 more characters in your password for case insensitive.
http://xkcd.com/936/ also seems relevant.
This really seems like mountain out of a molehill, although I think everyone should get 2 factor authentication whenever it's an option. I don't see any correlation between someone choosing to use caps insensitive passwords and clear text password storage.
So: no case sensitivity => no hashes => reversible password storage => IT Security 101 Fail.
There's a difference between a user choosing a case-insensitive password, and the provider changing the user's password to something else. As you point out, the entropy added is not very significant; but it is very significant who makes this change in data - in a properly secured system, the provider should have no way of getting at the user's passwords ("we have a policy" doesn't cut it, this needs to be technically infeasible - which is what password hashing does).
Well, of course their backend systems are probably uber-secure and impenetrable, but there's no way to verify this, so you're depending on their honor - like people did with the various companies which had their databases hacked lately (Yahoo comes to mind - two weeks back?) and the passwords published out on the intertubes. And, to be honest, how much value is there in an average user's Diablo 3 account? And in an average user's bank account? I think this is the core difference.
Further reading - e.g. this: http://dustwell.com/how-to-handle-passwords-bcrypt.html ("I don't see why that's an issue" != "That is not an issue")
Just because they do pre-processing on a value passed over secure means (in this case .toLower() or toUpper() or equiv.) before inserting it into a database doesn't hint at all at what format is being chosen for storage.
It's a silly thing to do and might hint at stupidity, but it's not "IT Security 101 Fail" unless more information can be ascertained.
While we can't know without looking at their implementation, it's certainly possible and indeed fairly easy to build a forgiving system without having the password stored in a reversible format.
Also the value versus risk ratio for Diablo 3 accounts is probably better then trying bank accounts. The risk for attempting entry into a bank account is FAR higher then for a Diablo 3 account.
If you want to complain about something you should be complaining about websites that when you password recover e-mail you your old password. THAT is a sign of plain text password storage.