My bank forces me to use 6 digits as a password for online services

5 points by jfoucher ↗ HN
I just told labanquepostale.fr about this issue via their internal messaging system, and they justify it by saying that I also have to input a 10 character identifier, and that their "virtual keyboard" changes the arrangement of the digits at each logon.

How can this be secure? If it's not, what would be good arguments to get them to think about changing it?

8 comments

[ 2.0 ms ] story [ 29.8 ms ] thread
IME they just ignore the public
Well, it might be secure from their point of view but from user's (yours) definitely too anoying. I'm sure that it's not easy to update/migrate to new security system but some solutions are just crying to be updated.

Btw, I found this tweet that describes bank's security measures :)- https://twitter.com/webchaeschtli/status/462584313209696258

It depends on how quickly they lock your account if the wrong password is entered.

If they lock it after three goes, how is a 6 digit password less secure than a 100 character password?

Massively higher odds of a random guess hitting it lucky, of course. If usernames are easy to predict or come by then someone could find a way to bang on a large set of accounts.
6 digits are less secure than 100 characters because when asked to generate a 6 digit password, many many people will pick their birthdate, wedding anniversary, or childrens' birthdate.

With an alphanumeric password, many people will still pick a variation of "password12345" or "letmein!!", but at least then their banking password is not literally posted on their public Facebook page. :)

They often do stuff like this so it is easier to verify a customer via a phone system (e.g. "enter your pin now!").

But, yes, it is bad practice and lazy. They could trivially have a "phone pin" or just verify security questions over the phone like almost every other bank on the planet.

As nodata quite correctly pointed out, it could be made secure by locking out your account after a very short number of tries (e.g. 5). Then requiring telephone or email verification to re-enable it. That would stop brute force, dictionary, and distributed versions of the same from effectively working no matter how small the password space is.

In my experience companies who enforce things like a 6 character password are not the kind of who will sit there and calculate out the attempts/minute and "time to break (TTB)."

Plus the thing they said about their virtual keyboard shows utter ignorance and incompetence. Professional keyloggers don't literally log your keys! They hook into the network stack or browser and literally grab completed POST HTTP/s requests, so a virtual keyboard adds nothing at all security wise (and arguably makes it easier for someone to shoulder surf you, even if that threat is highly overblown and rarely exists).

So, yeah... Good luck convincing them. Whoever works there and making security decisions clearly is incompetent and it will likely take internal rather than external pressure for that to change.

It makes it more secure, but not fully. If the password hashes ever got dumped via other means, the effort required to brute force those hashes (even salted) would still be far less than you want it to be.
My bank also has this system, and your account is blocked after 20 wrong entries ever. Then you have to call and they send you the new codes at home.