My bank forces me to use 6 digits as a password for online services
I just told labanquepostale.fr about this issue via their internal messaging system, and they justify it by saying that I also have to input a 10 character identifier, and that their "virtual keyboard" changes the arrangement of the digits at each logon.
How can this be secure? If it's not, what would be good arguments to get them to think about changing it?
8 comments
[ 2.0 ms ] story [ 29.8 ms ] threadBtw, I found this tweet that describes bank's security measures :)- https://twitter.com/webchaeschtli/status/462584313209696258
If they lock it after three goes, how is a 6 digit password less secure than a 100 character password?
With an alphanumeric password, many people will still pick a variation of "password12345" or "letmein!!", but at least then their banking password is not literally posted on their public Facebook page. :)
But, yes, it is bad practice and lazy. They could trivially have a "phone pin" or just verify security questions over the phone like almost every other bank on the planet.
As nodata quite correctly pointed out, it could be made secure by locking out your account after a very short number of tries (e.g. 5). Then requiring telephone or email verification to re-enable it. That would stop brute force, dictionary, and distributed versions of the same from effectively working no matter how small the password space is.
In my experience companies who enforce things like a 6 character password are not the kind of who will sit there and calculate out the attempts/minute and "time to break (TTB)."
Plus the thing they said about their virtual keyboard shows utter ignorance and incompetence. Professional keyloggers don't literally log your keys! They hook into the network stack or browser and literally grab completed POST HTTP/s requests, so a virtual keyboard adds nothing at all security wise (and arguably makes it easier for someone to shoulder surf you, even if that threat is highly overblown and rarely exists).
So, yeah... Good luck convincing them. Whoever works there and making security decisions clearly is incompetent and it will likely take internal rather than external pressure for that to change.