24 comments

[ 3.2 ms ] story [ 57.0 ms ] thread
Ouch! This means that they are storing your original password in plaintext somewhere, and that is definitely NOT best practices!
Maybe it's only a hashed version of the characters? :P
They may be storing the three characters as a hash separately, not that that is much better.
So I just need a pre-hashed table of all 80 possible single chars for a lookup table?

That is worse than a hash of SSNs.

You check 3 characters, not 1, but like I said, 80^3 still isn't good.
Fidelity's phone system lets you authenticate by typing your password on the phone keypad. On the plus side, this is probably the only time I've understood the technical reason behind a limited password alphabet.
Why would anyone think this was a good idea?
In my experience, most UK banks do the same thing. Their excuse is that it prevents keylogger attacks. I do not know enough to say whether it's an acceptable trade-off or not.
Seeing as I've been the victim of a half dozen or so password leaks, one credit card clone, and not a single keylogger attack, I'd probably err on the side of secure password storage, but that's just me.
Meanwhile, users actually type full password into the username field so they find the required characters by index, then delete it before submitting the form.
I think it's important to call attention to these issues, but can we change the sarcastic title?
I see no reason to? This is a UK bank, not observing security, UK levels of sarcasm are entirely in order.
Is there another step after this one? Or does this get you in?
HSBC has this: single-letters from your "secret word", in addition to an actual full passphrase.
That is going to make lastpass hard to use for the site.
It also appends some garbage to the username, validates it and then proceeds with the random char grab....weird

  var results = document.cookie.match ( '(^|;) ?' +    "Username" + '=([^;]*)(;|$)' );
Some sort of bs client-side salt?
I remember awhile back I created a CapitalOne account and I put in a long password which it excepted, when I tried to login it wouldn't work, so I reset my password very carefully typing it. The password reset was successful, I tried to login and nope, didn't work. Third time reset I realised they have a max password length and were truncating my password as my original password was past their max length but would except, truncate without telling me and store it. This was the CapitalOne in the US.
I use 1password and run into this problem so frequently it makes me rage.
I usually use the DOM inspector to check for a maxlength, but really wish I didn't have to do that. >.<
Honestly don't all of the US banking and credit card companies do this sort of 'security theater'? While this seems pretty absurd, I'm not aware of any that don't have mediocore to poor password practices.
Simple.com is pretty awesome. I'm sure there are others as well, but yes -- they are in the minority. :/