Fidelity's phone system lets you authenticate by typing your password on the phone keypad. On the plus side, this is probably the only time I've understood the technical reason behind a limited password alphabet.
In my experience, most UK banks do the same thing. Their excuse is that it prevents keylogger attacks. I do not know enough to say whether it's an acceptable trade-off or not.
Seeing as I've been the victim of a half dozen or so password leaks, one credit card clone, and not a single keylogger attack, I'd probably err on the side of secure password storage, but that's just me.
Meanwhile, users actually type full password into the username field so they find the required characters by index, then delete it before submitting the form.
I remember awhile back I created a CapitalOne account and I put in a long password which it excepted, when I tried to login it wouldn't work, so I reset my password very carefully typing it. The password reset was successful, I tried to login and nope, didn't work. Third time reset I realised they have a max password length and were truncating my password as my original password was past their max length but would except, truncate without telling me and store it. This was the CapitalOne in the US.
Honestly don't all of the US banking and credit card companies do this sort of 'security theater'? While this seems pretty absurd, I'm not aware of any that don't have mediocore to poor password practices.
24 comments
[ 3.2 ms ] story [ 57.0 ms ] threadThat is worse than a hash of SSNs.