• @[email protected]
    link
    fedilink
    598 months ago

    Because as per usual they don’t understand security. I have started choosing my bank based on software they have. If software looks competent, that’s my most significant influence.

    They think rooted device = insecure device, but at the same time PC is even less secure and yet all the business users use them and more to the point have passwords written on a sticky note glued to the screen. My old bank at one point “upgraded” their software system and then started asking me for weird characters in password and then asked for maximum length which was the final sin I allowed them to commit. Left them that week.

    • lemmyvore
      link
      fedilink
      English
      308 months ago

      My bank keeps their app up to date with all the latest anti-root stuff but allows passwords made of 5 digits. ¯\_(ツ)_/¯

        • @[email protected]
          link
          fedilink
          English
          108 months ago

          Unless they’ve changed it very recently, Wells Fargo’s passwords are case insensitive

          • @[email protected]
            link
            fedilink
            68 months ago

            Air Canada’s online account system required a 6 character password, which was secretly converted via T9 to 6 numbers on the back end, meaning “aaaaaa” and “bbbbbb” were effectively the same password, and this was only fixed in 2018

            • @[email protected]
              link
              fedilink
              28 months ago

              That sounds like someone who topped out with highschool level programming tried to implement a hash algorithm.

              • @[email protected]
                link
                fedilink
                47 months ago

                My personal theory is that it’s a remnant of an old system that was only accessible by phone (hence the 6 digit pin), and they simply grafted an online component on top of it

        • @[email protected]
          link
          fedilink
          58 months ago

          Any service that limits maximum length of the password means they are not hashing them. Which is a scary proposition, especially for such a huge service.

            • @[email protected]
              link
              fedilink
              28 months ago

              It’s possible that limit is either gone or vestige from a bygone age and they are hashing passwords properly now. Either way they do seem like they take security seriously.

    • @[email protected]
      link
      fedilink
      198 months ago

      You’re better off with random different passwords for each service written on a sticky note than using the same password/email combofor multiple accounts.

      • lemmyvore
        link
        fedilink
        English
        88 months ago

        I mean, you’re comparing very different scenarios.

        If one account gets broken into and their password hashing was crap, the attacker can try the email/password combo with other services and can stumble onto another one you use.

        If someone has access to your sticky note they have all your accounts.

        I don’t think I’d call either of them better.

        Of course, all this assumes no second auth factor.

        • @[email protected]
          link
          fedilink
          48 months ago

          If someone has access to your sticky note they’re already in your house, and that’s a bigger issue IMO… even from an itsec perspective, once the attacker has physical access to guarantee safety is difficult.

          But seriously, there’s a guy in your house.

          • lemmyvore
            link
            fedilink
            English
            3
            edit-2
            8 months ago

            But seriously, there’s a guy in your house.

            My house is not a prison… yes, other people come over. There’s the occasional party, handymen doing work, neighbors, parents of kids from school, kids sleeping over, and so on. It doesn’t have to be the ninjas breaking in.

            If you don’t casually keep wads of cash in the open around the house you probably shouldn’t have logins on a post-it either. But to be fair the kind of person that does the latter does the former too.

            • @[email protected]
              link
              fedilink
              18 months ago

              If I know they are there then I either supervise visitors or trust them to not rummage/take my stuff. If that is your issue then keep your postit in a drawer; most people don’t keep their yubikeys in a securely bolted safe either.

        • @[email protected]
          link
          fedilink
          17 months ago

          Just shift the password descriptions a few spots compared to the passwords, then you’ll get email about failed logins as a canary.