I have been methodically working through the many passwords we now have for access to all our accounts etc, about 50 altogether, I am using a password vault and generator, which is fine for most but every now and again there is a company or a site which has an archaic password policy which disallows complex passwords. But Westpac is today’s favorite, in that it only allows for a 6 character password and then with only alpha numeric characters allowed. This is nonsensical in today’s internet world of phishing, scam and identity fraud.
Does it matter as most accounts have 2FA today. If they don’t they are all moving that way to 2FA.
All the accounts I have use 2FA. Makes life so easy. PayPal led the way for ease of interface, ease of use and greased lightning speed.
With banking apps on phone and tablet it is even easier, with only a 4 or 6 digit numerical passcode and no 2FA. On a phone with fingerprint access some have additional fingerprint authorisation.
Westpac online has taken the position that their passwords are sufficient because the login ID is neither selected by the customer nor related to the customer’s email address.
Whether one agrees with that or not, that was their reply to me a few years ago. I looked then and again and confirmed ‘today’ is the 21st century.
It gets worse – if one enables fingerprint app login on a phone, anyone with their fingerprint registered on the device can run the Westpac app as I understand it. Enrolment in ‘Westpac Protect™ SMS Code’ (2FA) is optional. If multiple people have registered fingerprints they can all get the ‘SMS Protect’ code since they have access to ‘the phone’.
OTOH my account hasn’t been compromised (yet).
It matters little if the password is a convoluted sequence of alphanumerics and special characters, or a simple four digit pin as on your card to use EFTPOS or ATMs.
If the access system limits tries of a password to say no more than five attempts before lockout, then the complexity of said password is detrimental. Much easier to remember a simple password.
Anyway, fixed passwords are old and on the way out. Replaced by multifactor authentication methods like one-time passwords.
Our banks are 3 attempts.
The customer number which serves as your login ID, as @PhilT pointed out, is also unique. Our bank advises it too needs to be kept secure. Westpac are not the only FI that permit relatively simple or short PW.
FWIW ComBank (Commonwealth Bank) 1990 vintage Telebank service used dial up and one-time passcodes to secure every single transaction. Nothing new except the delivery methods for today's banking have moved on from using Australia Post.
The crux of the Westpac issue is they only accept short simple passwords with basic alphanumerics.
From the security point of view of a login server, a short easy to remember password becomes just as secure once salted and hashed as some password manager generated thing that the user has no idea of and would never remember.
From a banking support point of view, users forgetting passwords and needing a reset is a pain. The easier the password or pin to remember, the better.
I have a password manager and also use Chrome and Edge to store non-financial passwords as I have many and growing at the rate of one or two per week.
For Internet Banking I remember the passwords and never allow a “system” to store them. I don’t worry about how short Westpac’s is and it has been that way for a very long time.
My only exposure is if a keylogger has been installed on one of my computers and I would hope my IT security disciplines stop that from happening. But if one has somehow been installed, it wouldn’t matter if my password was one character or one thousand … the keylogger would record it.
The message I tell my friends that like to reuse passwords is to make sure you have a unique and strong password when money is involved.
My goal for 2023 is to make sure all my passwords are strong and unique and for the financial ones, I change regularly, eg. every 3 months.
Of course if you make the change to multifactor authentication, then your effective password changes every time you access, not every three months.
Out of curiosity, does your password generator have the functionality to tailor the generated password to the requirements of the web site (in this case to dumb down the set of valid characters)?
As others have said,
- limiting the number of unsuccessful password attempts, and
together mean that the reason to use a long complex password is not as significant. I still do though for internet banking.
For the record, there is a somewhat valid security reason to dumb down the password - and this applies to any user-specified input. The reason is that allowing “weird” characters (such as punctuation characters or, dare I say it, non-ASCII Unicode characters) may expose bugs in the system - since “weird” characters may require encoding and/or escaping in order to move around a computer application safely, particularly a distributed application.
A second, sometimes applicable, reason is interoperability. That hopefully wouldn’t apply to a password (!) but if user-specified input is shared with a third party then it might have to be limited to the lowest common denominator.
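The posts above argue about whether a short password is "just as secure once salted and hashed" and whether a lockout after three or five attempts makes length irrelevant. The following is an editor-added worked calculation, not code from any post in the thread, that puts numbers on the two threat models involved: an online guesser who is stopped by the lockout, and an offline attacker who has obtained the salted hash. The 6-character alphanumeric policy (62 symbols), the 16-character password-manager policy (94 printable symbols), the 3-try lockout and the cracking rates are assumptions chosen to match the thread; the "leaked hash" brute force uses plain salted SHA-256 and a 3-character password purely so it finishes in under a second.

```python
"""
Keyspace and guess-budget arithmetic for the password policies discussed
in the thread. Editor-added example, not from any post.

Assumptions (editor's): a 6-character alphanumeric policy (62 symbols), a
16-character password-manager policy over printable ASCII (94 symbols), an
online lockout after 3 failed attempts, and illustrative guess rates.
"""
import hashlib
import itertools
import os
import string
from typing import Optional

ALNUM = string.ascii_letters + string.digits       # 62 symbols
PRINTABLE = ALNUM + string.punctuation             # 94 symbols


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct passwords of exactly `length` over `alphabet`."""
    return len(alphabet) ** length


def online_success_probability(alphabet: str, length: int, attempts: int) -> float:
    """Chance a remote guesser hits a uniformly chosen password within
    `attempts` tries, when a lockout stops any further tries."""
    return attempts / keyspace(alphabet, length)


def offline_worst_case_seconds(alphabet: str, length: int, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace once the salted hash has leaked.
    A salt defeats precomputed tables; it does not shrink this number."""
    return keyspace(alphabet, length) / guesses_per_second


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted SHA-256: deliberately fast so the toy brute force below finishes.
    A real credential store would use a slow, memory-hard KDF."""
    return hashlib.sha256(salt + password.encode()).digest()


def crack_salted_hash(digest: bytes, salt: bytes, alphabet: str, length: int) -> Optional[str]:
    """Exhaustive search over the policy's keyspace. The salt is stored next to
    the hash, so the attacker has it; it only stops work being shared across users."""
    for candidate in itertools.product(alphabet, repeat=length):
        pw = "".join(candidate)
        if hash_password(pw, salt) == digest:
            return pw
    return None


if __name__ == "__main__":
    print(f"6-char alnum keyspace:        {keyspace(ALNUM, 6):,}")
    print(f"16-char printable keyspace:   {keyspace(PRINTABLE, 16):.3e}")
    print(f"online, 3 tries then lockout: {online_success_probability(ALNUM, 6, 3):.2e}")
    print(f"offline @1e9 SHA-256/s, 6-char alnum: {offline_worst_case_seconds(ALNUM, 6, 1e9):.1f} s")
    print(f"offline @1e5 slow-KDF/s, 6-char alnum: "
          f"{offline_worst_case_seconds(ALNUM, 6, 1e5) / 86400:.1f} days")
    salt = os.urandom(16)
    leaked = hash_password("k7Q", salt)            # 3-char password, constructed for the demo
    print("recovered from leaked salted hash:", crack_salted_hash(leaked, salt, ALNUM, 3))
```

The two numbers worth comparing are the online probability (a few parts in 10^10 per lockout cycle, which is why the lockout argument holds against remote guessing) and the offline exhaustion time, which the salt does not change; only a slow KDF or a larger keyspace moves it.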
Thanks for all the responses. They are interesting to read. As an 80yo who has pretty well kept up with using what is offered by the internet, I am happy and enjoy the experience of dealing with my online life. It is a far cry from lining up at the police station to pay for a driving license or car registration in my lunch hour in 1960. But give a thought to my friends who struggle with poor memory and passwords as you offer solutions which they cannot understand and they remain at risk by using passwords they can remember. I use Norton password generator and vault to manage passwords, I do use multi factor authentication for most things, but because I travel overseas am reluctant to have them on accounts I would need where I don’t have ready access to SMS.
A very good point you make about mobile phone based security passwords. You are dependent on a phone network to deliver a 2FA password via SMS msg.
Doing 2FA via TOTP is better in that regard. It requires no telecommunications connectivity of any kind (for the second factor). So you can do it using a standard app on a phone that has no SIM and no WiFi (if needs be!). Hence why you can do it on a security token that doesn’t even have the possibility of connecting to anything.
And you end up with either a whole lot of physical token devices you have to remember to carry around wherever you go, or a whole lot of apps on your smart phone, and have to remember which one is which for what you are logging on to.
Lose a token device, or your phone, and you are stuffed.
A cloud based password facility, if secure, is independent of any physical devices.
Just one password to remember.
Nah. One TOTP/HOTP app can do all web sites etc. that use those standards for second factor authentication.
You can backup the data used by the authentication app, and hence restore it onto another phone, which is fine, but you do have to protect the backup as strongly as you protect the phone itself.
But then the post here was talking about receiving SMSs for second factor authentication, and the problems that that causes - and if you lose your phone then you will struggle to receive SMSs too.
In Australia using SMS for 2FA also sucks because some people have no mobile signal at home and can’t receive SMSs at all. Hence: login with password, you have 10(?) minutes to … drive up the nearest hill, get signal, receive the SMS, drive back home, enter the code. The situation is not as bad now that more MVNOs are supporting mobile services over WiFi.
I am not aware of any web sites etc. offering that for 2FA. I can imagine that a bank would not be happy if the security of your account depended on an unknown third party with untested security practices and who is potentially overseas and beyond legal reach.
Unfortunately, the problem of time drift in generating TOTP passwords has yet to be addressed. There is no standard to say how login hosts handle incorrect password attempts. RFC6238 doesn’t specify how.
So I would not expect a one TOTP app on my phone for all 2FA logins to be anything but a problem.
As for a password manager, that is not 2FA of course. It is a method of storing and using passwords.
One can get a one time password delivered by Internet email. Not ideal, but an option when the cell network is not there. And as long as the email server delivers your message before the OTP expires.
I’ll let you know when I actually encounter it as a problem. There’s no doubt that that is a theoretical challenge, and likewise (similar but different) with HOTP. If using a mobile phone with infrequent access to any kind of network, time drift is unlikely to be a problem. If using a mobile phone that never has access to any kind of network then time drift could be a problem (unless the host notices when the phone has drifted out by a full 30 seconds and then stores a need to compensate for that).
I prefer it to SMS as it’s less intrusive. I am using that with at least one web site and it does work (even to the extent of managing to get the email message through in time but that is easier for me as I have my own domain and my own mail server i.e. my end is completely under my control). You would assume that on the host side they would have to allow such messages to jump the queue, or anything equivalent to that.
PS SMS is of course itself store-and-forward, which means just occasionally it too is gummed up and messages are delayed by hours and two factor authentication will fail.
Then there’s anti-spam to contend with - which will be an increasing problem getting security codes through via SMS this year (while of course being a massive problem already with email).
I have been banking with Regional Australia Bank and they have now moved to a new system that does not allow access with a VPN, as well as blocking password managers such as NordPass. Their Android app keeps forgetting my password and the only workaround I have been told to use is the Web app.
I use 2 other banks and they both have a better system for mobile access. If I don’t get a reasonable answer from my local manager I will be using another bank.
Many accounts which require secure logins such as banks and other financial institutions are starting to block VPNs. We have one financial account which has done such and the reason given was to increase security. I believe that this particular institution records IPs as part of the login authentication process and where different (suspicious) IPs occur, they are flagged and potentially blocked. I suppose it is a bit like using a credit card overseas (without telling the issuer), where such transactions are flagged as suspicious and result in transactions being blocked.
If blocking VPNs increases security or increased detection of unauthorised account access, it may be a good thing if it prevents some falling to criminals stealing money from their accounts.
While this is about US banking, it would also apply here and provides further information:
In relation to password managers, it may be a password manager issue not being able to automatically autofill credentials. Our own password manager has had issues with some sites in the past but tends to get sorted with updates.
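The post two above describes an institution that appears to remember the IP addresses a customer has logged in from and to flag or block logins from unfamiliar ones, which is how a VPN exit ends up treated as suspicious. The following editor-added example, not any bank's code and not from any post, shows the simplest form of that logic run over a constructed login log: a first-factor login from an address the user has never completed a second factor from triggers a step-up, a second factor completed from that address makes it trusted, and more than a set number of distinct unseen addresses within a day is blocked outright. The event format, the one-day window and the threshold of three are all assumptions.

```python
"""
Per-user IP memory with step-up and rate-limited block decisions.
Editor-added example, not any institution's code. Event format, window
and thresholds are the editor's assumptions; addresses are RFC 5737
documentation ranges.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

DAY = 86400
MAX_NEW_IPS_PER_DAY = 3   # assumed threshold


@dataclass
class UserState:
    trusted_ips: Set[str] = field(default_factory=set)
    new_ip_times: List[int] = field(default_factory=list)   # step-ups triggered recently


def decide(state: UserState, ip: str, ts: int) -> str:
    """Decision for a login whose first factor (password) has just passed."""
    if ip in state.trusted_ips:
        return "allow"
    state.new_ip_times = [t for t in state.new_ip_times if t > ts - DAY]
    if len(state.new_ip_times) >= MAX_NEW_IPS_PER_DAY:
        return "block"                 # too many unfamiliar addresses today
    state.new_ip_times.append(ts)
    return "step_up"                   # require the second factor from this address


def confirm(state: UserState, ip: str) -> None:
    """Called once the second factor has passed from `ip`: trust it from now on."""
    state.trusted_ips.add(ip)


def process(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Replay 'ts user ip event' lines; return (user, ip, decision) per login."""
    states: Dict[str, UserState] = {}
    decisions = []
    for line in log_lines:
        ts_s, user, ip, event = line.split()
        ts = int(ts_s)
        state = states.setdefault(user, UserState())
        if event == "login":
            decisions.append((user, ip, decide(state, ip, ts)))
        elif event == "mfa":
            confirm(state, ip)
    return decisions


# Constructed sample log: alice uses her home address, then a VPN exit;
# bob's password is tried from four different addresses in three minutes.
SAMPLE_LOG = [
    "1700000000 alice 203.0.113.10 login",
    "1700000030 alice 203.0.113.10 mfa",
    "1700003600 alice 203.0.113.10 login",
    "1700007200 alice 198.51.100.7 login",
    "1700007230 alice 198.51.100.7 mfa",
    "1700014400 alice 198.51.100.7 login",
    "1700018000 bob 192.0.2.1 login",
    "1700018060 bob 192.0.2.2 login",
    "1700018120 bob 192.0.2.3 login",
    "1700018180 bob 192.0.2.4 login",
]

if __name__ == "__main__":
    for user, ip, decision in process(SAMPLE_LOG):
        print(f"{user:6} {ip:14} {decision}")
```

Read against the thread: a customer on a VPN whose exit address changes often would see a step-up on most logins under this policy, and an app that does not handle the step-up path cleanly looks to the user like "the app keeps forgetting my password". Blocking all VPN ranges is a coarser substitute for the same signal.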