Westpac Passwords

I have contacted Westpac regarding their login passwords - 6 characters - letters & digits only - no special characters allowed.

Surely in this day and age more substantial passwords should be a priority for security.

Westpac advises that there are further security measures if unusual activity occurs. What about personal details that can be obtained once they are in an account?

The first stage of protecting our accounts and personal information is the login password. Westpac, step up your game.

8 Likes

One of the unrecognised security features Westpac and a few others use is that one cannot pick their own login, nor can we log in using our email address. Thus, despite the (unacceptable) password restrictions, it becomes a double random event of finding a valid account number as well as its matching password to hack in.

This explanation of ‘bank security’ re passwords might assuage your worries, or maybe not?

That all written, I agree with you.

5 Likes

Unfortunately passwords aren’t overly secure anymore and are subject to phishing/hacking by criminals.

It is becoming more imperative to use two-factor verification/authentication to minimise the risks to both the bank and the consumer. Westpac has facilities, like other banks, to use two-factor authentication…

Every security specialist I have seen comment on important online transactions has recommended two-factor authentication for use where available. Even Choice in the past has also made such recommendations…

3 Likes

For many years I used IBM Mainframe systems that limited the password to 7 alphanumeric characters, no special characters, and case ignored.
Why was this never considered a security exposure?
Because the system gave 3 attempts to enter the correct password, after which the access was blocked. The password was valid for 30 days after which you were forced to change it, and the new password had to be substantially different, and not be one that had been used in the past going back at least 2 years.

I know of no Internet sites that implement that sort of password rigor. Some Unix and Windows servers I have accessed came close.

Also, it doesn’t matter if your password is 6 characters or 600 characters if your password becomes known to a hacker, and it never changes, and is the only validation for login. 2 factor authentication is far more secure.

3 Likes

thanks for your response

3 Likes

thanks

2 Likes

Thanks

2 Likes

On the face of it, I agree with you. That is well short of best practice.

However there are many other factors to consider.

  • What is the threat model? More discussion on that below.
  • Password failure surveillance - as other posts have said, if the system disables the account as soon as 3 bad passwords are entered (or a similar number of failures) - and I know that my bank’s internet banking does this - then a random password compliant only with the above weak restrictions will be safe enough.
  • Even if the account is not disabled, the system can take steps to force the user to slow down.
  • I think all banks are moving to two factor authentication - I know mine has. So even if the password is compromised, the account is not compromised. Having said that, if the password is too weak and hence is compromised, then two factor authentication goes back to being one factor authentication - and that is not good. So it is still important to keep the password secret.

So if you are contacting Westpac, the additional point you should be making is … when is Westpac introducing two factor authentication? (assuming that they have not already done so)

Coming back to the threat model … that question means: What precisely are you trying to defend against? Who is attacking you and how?

Compromise of the customer’s computer? Then, as other posts have said, it won’t matter if the password is length 6 or 60, or how complex it is.

Password guessing from outside the system? Yep, then the password length and complexity matters a little at least (a little if the account is disabled after 3 failures, a lot if no such surveillance occurs).

Compromise of the bank’s computer? Let’s say that the bank stores the password (salted and) hashed with 5000 rounds of SHAx. (NB: This is not considered best practice but it is better than nothing and is reasonable.) Yep, then the password length and complexity matters a lot!

I will tell Westpac for free that one hacker will break “6 characters, letters and digits only” in an embarrassingly short amount of time and without great expense. It is even possible to rent time on high performance GPUs that are on the internet in order to conduct a brute force attack without even having to invest in hardware. So it is essential that Westpac has adequate defences against both insiders and outsiders attacking their own computers.

The challenge for any system is to find a compromise for password difficulty. Make it too difficult and users (customers) will actively seek ways to game the system - and will also resort to writing the password down. Writing the password down may be quite safe against random internet hackers but is still against bank Ts and Cs and would be particularly bad if stored in conjunction with the associated card.

3 Likes

They already do, see point 6 in the Westpac link in the above post.

Using their two-factor authentication appears to be voluntary at this point in time. Introducing it compulsorily for all online accounts would assume that all their customers have mobile phones which can receive the SMS… however, they also offer RSA tokens (SecurID®) as well, which could be used by those without mobiles. Our own bank has gone away from RSA tokens to a SecurID® app through a smartphone - this then becomes an issue for those without smartphones.

5 Likes

…as well as introducing the topic about a lost or stolen smart phone that itself is not fully secure… whack a mole?

6 Likes

Hence I have chosen not to install any of the banking apps or use the smart phone to access financial services or save passwords and logins. It’s important to consider how you have notifications set up. By default my iPhone will display the first few lines of an incoming SMS. This may reveal the 2FA code without any need to hack the device.

Whichever option, 2FA by SMS or an RSA device, they take some of the fear factor out of online banking. I prefer the second given somewhat unreliable mobile reception at times.

P.S.
And yes, tokens too can be misplaced, lost or stolen.

4 Likes

I use an RSA token. Works well. Is simple. Foolproof. And more secure than a smartphone.

… is considered insufficiently secure these days. Better is 2FA via open authentication app (so that you don’t have to run some bank’s crappy, insecure, privacy destroying code on your phone).

That’s true but you would be hard-pressed to associate a token that you found on the floor in the pub with the account for which it is used (unless you can hack the bank).

1 Like

That can be another problem. If one needs that lost RSA to get into one’s account or pass scrutiny on the phone one can be literally locked out. I have one account that the only way to unlock it if that happens is to appear at one of their offices with photo ID. That might be reasonable excepting their closest office is Honolulu; it never leaves the fire resistant safe unless it is live in use!

It is a brave new world :roll_eyes:

(I wish they would all use google authenticator, but let us not go down that rat hole. We pick our own poisons.)

2 Likes

Fair comment. I wonder how many people have already lost or had stolen or damaged their RSA token.

Even so, I think we are better off with 2FA than without it. Before 2FA we still had problems with people forgetting their passwords (and sometimes horribly insecure password-reset procedures).

If your 2FA is implemented on your phone instead of a token, people lose their phones, or have them stolen or damage them.

Nothing is perfect.

My understanding is that Google Authenticator is just implementing open algorithms, so there is no reason to use Google’s privacy-destroying implementation. Just use an open implementation. If you don’t need a GUI, it’s 20 lines of Python code, or something like that. :wink:

I’m wondering when browsers will come with a built-in implementation, preferably with autofill (Firefox already has the choice of a couple of add-ons) … and then we will come full circle to “one factor authentication”. :slight_smile:

2 Likes
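The open algorithm behind Google Authenticator is TOTP (RFC 6238), which is HOTP (RFC 4226) with a time-based counter. The following is an added example, not code from any post in this thread: a minimal Python implementation of both, plus the server-side check a bank would run. The secret is the 20-byte key from the RFC test vectors (constructed here for illustration), and the one-step drift window in `verify_totp` is an assumption about deployment policy.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the 20 ASCII bytes used by the RFC 4226/6238 test vectors,
# base32-encoded the way authenticator apps expect it in a provisioning URI.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # restore base32 padding if stripped
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)                             # 8-byte big-endian counter
    mac = hmac.new(key, msg, algo).digest()
    offset = mac[-1] & 0x0F                                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else at
    return hotp(secret_b32, t // step, digits)


def verify_totp(secret_b32, submitted, at, window=1, step=30):
    """Server-side check (assumed policy): accept the current step and +/- `window` steps
    to absorb clock drift, comparing in constant time. A real service must also record the
    step that was accepted so the same code cannot be replayed within the window."""
    for delta in range(-window, window + 1):
        expected = totp(secret_b32, at + delta * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    print("current code:", totp(DEMO_SECRET_B32))
```

Because the counter is derived from the clock, the same 20 bytes of secret on the phone and on the bank's server yield matching codes with no network exchange between them.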

We have had one RSA token fail, half the LCD screen stopped working. Called the bank. To enable access, they reset login to password with a temporary fixed code (replacing the rolling RSA code) which was used as an interim measure. They posted a new RSA the same day. Two days later the new token arrived and activated.

3 Likes

As someone familiar with cyber security
Complex passwords are overrated
Whether it is 1 million characters or 6
It is equally able to be captured during a theft via phishing, man in the middle capture, or from the Post-it note on your desk.

Let’s assume the bank only let you use 6 digits only

For up to 999,999 valid combinations of the password and the 3 try limit that your bank will block your account.

What matters is after 10 years a hacker may have tried all combinations of 999999 up to 444,444.
If you have wisely changed your password regularly your password is probably today 222222 meaning they have already tried and assumed it doesn’t work.

What really works and really matters is
1. unique and ambiguous usernames for system.
2. change passwords at good intervals
3. multifactorial login features such as phone, text, email, second person, email

1 is important because trawling the internet for email addresses and social media names is a great place to start when testing random sites for possibly accessing your account. Trying a million passwords is useless without a valid user name.

2 as per above, despite popular belief changing passwords is not just about when some company or you lose your password to a hacker capture as a whole.
But it is also about the brute force dictionary and incremental try of every possible combination.
You change it, the prospects of the intruder are diminished with a start from square one, a huge waste of time to their effort.

3 a password is still useless without the second independent ‘password’

2 Likes

For a web site that only allows 6 digits, OK.

Personally I prefer … a long, strong password that after 10,000,000 years the hacker is only a tiny fraction of the way through brute force - and to change the password very infrequently.

With sooooooo many web sites, I don’t consider changing all passwords frequently to be reasonable.

I use random, meaningless passwords. I use software to generate them.

Obviously … manage each password commensurately with the risk. So internet banking would be dealt with more stringently than the Choice web site. (No offence intended :slight_smile:)

Against the above point about “10,000,000 years”, there is Moore’s Law and eventually quantum computers.

Some people are already moving over to hashing and/or encryption algorithms that will be less amenable to attack by quantum computers (but the details are way beyond my ken).

(Also unique password for system i.e. no reuse across different web sites etc.)

Unique username is a bit tricky because you don’t always get the choice.

Many web sites only let you log in using a verified email address. (Sure, I operate my own domain and hence can have an infinite number of email addresses but not everyone will be in that position.)

Another tricky aspect is e.g. the myGov web site where by default you can log in with your email address as an alternative to the unique, meaningless username that they assign you.

:open_mouth:

Various telecommunication companies seem to have the same flaw i.e. let you log in with your account number (which a random would-be intruder won’t know) but alternatively let you log in with your phone number (which is likely to be easier for the intruder to come by e.g. could be publicly available).

2 Likes

The latest cybersecurity advice is not to change it regularly but to have a long complex one saved in password managers.

1 Like

I am puzzled by all these posters giving their opinion on various lengths and complexity of passwords used for logins when I would think most are quite used to doing financial transactions using tap and go cards (no knowledge of userid or password required) or typically a four digit PIN if over a limit or using ATMs.

For some there is far more at risk in enabling direct access to your bank account than just the cash balance. There is a wealth of personal information and financial (credit) info that can be put to many other uses.

Even if in my instance the greatest cash risk is that any unauthorised access will soon realise there is little cash to be found. Perhaps they might take pity and pay some of the larger debts in return. :joy:

It also, if briefly, might open a pathway for misuse to serve another purpose. I’ve noticed some providers/services do not display personal details they hold in full, hashing out the larger portion of each stored entry. I hope that if it ever comes to that I offer too little to be worth the trouble in the first place.

1 Like