Westpac Passwords

That can be another problem. If one needs that lost RSA to get into one’s account or pass scrutiny on the phone one can be literally locked out. I have one account that the only way to unlock it if that happens is to appear at one of their offices with photo ID. That might be reasonable excepting their closest office is Honolulu; it never leaves the fire resistant safe unless it is live in use!

It is a brave new world :roll_eyes:

(I wish they would all use google authenticator, but let us not go down that rat hole. We pick our own poisons.)

2 Likes

Fair comment. I wonder how many people have already lost or had stolen or damaged their RSA token.

Even so, I think we are better off with 2FA than without it. Before 2FA we still had problems with people forgetting their passwords (and sometimes horribly insecure password-reset procedures).

If your 2FA is implemented on your phone instead of a token, people lose their phones, or have them stolen or damage them.

Nothing is perfect.

My understanding is that Google Authenticator is just implementing open algorithms, so there is no reason to use Google’s privacy-destroying implementation. Just use an open implementation. If you don’t need a GUI, it’s 20 lines of Python code, or something like that. :wink:

I’m wondering when browsers will come with a built-in implementation, preferably with autofill (Firefox already has the choice of a couple of add-ons) … and then we will come full circle to “one factor authentication”. :slight_smile:

2 Likes

We have had one RSA token fail, half the LCD screen stopped working. Called the bank. To enable access, they reset login to password with a temporary fixed code (replacing the rolling RSA code) which was used as an interim measure. They posted a new RSA the same day. Two days later the new token arrived and activated.

3 Likes

As someone familiar with cyber security: complex passwords are overrated. Whether it is 1 million characters or 6, it is equally able to be captured during a theft via phishing, man-in-the-middle capture, or from the Post-it note on your desk.

Let’s assume the bank only lets you use 6 digits.

There are up to 999,999 valid combinations of the password, and after the 3-try limit your bank will block your account.

What matters is that after 10 years a hacker may have tried all combinations of the 999,999 up to 444,444.
If you have wisely changed your password regularly, your password is probably today 222222, meaning they have already tried it and assumed it doesn’t work.

What really works and really matters is:
1. unique and ambiguous usernames for the system
2. change passwords at good intervals
3. multifactorial login features such as phone, text, email, second person, email

1 is important because trawling the internet for email addresses and social media names is a great place to start when testing random sites for possibly accessing your account. Trying a million passwords is useless without a valid user name.

2 as per above, despite popular belief changing passwords is not just about when some company or you lose your password to a hacker capture as a whole.
It is also about the brute force dictionary and incremental try of every possible combination.
You change it, the prospects of the intruder are diminished with a start from square one, a huge waste of time for their effort.

3 a password is still useless without the second independent ‘password’

2 Likes

For a web site that only allows 6 digits, OK.

Personally I prefer … a long, strong password that after 10,000,000 years the hacker is only a tiny fraction of the way through brute force - and to change the password very infrequently.

With sooooooo many web sites, I don’t consider changing all passwords frequently to be reasonable.

I use random, meaningless passwords. I use software to generate them.

Obviously … manage each password commensurately with the risk. So internet banking would be dealt with more stringently than the Choice web site. (No offence intended :slight_smile:)

Against the above point about “10,000,000 years”, there is Moore’s Law and eventually quantum computers.

Some people are already moving over to hashing and/or encryption algorithms that will be less amenable to attack by quantum computers (but the details are way beyond my ken).

(Also a unique password per system, i.e. no reuse across different web sites etc.)

Unique username is a bit tricky because you don’t always get the choice.

Many web sites only let you log in using a verified email address. (Sure, I operate my own domain and hence can have an infinite number of email addresses but not everyone will be in that position.)

Another tricky aspect is e.g. the myGov web site where by default you can log in with your email address as an alternative to the unique, meaningless username that they assign you.

:open_mouth:

Various telecommunication companies seem to have the same flaw i.e. let you log in with your account number (which a random would-be intruder won’t know) but alternatively let you log in with your phone number (which is likely to be easier for the intruder to come by e.g. could be publicly available).

2 Likes

The latest cybersecurity advice is not to change it regularly but to have a long complex one saved in password managers.

1 Like

I am puzzled by all these posters giving their opinion on various lengths and complexity of passwords used for logins when I would think most are quite used to doing financial transactions using tap and go cards (no knowledge of userid or password required) or typically a four digit PIN if over a limit or using ATMs.

For some there is far more at risk in enabling direct access to your bank account than just the cash balance. There is a wealth of personal information and financial (credit) info that can be put to many other uses.

Even if in my instance the greatest cash risk is that any unauthorised access will soon realise there is little cash to be found. Perhaps they might take pity and pay some of the larger debts in return. :joy:

It also, if briefly, might open a pathway for misuse to serve another purpose. I’ve noticed some providers/services do not display personal details they hold in full, hashing out the larger portion of each stored entry. I hope that if it ever comes to that I offer too little to be worth the trouble in the first place.

1 Like

Plus the more fundamental issue that internet banking may get access to accounts that can’t be accessed at all via a card.

2 Likes

There are several answers that one could contemplate:

  • No matter how insecure one mechanism is, that isn’t an excuse to accept insecurity in another mechanism.
  • There are of course several known attacks against cards but, again, that isn’t a reason not to think about how we should make internet banking secure.
  • A person could choose to use internet banking and not use things like tap-and-go or ATMs.

I believe that tap-and-go has become acceptable because cloning a chip card is much more difficult than cloning a magnetic stripe card. So effectively tap-and-go is considered to be one-factor-authentication (something you have) and can’t readily be misused by someone who is not in possession of the card. Of course, cards get stolen all the time and hence there have to be limits and there have to be procedures to limit losses.

A chip card with a PIN then is two-factor-authentication - and the question becomes: why is a 4 digit PIN acceptable when it is so obviously weak as a password? I would give two answers to that:

  • Cards tend to be used in environments where someone isn’t going to be able to try all 10,000 PINs.
  • When you use a card in an ATM, the ATM will swallow the card after 3 incorrect PINs. So there is hard enforcement on the number of attempts allowed.

You can have a PIN that is longer than 4 digits. However I don’t recommend doing that if going overseas because not all foreign equipment will necessarily work if you have a longer PIN.

3 Likes

18 posts were split to a new topic: Password ‘Science’

There was a discussion in the topic about passwords that might be worthy of a primer, but not directly related to the banking issue that began this topic. I carved out most of that discussion into a new topic at Password ‘Science’.

Please continue explicit banking issues here, and ‘all about passwords’ there.

3 Likes

A post was merged into an existing topic: Password ‘Science’

A couple of years ago I questioned Westpac about their rather short and seemingly insecure password rule.
Their response to me was that they are happy and confident that their 6 digit password is safe and secure.
I don’t understand how their system works, but when I log into my westpac account using my password manager, after it has logged in, the password manager asks me if I want to save the “new password”.
From this I assume some kind of keystroke encoding is taking place.
BB

1 Like

My NAB banking login causes the same effect. The browser asks if I want to save the password. If I click yes, what is saved is not the password, just blank. So I always click no.
Not sure what is going on behind the login exchange, but it seems that my bank is helping me avoid doing a silly thing.
That is, store my password in the browser. Or for that matter a password manager.
The password has to be manually entered each time.
So I know I have to remember what it is, rather than let a password manager do it for me.

2 Likes

I tested this out yesterday with my Westpac login using my password manager.
After logging in, the password manager asked me if I want to save the new password, so I said YES, and then I checked what it had saved as the new password - not blank but a completely different 6 digit code. I had to change it back to the original code so the password manager login would work again next time.

Maybe somebody knows what’s going on here?
BB

1 Like

Could be a bug in the password manager where it is having difficulty reading the user id and password…when logging in it thinks it is different to that stored as a result causing the request to save to pop up.

Westpac have changed their login coding which confuses the password manager.

Also check the URL in the password manager is exactly the same as the Westpac login page. We find our own password manager makes a save request when it is slightly different, such as

mybank.com.au/login.html
mybank.com.au/en/login.html

It appears to be set to recognise slight changes in website folder which triggers the request.

Does the user id and password automatically populate/autofill the login page or do you cut and paste these in manually? If you paste manually, either the Westpac login page is coded to prevent autofill or the password manager can’t autofill for some reason. This might indicate a conflict of some sort, a bug or Westpac trying to prevent bot password breakers/crackers.

Is the browser password manager turned off? It could also be a conflict between the browser password manager/storer and your own third party password manager.

1 Like

I don’t use the browser password manager as I don’t trust it.
Neither do I cut and paste from my password manager.
I open the password manager and tell it to go to westpac, then it opens the login page and enters my customer number and password and logs in successfully.

Then my password manager asks me if I want to update the password, and I say NO!!

I will check the URL stored in my password manager against the URL for westpac login and see if there is a difference.

Thanx
BB

3 Likes

Something I didn’t think of earlier - if you also use two factor authentication, the password manager may be reading the two step authentication code entry as the password - identifies difference to that stored and then requests to change the password to match. This will be a password manager issue and if the case, let the password manager developer know so that they might be able to sort it out for future versions.

1 Like

Your bank does not want you to store your password and use autofill from a browser or other password manager. After all, your computer could be in a shared environment at home, or work.
There are many techniques used on the login server side to block or confuse password managers.
Some are given here: https://stackoverflow.com/questions/41217019/how-to-prevent-a-browser-from-storing-passwords

3 Likes