The HSBC UK online banking website has a strangely convoluted login system that I haven't seen anywhere else before, and which I'm concerned is ineffectual and compromises security. It works like this:
1. I enter my username, then am forwarded to a new page for the next steps.
2. I am asked a "memorable question", and enter my "memorable answer" in full.
3. I am asked for three characters from specific positions in my password. As far as I can tell, they are always the same three positions.
I am used to Australian banks just asking me for my username and password, potentially with an SMS authentication step.
Here's a screenshot of the page in which steps 2 and 3 are carried out:
Is there any advantage at all to doing this, or is this poor security compared to just asking for my password in full? I am concerned that not only is this needlessly complex, it is actually worse security than just asking for my password outright, because a potentially quite long and complex password is effectively reduced to a 3-character password.
As far as I'm concerned right now, my "memorable answer" has taken on the traditional password role, and my "password" is just an extra three characters I have for some reason.