
I'm no expert. Could someone please tell me if I'm overreacting?

After the Heartbleed news broke, I changed a lot of passwords. Here's what I discovered when changing the password on my all-in-one bank/brokerage online account.

Password requirements:
- Include 6-8 characters and numbers
- Include at least one number between the first and last characters
- Contain no symbols (!,%,# etc.)
- Cannot match or be a subset of your Login ID

Yes, that's 8 characters maximum. The best my random password generator was able to do is generate a password which takes about 16 hours to crack.

But, I figured, if they salt passwords then it doesn't matter. Here's their response to my question.

I consulted with our Technical Services division and found that, while our passwords are not salted before storage, they are on a secure, encrypted channel.

This is not a mom'n'pop operation, this is an old, large outfit with a lot of industry cred. (Which doesn't mean a lot with regard to technical competence, I know.) They provide security tokens on request, but why go to that trouble before something as basic as salting passwords?

Before I write back and tell them I no longer consider my assets safe with them, am I missing something or just overreacting? Thanks for any light shed.

wilee
  • Unfortunately banks are notoriously bad for having TERRIBLE password policies. Mostly because some of their processes rely on ancient software that can only handle 8 character passwords, can't handle special characters, and doesn't salt or even encrypt the passwords. You could try voting with your money and switching banks...but good luck finding one that doesn't have the same horrible issues. – Grant Apr 24 '14 at 17:38
  • I think you might misunderstand how salting works. It should have absolutely no effect on you as a user. Also, a 16 hour attack would be on a salted hash, as an unsalted hash would be near 0 time to crack (rainbow tables). The password requirements are much more worrisome to me than whether or not they salt their passwords. – David Houde Apr 24 '14 at 18:21
  • I say that because in all probability, the passwords are encrypted and not hashed. It is also going to be difficult to obtain the password database. The more realistic threat would be an online brute force attack, where low password entropy can become a problem if server side throttling/locking isn't used. Salting would make no difference in an online attack. – David Houde Apr 24 '14 at 18:49

2 Answers


"Salting" makes sense only as part of password hashing. From the response you got ("passwords [...] are on a secure, encrypted channel"), one may infer that:

  • Passwords are not hashed at all. The bank is able to recover your password at any time.
  • Some sort of encryption is applied, either for the storage itself (with an unspecified key) or for the transfer from one machine to another within the bank system (probably SSL). Or maybe both.
  • Whoever answered you does not consider that you can understand technology, or does not understand technology himself, or both.

As for the limitation on password length, it is indeed a problem and a very poor practice, since it prevents you from using passwords with high entropy and yet easy to remember (see this question). There may be technical reasons for that (compatibility with a legacy system -- and there are a lot of legacy systems in banks), but it is equally plausible that the limitation comes from a poorly understood Tradition (see this question).


Now let's take the point of view of the bank. What is the use of your password? Is it to protect your assets? No! The password is there to protect the bank. Not you. Your password is not for you; it is for them.

The bank, as a whole, wants to make money. Successful attacks make them lose money, because:

  1. they have to refund the user;
  2. they must deal with the loss of reputation.

Passwords can be used to reduce these losses, in several ways:

  • If the break-in is through guessing the password of a user, then the bank can claim that it is not their fault, but the fault of the user who chose a weak password. This limits the damage to reputation.
  • Similarly, if they can point to the user as being at fault, they may get away with not refunding him.

If the password is strong, then the probability of a breach is lowered. However (and that is an important point), long and complex passwords increase the probability of the user forgetting his password. Such an occurrence implies a phone call to the helpdesk, hence a loss of money. There is a potential for a trade-off here.

What must be remembered is that the bank tries to maximize its own profits and thus uses criteria which do not necessarily match your own assessment of the situation. They may oppose really strong user passwords if such passwords imply higher cost on their part, be it on compatibility layers with legacy systems or increased helpdesk usage. Their best interest does not necessarily match your best interest.

Moreover, password security is poorly implemented in general, because it is not well understood, as is demonstrated by the abundance of myths floating around (e.g. the myth which says that including punctuation signs improves security). That the bank is old does not mean that it is good at handling recent technology.

In any case, most cases of bank account theft are not due to a password too easy to guess, but to a password which was stolen with a key logger. Chances are that the effect of the "password rules" does not even show up statistically, so the bank has no real way to measure how efficient or inefficient that specific security policy is.

Thomas Pornin
  • Thanks for your answer. The bank does have a policy of refunding losses due to unauthorized access, but I'd rather not lose money and try to get it back from the bank in the first place. – wilee Apr 24 '14 at 17:47
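As an added illustration (not code from the question or either answer), this Python models the policy quoted in the question, counts how many passwords it admits, and contrasts an unsalted digest with a salted, iterated one, which is the distinction the answer above draws between "salting" and merely "encrypting in transit". The policy checker, the reading of "subset of your Login ID" as "substring", and the PBKDF2 parameters are my assumptions.

```python
import hashlib
import hmac
import math
import os
import string

# Constructed model of the quoted policy: 6-8 characters, letters and
# digits only, at least one digit strictly between the first and last
# character, and not equal to / a substring of the login ID (assumption:
# "subset" is read as "substring").
LETTERS = string.ascii_letters
DIGITS = string.digits

def meets_policy(pw, login_id):
    return (6 <= len(pw) <= 8
            and all(c in LETTERS + DIGITS for c in pw)
            and any(c in DIGITS for c in pw[1:-1])
            and pw.lower() not in login_id.lower())

def policy_keyspace():
    """Count every password the first three rules admit: all alphanumeric
    strings of length 6-8, minus those with only letters in the interior."""
    a, d = len(LETTERS), len(DIGITS)
    return sum((a + d) ** n - (a + d) ** 2 * a ** (n - 2) for n in range(6, 9))

def entropy_bits(count):
    # Upper bound on what a user can get: a bit under 48 bits for this policy.
    return math.log2(count)

def store_unsalted(password):
    # One digest per password, shared by every user who picks it, so a
    # single precomputed table of digests serves against the whole database.
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password, salt=None):
    # Per-record random salt kept beside the hash: identical passwords get
    # different records, and each salt forces a fresh, slow computation.
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def verify_salted(password, record):
    salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)
```

The keyspace count shows that even a perfectly random password under this policy carries only about 47 bits, which is why the question's generator could do no better than it did.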

I understand the "Cannot match or be a subset of your Login ID" requirement but... maximum 8 chars and no symbols? All that is doing is basically limiting how secure your password can be and offers nothing. Heck, if they hash the passwords, why limit what/how many characters can be in them?

Also, the fact that the passwords are not salted is worrying, since if they don't salt them, who guarantees that they even store them hashed at all and not in plain text right there in their database, leaving every employee that has access to it able to read your passwords?

Before I write back and tell them I no longer consider my assets safe with them, am I missing something or just overreacting?

You are not overreacting at all. I wouldn't even think about using a bank that has security measures similar to this; remember, this is not just any account, it's most of your money.

user36976
  • Unfortunately I think another bank I use does the same thing! I called and asked whether they have any plans to implement salting or allow more complex passwords. – wilee Apr 24 '14 at 18:12