
9 Comments

I’m wondering if another variation still occurs: taking only the first N characters of your input. You type in a 20 char password and then they only compare with the first 8, 10 or 12 characters. Too bad they did not test that at the same time. And it’s good that they mention the actual banks – the time is long past where we should still have tolerance for these issues.

I’ve been trying for years to get my bank to accept more complex passwords (more characters, special characters) but my pleas fall on deaf ears. Two factor authentication??? They can’t even relate to it. It is time for me to change banks.

For FIs that outsource their online banking, this is becoming a huge vendor management issue. The inability to create complexity requirements increases transaction and reputation risk.

Not precisely on topic but sometime back I noticed that if I typed in any character – ANY character – in the Username field of two banks at which I had accounts, a list of alphanumeric strings would be presented. If I typed in the 1st character of my username, my username was in the field along with other strings that were, presumably, other valid Usernames. Until that date, it had not been that way, i.e., no list of any kind presented, as it seems it should be, and I attributed the glitch to recent website maintenance.

I notified both banks of this “change”, pointing out that a would-be thief would only have to crack the Password instead of both Username and Password.

One bank (the small, local one) fixed the glitch immediately. The other much larger, country-wide one, took much longer to get around to it.

Dave wrote “Not precisely on topic but sometime back I noticed that if I typed in any character – ANY character – in the Username field of two banks at which I had accounts, a list of alphanumeric strings would be presented. If I typed in the 1st character of my username, my username was in the field along with other strings that were, presumably, other valid Usernames.”

Dave, that’s a function in your browser, not the website. You can turn it off if you like. Or else secure your computer just as you would your phone.

Hmmm ... If that were the case, it’s interesting that without my doing anything to my browser or PC the lists of apparent usernames stopped being presented (below the Username field, not in it) after I notified the banks. I’m not saying you’re wrong but how would my browser/PC “know” other account holders’ Usernames?

The big bank I go through has this issue: capitalization doesn’t matter, no special characters allowed, and you’re limited to no more than 12 characters in a password. Mentioned this to their support personnel, they are aware of this and embrace it because they offer “…you will be covered for 100% of funds removed from your accounts in the unlikely event that someone you haven’t authorized removes those funds through our Online Services.”

I hate this.

Even worse is the password policy of a major Canadian bank, where they allow you to use both letters and numbers, but then convert all the letters to the corresponding number on the telephone keypad.
