Terrifyingly Weak Online Banking Password Requirements

Hi All

Anybody else concerned with how low the requirements are for some banks' passwords?

Recently swapped banks to Suncorp Bank with a new home loan, but I am shocked at how low the password requirements are while at the same time they preach password safety ("6 tips to creating a secure password"). The thing that gets me the most is a max of 8 digits.

While I have done everything I can to protect myself including 2fa, surely the majority would not have done this.

Password requirements:

Must be between 6 and 8 characters and can contain letters, numbers or both
Will be case sensitive so check your caps lock
Can't contain special characters (eg. $%&#) or spaces
Can't be your Customer ID
Can't contain consecutive numbers (eg. 123456)
Shouldn't contain part of your name, date of birth, drivers licence or anything that would be in your wallet

Anybody else have similar experiences with banks?

edit: spelling

Comments

  • +3

Yes. I too had Suncorp and complained to them that their passwords are shit. I moved away from them to fix the issue.

    • +1

Stuff like this you don't realise until you're already signed up :/ Their entire internet banking section after you login looks like it hasn't been touched in over 15 years.

      • +1

These password requirements are generally by design; they force you to have different passwords to other sites. I have worked fraud for a different bank with similar flimsy looking password requirements and have never seen someone "guess" or brute force the password. Heaps of other ways they get in, but never due to the password requirements.

      • Yep!
        fyi: read the reviews on the 2fa app of theirs. If you swap phones you may have a headache.
        Fortunately my suncorp was only a loan account with no amounts in the offset.

  • +6

I like Up bank’s approach. No username or password. It only works on the phone associated to the account. If you lose the phone, then you need the recovery key.

    • The app itself is amazing tbh.

  • +2

    Online Banking? What is that?

    I wear a mask, and drive to the bank each day - daily exercise! :)

    • Sawn off shotty in my hand gives me an upper body workout, and a different branch each time so I don’t get bored. Very lucrative, although the staff are never pleased to see me.

      • +1

        aaahhhh ahahhaha - when you do the runner on your way out… it's your 100mt sprint? :)

      • IKR! Two years ago, whenever I walked into a bank wearing a mask, they never looked very pleased and I always had awkward questions to answer. Now when I walk in without a mask they call the cops! Can't win!

  • +3

    While I have done everything I can to protect myself including 2fa, surly the majority would not have done this.

    I haven't and don't call me Shirley.

    • +1

      left myself open to that one

    • +7

Actually the word he was looking for was “surely”; all he is doing at the moment is being bad tempered.

  • LOL they make enough money to compensate all of you who use weak passwords.

On a serious note, change banks or disable internet banking. If you only have a home loan and an account used for the home loan, it is the best way.

  • +7

    Westpac is 6 characters and no special characters (just uppercase and numbers). Not sure why these super weak passwords are still a thing today especially for your bank when things like Hungry Jack's and KFC make you do 8+ characters with uppercase, number, and special character…

  • +7

    At a guess their back end database systems (and transports between) simply can't handle the special characters.

    Could still be using COBOL Alphanumeric/Group for storing your password.. shudders….

    • +2

      You got it in one, Westpac's backend is archaic.

  • -1

HSBC also bad.

Oh well… reminds me that we live in Australia… it's the culture thing… laid back.

  • +3

    It might be nearly 'terrifying' if they allowed unlimited attempts at guessing the password, but they always have a small limit on the number of unsuccessful attempts before locking the account (so it's almost impossible to get in just by guessing).

    There needs to be a balance between "ease of use" and security.

True, there are limited attempts online, but poor practices here could be the same elsewhere; if somebody got access to the database with the hashed passwords, the attempts would be unlimited.

  • +6

The reason there is a max length is that behind everything is an old 80s mainframe system, which probably can't cope with longer passwords.

    • +2

      Banks in 2021 should be using one-way hashes for passwords. There’s literally no good explanation for these failures. They know better and should take security seriously.

      • There’s literally no good explanation for these failures.

        The explanation is $$$. People can argue if that's a good explanation or not, but it's the reality. As I mentioned below, it has been cheaper to put alternative security methods in place and maintain the legacy systems than to upgrade them, despite the security risk that they are. However things are now changing, partially driven by the RBA.

        It's not just banks either. This was the state of play for many government organisations as well. Centrelink was still delivering the majority of its payments via Mainframe systems until very recently (the last two years or so), and many of the Justice Departments (Police and Courts) around the country were the same - still using systems from the 80s or earlier.

  • +1

    Must be between 6 and 8 characters and can contain letters, numbers or both
    Will be case sensitive so check your caps lock

This can accommodate 218,340,105,584,896 password combinations and can take up to 7 years to generate.

Your account is safe as long as you don't use abcdefgh or 12345678 as a password.

    • +5

      7 years?? What are you using, an Arduino?

      Besides, rainbow tables are easily created and/or downloaded. I was brute forcing hashes of school accounts 15 years ago; make no assumptions your account is in fact safe

      • Did you have access to the public key before you started the hack?

        • +3

We just downloaded the password hash database directly from the server and worked at it during lunchtimes. As I recall, passwords under 8 characters were hashed in a different manner on Win2k, so it was easy to see which longer passwords to avoid. Pentium IIIs could only work so fast.

          Turns out it's generally also as effective to phish someone or raid backpacks for written passwords… But as an introvert they were not my preferred avenues of exploit.

  • +2

    Just checked St George, 8-12 characters, alpha-numerical only, no symbols.

    My CBA password on the other hand is 16 characters long and includes symbols.

EDIT: CBA requirements:

    Your new password:

    must be between 8 and 16 characters long
    must contain both letters and numbers
    must be different to your previous 5 passwords
    should not contain a recognisable part of your name or your date of birth
    must not contain your NetBank client number
    can contain most characters except <>^`{}~=

CBA aren't messing around; according to the webpage, this generated password ufM!V,6:q%]b#wNk is weak. LOL.

Lol… I will kill for an 8 digit

    Westpac:

    6 characters, including at least 1 number and 1 letter
    no more than 2 repeating or consecutive characters
NO special characters

    At least it's the same as my other banking passwords as they are a minimum of 8.

    • Westpac is one of the worst offenders. I ditched them for this and issuing me statements with another customer’s transactions. Absolutely incompetent.

  • +3

Relevant article by HIBP author: https://www.troyhunt.com/banks-arbitrary-password-restrictio…

    As others have said it's because the banks are still running systems from the 80s and it's cheaper for them to compensate (or, the cynic in me says, blame you and not compensate) than upgrade their systems.

    I personally would much prefer that banks (looking at you too Qantas) allow a decent size password (say 64 or 128 characters) and not have these ridiculously short limits or PINs, however the password length is not the only thing standing between you and your accounts. They have loads of other more sophisticated security measures, including lockouts after 3 incorrect attempts, TFA, and more that they are unlikely to disclose. Doesn't matter how quick you can brute force if you only get 3 guesses out of 62^8 before it's game over.
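As an added worked example (not code from the thread or from any bank), the arithmetic behind the 62^8 figure quoted above and the online-lockout versus leaked-hash comparison made in several replies, for the policies posted in this thread. The guess rates, the 3-attempt lockout and the CBA alphabet size are assumptions.

```python
"""Keyspace and guessing budgets for the bank password policies quoted in the
thread. Added example, not the thread's or any bank's code: the guess rates,
the lockout count and the CBA alphabet size are assumptions."""
import math
# (min_len, max_len, alphabet size). 62 = a-z, A-Z, 0-9 as the posts describe;
# CBA allows "most characters except <>^`{}~=", taken as 95 printable ASCII - 8.
POLICIES = {
    "Suncorp": (6, 8, 62),
    "Westpac": (6, 6, 62),
    "St George": (8, 12, 62),
    "CBA": (8, 16, 95 - 8),
    "ING access code": (4, 4, 10),
}
SECONDS_PER_YEAR = 365.25 * 86400

def keyspace(min_len, max_len, alphabet):
    """Passwords a policy permits, summed over all allowed lengths. An upper
    bound: extra rules such as 'no consecutive numbers' only shrink it."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))

def online_success_probability(space, attempts_before_lockout):
    """Chance a random online guesser wins before lockout, assuming a uniformly
    random password and no phishing or reuse (the thread's real worry)."""
    return attempts_before_lockout / space

def offline_crack_years(space, guesses_per_second):
    """Worst-case years to exhaust the space once the hash database has leaked:
    no lockout applies, only hash throughput limits the attacker."""
    return space / guesses_per_second / SECONDS_PER_YEAR

def implied_rate(space, years):
    """Guess rate a claim like 'takes up to 7 years' implies for that space."""
    return space / (years * SECONDS_PER_YEAR)

def summarise(attempts_before_lockout=3, guesses_per_second=1e9):
    """Per-policy entropy in bits, online odds and offline crack time."""
    out = {}
    for name, (lo, hi, alpha) in POLICIES.items():
        space = keyspace(lo, hi, alpha)
        out[name] = {
            "bits": math.log2(space),
            "online_p": online_success_probability(space, attempts_before_lockout),
            "offline_years": offline_crack_years(space, guesses_per_second),
        }
    return out

if __name__ == "__main__":
    for name, row in summarise().items():
        print(name, f"{row['bits']:.1f} bits", f"online p={row['online_p']:.1e}", f"offline {row['offline_years']:.4f} y")
```

The 7-year claim for 62^8 works out to roughly a million guesses per second, which is why the offline case at a more realistic hash rate collapses to days; the online case stays negligible because the lockout, not the password, bounds the guesser.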

Banks hate updating software systems; they like to keep them as ancient as possible…

More accurately, banks would get slammed by shareholders for upgrading IT systems unless absolutely necessary. And at the end of the day, they are evaluated on their profitability (via the proxy of their share price) rather than the security and newness of their IT systems.

As long as there is 2FA and IP tracking I'm good.

SelfWealth sadly doesn't have that (IP tracking).

  • Why do banks do that, short passwords? Is there a lot more work for someone if you make the limit say 20 characters, all special characters ok, rather than 8 characters only alphanumeric?

    • Old mainframe systems that can't handle longer passwords

  • Shouldn't contain part of your name, date of birth, drivers licence or anything that would be in your wallet

    Here's part of the problem - they're more concerned that someone with your wallet is going to log into your account, rather than some (insert-country-of-the-month here) hacker. Whilst the wallet → password concern is legitimate, I'd be more concerned about said hacker brute forcing my weak 8-character password.

    • +1

But they block your account access after usually 3-5 incorrect tries (plus other measures which I won't even pretend I know). Then you have to phone them up or go into a branch to regain access. The probability of brute forcing a password in 3 guesses from 62^8 possibilities is vanishingly small.

Phishing and social engineering are a much more legitimate concern.

      • It concerns me that calling them up on the phone is considered the ultimate level of security that allows you to bypass the password anyway.

        • 100%! Absolutely ripe for phishing. Just like the Apple iCloud leaks of a few years ago…

ING use an access code instead of a password - 4 digits, yep, just 4 single numbers from 0 to 9.

    • They are pretty hot on irregularities though. They blocked me after I bought 3 Oculus games in separate transactions within 15 minutes.

Mostly irrelevant because you're not going to brute force a password through any decently designed website; same reason why your old banking PIN codes were only 4 digits: the machine will eat your card after a few incorrect attempts.
