Westpac Only Allows Password with 6 Characters

I opened a kids account with Westpac. The system only allows 6 character passwords, no less, no more, and nowhere does it suggest MFA. Is this just for kids accounts? Surely adult accounts they would allow very strong passwords?? A 6 char limit is terribly insecure and could be compromised in minutes. I rang the bank and they just said it is what it is. Not really comfortable putting savings into an account with a 6 char password.

Comments

  • +3

    But 'password' is 8 characters long. Dang!

    • +8

      I just use 'passwo' to save me time

      • +6

        'asswor'

  • +13

    It’s the same for adult’s accounts too.

    Westpac is a crap bank. Ditch them and move on.

    • +4

      Can confirm. Been with them since 2008 and it was like that when I joined.

    • +1

      ING is a good bank, but same story, 4-digit PIN for logging in, even worse.

    • I only kept Westpac for its rewards - discounted movie tickets and JB Hifi corporate discount.

  • +1

    OzB4Me
    123456
    PSSWRD

    • +10

      none of these are holdenmgs ozbargain log in password

    • +1

      Please learn what a Karen actually is before misusing the term again in the future.

  • I use ING Direct which has an even simpler password system but I haven't heard of any issues (excluding phishing, etc.)

  • +11

    LOL this comes up so often and people screech about it being brute forced.

    1. You get locked out after X number of incorrect tries so very unlikely you'll guess it.
    2. How often do you hear about bank passwords being compromised without it being the customer being phished etc and actually providing the password?
    3. The bank is insured for a reason and there are strong regulatory reqs and intervention if the bank was at fault.

    Now look at it from the bank's perspective, how often do people forget passwords, PINs etc and have to call up or reset the password? Way too often already and if it's more complex it's more likely and therefore costs the banks more to run customer service etc.

    • +5

      how often do people forget passwords, PINs etc and have to call up or reset the password?

      Obviously you’ve never been a Westpac customer. Their requirements are so ridiculous it’s very unlikely that any password other than a custom Westpac one will be okay; hence it’s actually more likely to be unique & require password reset.

      This still does not justify the ridiculous limitations on a password which should be stored as a hash. Yet it isn’t. Let me hear you justify that one.

      Insurance isn’t a good reason to neglect information security either. How many of us are invested in this (shit) company through superannuation indirectly?

      • "… should be stored as a hash. Yet it isn’t."

        What are you basing this on?

        • Is it salted too?

        • Same… how are you telling their back end password management doesn't use hashes, from your interaction with their front end web interface?

    • -3

      Too many IT experts here. Six-character passwords are fine.

    • Also I guess you do need 2FA to pay new payees or change contact details and PINs, passwords etc. Do agree it's a stupid arbitrary password limit anyway.

    • Passwords should be allowed to be as long and complex as a user wants. Yes, they may have to ring up and reset, but a customer will understand if they forget; they will not understand if their bank account is drained.

      While they may be insured, if your bank account is cleaned out and you need funds it's not like you get your money back straight away; there will be an investigation, then a claim and THEN you will get your money back. And let's be honest, banks and insurance do not work fast to give you money, so this could be months.

      • How many instances where an Australian bank has been hacked (bank fault) and the customer was left screwed over?

        • I actually just watched one where 1 couple lost 100k in a scam with Mac bank and they're not getting refunded. The hacker transferred money to their offset account then rang them and got them to give out codes, so it was a double hack: one on the bank and one in social engineering.
          They were told they would not be getting a refund.

          • @Not SkyNet: That's not in Macq bank though? How was Macq bank hacked in that case?

            • @Unorthodox: Not sure, it was not disclosed, but you said "How many instances where an Australian bank has been hacked (bank fault) and the customer was left screwed over?" so I just gave a recent example.
              It should not matter if it's reimbursed, given the inconvenience and risk involved; anyhow, security should not be overlooked.

              • @Not SkyNet: But in that case the bank wasn't hacked.

                The customer gave out their credentials.

                • @Unorthodox: Not for the 1st part, where they transferred money from one of their accounts into the offset allowing so much to be taken.

                  • @Not SkyNet: I did a quick Google search

                    https://www.9news.com.au/national/bank-scams-australia-sydne…

                    Was this it? If so, it's very different to what you've said and very clearly a mistake by the customers.

                    • @Unorthodox: No, that's not it, but let's stop muddying the water with these and stick to facts.
                      1. A password policy of maximum 6 characters with no 2 factor is not acceptable. Any rep who thinks it is ok or makes excuses for it has no idea about security.
                      2. If you do get scammed and you possibly get refunded, it will not be immediate, meaning you could be without funds when you need them.
                      3. Not all scams will get you refunded.
                      4. Westpac customer service is terrible.

  • +7

    A 6 char limit is terribly insecure and could be compromised in minutes.

    And how many times are you allowed to try before it locks?

    Exactly.

    • +2

      So it’s okay to have shit password requirements provided there’s account attempt lockout?

      What about Westpac obviously storing passwords in clear text rather than hashes? Going to excuse that too?

      • So it’s okay to have shit password requirements provided there’s account attempt lockout?

        What is the probability of getting a six digit/number password right within 3, 4 or 5 tries?

        There has to be a balance between 'ease of use' and 'security'. If they make it too difficult, you'll have stacks of people on hold or in the branch trying to reset their password. It's not someone sitting in the backyard coming up with the way these passwords should work. The bank has teams of specialists on this and dedicate stacks of resources developing this kind of thing. I'm not saying that they always get it right, but I'd say that they'd be pretty close.

        • Again, they’re obviously not hashing passwords. How is that okay for a bank in 2023?

          The probability of a correct guess in 3-5 attempts isn’t the only way an account can be compromised. As has been demonstrated time and time again.

          • +1

            @kipps: How is it obvious that they aren't hashing the password ?

  • +3

    As said above, you aren't brute forcing a banking password which has limited retries before account lockout.
    Even without the complexity of special characters or mixed case, it's still over 2 billion combinations with just a 6-character password length.

    (But yes, it's poor form to have a hard coded limit like that and it doesn't encourage the kind of password uniqueness and complexity that online accounts should strive for.)

    • -1

      Don’t excuse a financial institution not using hashed passwords in 2023. Much less one that contributed to sex crimes against minors. This bank is broken. Make them change.

      • +6

        Much less one that contributed to sex crimes against minors

        Insert Anchorman "well that escalated quickly" meme

  • +1

    Still not as bad as a Qantas account which is limited to a 4 digit pin!

    • Qantas has required SMS auth in addition to that 4 digit PIN every time I’ve tried to login with no saved cookies.

  • +2

    Mickey
    Minnie
    Donald
    Daffy
    Pluto
    Goofy

  • So, from your 6 character password, there are at a minimum 2,176,782,336 different combinations if you're just using letters and numbers (excluding upper/lower case variants). Don't use dictionary words or anything tied to account details (i.e. birth date or year) if you want to make it hard for them to "guess" it.

    • So about three seconds of processing power to match on a rainbow table.

      If the passwords are this insecure then there's no way the database is salted, and if that ever leaks your accounts could be emptied in seconds. Set up an AutoHotKey script or similar and dump each account in a matter of minutes.
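The keyspace figure above and the lockout argument earlier in the thread, worked through as an added example (not from any commenter or from Westpac): it computes the keyspace and entropy for the policies the thread mentions and contrasts online guessing under an attempt lockout with offline cracking of a leaked unsalted or plaintext table. The policy table, the 5-attempt lockout and the 1e9 guesses/second rate are assumed round numbers, not published parameters.

```python
import math

# Constructed policy table from the thread: (alphabet size, fixed length).
# 36 = digits + one-case letters, 62 = digits + both cases, 95 = printable ASCII.
# All values are assumptions for illustration, not vendor-published parameters.
POLICIES = {
    "6 alphanumeric, case-insensitive": (36, 6),
    "6 alphanumeric, mixed case": (62, 6),
    "4-digit PIN": (10, 4),
    "11 printable ASCII": (95, 11),
    "16 printable ASCII": (95, 16),
}

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password under this policy."""
    return length * math.log2(alphabet_size)

def online_hit_probability(alphabet_size: int, length: int, attempts: int) -> float:
    """Chance that `attempts` distinct random guesses (before lockout) hit a
    uniformly chosen password. Only meaningful while lockout is enforced."""
    return attempts / keyspace(alphabet_size, length)

def offline_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to find a password by exhausting half the keyspace, which is
    what a leaked plaintext or unsalted-hash table exposes every account to."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second

def compare(attempts_before_lockout: int = 5, guesses_per_second: float = 1e9) -> dict:
    """Per-policy figures: keyspace, entropy bits, online hit chance, offline time."""
    out = {}
    for name, (alphabet, length) in POLICIES.items():
        out[name] = {
            "keyspace": keyspace(alphabet, length),
            "bits": round(bits_of_entropy(alphabet, length), 1),
            "online_p": online_hit_probability(alphabet, length, attempts_before_lockout),
            "offline_s": offline_seconds(alphabet, length, guesses_per_second),
        }
    return out

if __name__ == "__main__":
    for name, f in compare().items():
        print(f"{name:34s} keyspace={f['keyspace']:.3g} bits={f['bits']:5.1f} "
              f"online p(5 tries)={f['online_p']:.1e} offline={f['offline_s']:.3g}s")
```

The online column is what lockout protects; the offline column is what only proper salted, slow hashing protects, which is why the two arguments in the thread are about different threats.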

  • +5

    the password must contain at least one of each of the following-
    1) one uppercase letter
    2) one lower case letter
    3) one numeral
    4) one symbol
    5) one zodiac sign
    6) one emoji
    7) one earth element

  • +2

    400 years to brute force hack an 11 character pw with upper and lower case with symbols. That should be sufficient until hackers get quantum computers. I've been using 16 characters for many years, which is a bit of a pain if you can't autofill or copy and paste in some situations.

  • +3

    If you hack my Westpac account, you have to pay my Mastercard on time.
    (them's the rules). lol

  • Not surprised.

  • +4

    ING Bank: Hold my drink.

    (ING bank only accepts a 4-digit password with no MFA available.)

    • I think it’s ok as long as you protect your user ID? Agreed still unsafe.

      • I would like to think so, but the user ID is also a string of digits. Sadly I'm still sticking with them for their interest rate.

        • Same 🥹🥹🥹

  • +3

    Recently, I went through the exact same panicky moment when trying to set up online banking for my new Westpac account.

    Troy Hunt explains that it's not THAT bad as we would imagine. (Some of the earlier comments in this post reflect similar arguments.) https://www.troyhunt.com/banks-arbitrary-password-restrictio…

  • +2

    Westpac only allows 6 characters, a mix of letters and numbers and no special characters allowed. Surely this is inadequate for a password in this day and age of cyber security.

  • +1

    Yeah, the average bank/financial institution has worse security than the average internet forum.

  • +1

    Does password complexity matter when hackers can just download the excel file containing everyone's logins?

  • So wot.

  • +1

    I recently went and updated the passwords on all my accounts (like all my online accounts). It is annoying how varied the policies are.

    Some don't allow spaces, some have restrictions on repeated characters, some have policies on the words themselves. It's very frustrating.

    Some allow 2FA, others don't.

    There should be a published standard for passwords and all companies must abide by it. Like PCI for passwords.

  • ? You're not going to get hacked based on 6 as opposed to 11 characters; it's other methods they will use.

  • -1

    Come on, Karen, 6 is plenty! Use a combo of letters, numbers, and special characters.

    • +2

      No special characters allowed unfortunately, just numbers and letters.

  • +4

    Bringing up an old thread, but Westpac are finally bringing more than six-character passwords:

    Some of our customers have shared they want to set longer and more complex passwords. In the coming months, you'll be able to set a new password that can be up to 30 characters and include numbers, letters, upper and lowercase and special characters

    • Is the update from an email or website?
