Sunday 21 August 2016

Banks and passwords


The situation with banks and their outright horrible password policies never ceases to amaze me, especially when those policies control such a huge amount of money or, even worse, people's identities. Granted, the situation here isn't as bad as some horror stories I have heard from the other side of the pond (read: mainly from the US, where username-and-bad-password without any second factor of authentication seems to be way too common), but it's still annoying here too.

Take my bank, for example (no, I won't name it). They have a user name (a random string of letters and numbers they assign to you) and a password you can choose yourself. On top of that, there is a one-time password from a printed list that they send to me. In general, a pretty safe system, as that one-time password prevents you from doing anything with just the user/pass combination (including, somewhat unfortunately, many credit card purchases from local web shops - I don't carry that list with me, so that's a bit of an annoyance, especially when making travel arrangements for work).

But back to passwords. My chosen password originally had 9 characters. The password page says that the maximum length is 8 characters, but either that isn't enforced or the policy changed since I picked it. The change might've been when they did a major system overhaul at one point due to SEPA - which is damn great, I can send money to anyone within the SEPA area at literally zero cost!
 
This same overhaul brought the ability to use Paytrail for online shopping. It essentially allows you to pay directly from your bank account with a direct transfer, which is pretty nice since not all people have credit cards. Here, however, things went wrong.

To pay with Paytrail you have to enter your banking credentials along with a one-time code during the checkout process. And for some f'ed up reason this will fail horribly if your password has more than 8 characters. And not in a good way - my payment ended up in some kind of limbo where I couldn't tell what had happened, except that the payment failed. At the bank's end all was good; at the recipient's end, however, I had used a significant discount code that was consumed even though the payment eventually wasn't successful. It took some time to straighten things out. But I wasn't exactly happy about this, and figuring out why things failed took a while longer as the password problem wasn't exactly apparent - the payment just failed for no apparent reason. And I could use the same password to log in to the bank itself with no problems.

Eventually someone was able to point out the reason and I changed the password to 8 characters; no problems since, but really now, this is friggin' 2016. An 8-character password is nothing to most password cracking tools. I'd expect the banking system to allow longer passwords - even if the account is protected by the one-time code on top of that.
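The failure mode described above, as an added example (constructed here, not the bank's or Paytrail's code): two code paths apply different length rules to the same password, so a 9-character password logs in fine and then fails at checkout. The policy values and path names are assumptions; the point is the audit that flags such divergence and the per-path verdict that names the reason instead of failing opaquely.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_len: int
    max_len: Optional[int] = None   # None: no upper bound is enforced

    def reject_reason(self, password: str) -> Optional[str]:
        """None if the password is accepted, else a human-readable reason."""
        n = len(password)
        if n < self.min_len:
            return f"shorter than {self.min_len} characters"
        if self.max_len is not None and n > self.max_len:
            return f"longer than {self.max_len} characters"
        return None

    def describe(self) -> str:
        hi = "unbounded" if self.max_len is None else str(self.max_len)
        return f"{self.min_len}..{hi} characters"


# Constructed policies mirroring the post: the login page states an 8-character
# maximum but does not enforce it, while the payment-gateway path does.
POLICIES: Dict[str, PasswordPolicy] = {
    "bank_login": PasswordPolicy(min_len=6),
    "payment_gateway": PasswordPolicy(min_len=6, max_len=8),
}


def audit_policies(policies: Dict[str, PasswordPolicy]) -> List[str]:
    """List every pair of paths whose accepted length ranges differ. Any
    difference means some password is accepted on one path and rejected on
    another, which is exactly the limbo described in the post."""
    findings = []
    for a, b in combinations(sorted(policies), 2):
        if policies[a] != policies[b]:   # dataclass equality compares the fields
            findings.append(f"{a} accepts {policies[a].describe()}, "
                            f"{b} accepts {policies[b].describe()}")
    return findings


def probe(password: str, policies: Dict[str, PasswordPolicy]) -> Dict[str, str]:
    """Per-path verdict for one password: 'ok' or the explicit reason, which is
    what a failing checkout should report instead of a bare 'payment failed'."""
    return {name: pol.reject_reason(password) or "ok" for name, pol in policies.items()}


if __name__ == "__main__":
    for finding in audit_policies(POLICIES):
        print("policy mismatch:", finding)
    print(probe("abcdefghi", POLICIES))   # 9 chars: ok at login, rejected at gateway
```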

As a tangential side note, the banking situation in the US is simply astonishing to me. People are still using checks? Oh, I vaguely do remember my parents using those, back in the 80s. The damn things have been antiques for some three decades now. For just about anything that doesn't need face-to-face interaction, national bank transfers have been so easy and free (yes, completely free) for ages now (and now, with SEPA, that goes for most of Europe). Absolutely no one expects, for example, rent to be paid with anything other than a bank transfer. Cashier's checks, however, I have used a few times, for things like buying a house or a car (carrying a massive amount in cash doesn't feel exactly safe, never mind the funny feeling of having a suitcase full of cash), but personal checks... Come on now, this is the 21st century, not medieval times!


