The Poor State of Online Banking Passwords

It's been time for me to change my passwords for a while. I believe in good password security, but I also know that I need to have a sane number of passwords if I will have any hope of remembering them. To that end, I have a couple of different 'category' passwords. I have:

  • secure financial password - used for banking sites and the like
  • secure non-financial password - used for sites with secure login that are important, but not financial. flickr, for example.
  • insecure password - used for mailing lists, http-only logins, throw-away sites
  • personal password - laptop unlock
  • work password - all things employer-related
  • PGP key passphrase
  • ssh key passphrase

That list is already longer than a coherent memory can handle, especially since all my passwords are more random than not (such as Hm.t8U%$[1]). So I keep them in a PGP-encrypted file just in case.

Anyway, the time came to change them, and I started with the laptop password, then the work password, then the secure financial password. pwgen is a godsend, btw. The laptop and work email changes went fine, and I started in on the financial passwords. I was using pwgen -y 9 to create candidates (mixed case, numbers, and symbols, 9 characters long) and then fiddling with them a bit, adding or removing characters, changing one here or there. I came up with a good candidate and started changing passwords.

Then I came to Discover's website. "Sorry, that password is invalid," it says. What company in their right mind uses some password hash so broken that it can't handle punctuation in the password?! I mean, seriously! Are you having people hand-transcribe them or something? Maybe I shouldn't use confusing characters like 1 vs. l either, huh? Idiots. Anyway, I change it around, strip out the punctuation, and add a character to make up for it. Alright, carry on.

A few more go by and then comes American Express. Here are their requirements (straight from their website):

  • Contain 6 to 8 characters - at least one letter and one number (not case sensitive)
  • Contain no spaces or special characters (e.g., &, >, *, $, @)
  • Be different from your User ID and your last Password

WTF is up with 6-8 characters?! Really? What, are you using some archaic version of crypt that still only supports passwords of 8 characters? ... wait a minute. IT'S NOT FUCKING CASE SENSITIVE?!?! Amex, I know you're all old-school with your 'only rich people use amex' and the whole no-limit amex black cards thing but it's not cool to be old-school with website security.

Last in the set of FAILed banking sites comes Smith Barney. They also prohibit symbols, and add one more requirement. Your password must start with a letter. Why, oh God of Security, Why?!?!

Ok, fine. Now my list of passwords has increased yet again:

  • standard financial password
  • financial password with no special characters that starts with a letter
  • short alphanumeric password for broken sites from the last century
Why is it that the web sites for which security should be the highest priority are the slowest to adopt (what seem to me to be) standard password / passphrase heuristics? A good password should be at least 6 characters long (recommend at least 8 and preferably 10+) and choose 3 of the following:

  • have lower case letters
  • have upper case letters
  • have numbers
  • have symbols / punctuation

Note - I said 'choose 3 of the following'. If you always require all of them, that *also* reduces the space of the password set! (of course, any restrictions reduce the password set, but choosing three at least encourages good password choice.)
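To make the "choose 3 of 4" point concrete, here is an added example (my own code, not from the original post) that checks a candidate against that heuristic and, by inclusion-exclusion, counts how many passwords each policy allows, so the Amex rules (6-8 chars, letters and digits only, not case sensitive) can be compared against 10+ chars with 3 of 4 classes. The class sizes assume the 95 printable ASCII characters.

```python
import string
from itertools import combinations
from math import log2

# Character classes over printable ASCII (26 lower, 26 upper, 10 digits, 33 symbols).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def count_exact(sizes, n):
    """Strings of length n using every listed class at least once (inclusion-exclusion)."""
    k = len(sizes)
    total = 0
    for r in range(k + 1):
        for subset in combinations(sizes, r):          # combinations is index-based, so
            total += (-1) ** (k - r) * sum(subset) ** n  # duplicate sizes are handled
    return total


def count_policy(classes, lengths, min_classes):
    """Passwords allowed when at least min_classes of the given classes must appear."""
    names = list(classes)
    total = 0
    for n in lengths:
        for r in range(min_classes, len(names) + 1):
            for chosen in combinations(names, r):
                total += count_exact([classes[c] for c in chosen], n)
    return total


def bits(count):
    """Search space expressed as bits of entropy (log2 of the number of passwords)."""
    return log2(count)


def char_classes(pw):
    """Set of character classes present in a candidate password."""
    present = set()
    for ch in pw:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        elif ch in string.punctuation:
            present.add("symbol")
    return present


def meets_heuristic(pw, min_len=8, min_classes=3):
    """The post's rule: at least min_len characters and at least 3 of the 4 classes."""
    return len(pw) >= min_len and len(char_classes(pw)) >= min_classes


# Amex: 6-8 chars, case-insensitive letters plus digits, one of each required.
AMEX = count_policy({"letter": 26, "digit": 10}, range(6, 9), 2)
# Recommended: exactly 10 chars, any 3 of the 4 printable-ASCII classes.
RECOMMENDED = count_policy(CLASSES, [10], 3)
```

Running `bits(AMEX)` gives roughly 41 bits, while `bits(RECOMMENDED)` is over 65, so the length and class rules alone separate the two policies by more than 24 bits of search space.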

p.s. Can I tell you how hard it is to find the 'change password' link on some of these websites?! OMGWTFBBQ! I should just give up. But I won't. I'm kinda stupid like that sometimes.

[1] Note - not an actual password of mine. pwgen ftw.


Jeska said...

That is terrifying about AmEx.

PacketU said...

The state of internet banking passwords is appalling. I stumbled across this article after finding that many of my passwords are not case sensitive. I posted my conversations with five banks over at PacketU.