More Stupidity From Hungarian Banks

I tried to log into my OTP account today with my browser.

The bank has changed their web site and login.

And now the site limits passwords to a maximum of 8 characters. My password is longer. Could not login.

I have worked in IT for many years. And I know about security. There is no need for such a change. Limiting a password length is beyond stupid. Passwords should be stored hashed to a fixed length depending on the hash, so there is no need to limit the raw password length. Especially since just two extra characters beyond 8 can greatly improve security. The bank now even allows passwords as short as 6 characters, which with current computer power is potentially insecure for account access.

This is ridiculous and shows a complete lack of understanding of password security.

Either this change may indicate the bank is storing passwords in plain text, or else they hired incompetent programmers. Either reason is disturbing. So I cannot trust this bank's security.

Thus, I will be closing my OTP account.

Recommend others do the same if they use web based account access.

Are you saying that at OTP all you need to log in is username+password, no 2fa, or token device? Wow, that's stone age...

klsallee wrote:

I tried to log into my OTP account today with my browser.

The bank has changed their web site and login.

And now the site limits passwords to a maximum of 8 characters. My password is longer. Could not login.

I have worked in IT for many years. And I know about security. There is no need for such a change. Limiting a password length is beyond stupid. Passwords should be stored hashed to a fixed length depending on the hash, so there is no need to limit the raw password length. .....


That's completely dumb.  2FA is easily the way to go and well developed as a technology. No need for tokens as everyone has a smart phone these days.

But look at that guy Bill Burr who I believe was responsible back in 2003 for promoting using numbers instead of letters - e.g. replacing the E with a 3, A with a 4 etc.   If your password was say, "aardvarkelephantsnake", your password would be "44rdv4rk313ph4ntsn4k3".  That's easily breakable nowadays with brute force.

I was "laughing" at the iPhone X face unlock being broken by twins recently.  I wonder if it works for doppelgangers.

All banks have multiple ways to login.

But I said I was logging in with my browser today on my PC. Which I often prefer to do if I have a lot to do, as I do not personally like banking on a small screen. And that uses a three ID system including password as one method of login.

But that was not really my point, was it?

The point I was making was that the new default password system is a step backwards in security. Which leans toward me wondering about the security knowledge, or lack thereof, of the current bank IT managers and developers in general. That is, if you are going to offer password login, don't make it worse than it was before. And if one does, that, to me, is a potential insight into a maybe bigger inherent security problem.

fluffy2560 wrote:

If your password was say, "aardvarkelephantsnake", your password would be "44rdv4rk313ph4ntsn4k3".  That's easily breakable nowadays with brute force.


Actually, not necessarily.

There are combination methods, brute force, markov chain, rainbow tables, etc that can crack passwords, but brute force alone is not the ideal method to crack such a long password. A password that long almost always will require a combination of methods to crack. Even so, it is still not that easy. Possible, yes. Easy, no.

Also, while a computer can process billions of brute force attempts per second, to crack a password, most web sites by design slow down the password check process so that it is not practical to crack a password through a web site via brute force. One must have the hashed password on the same computer doing the cracking. Which is why hackers spend time not trying to crack into systems by brute force so much as using back doors, security holes, social conditioning, and other methods to steal the password hash lists. And it is on the hash lists that the most effective combination cracks can be applied.

Ergo, and if a company's IT personnel do not understand the basics of simple password security, I do not put much faith in the company having an overall secure network.

IMHO.
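Added example (not from klsallee's post): what "a combination of methods" looks like against the leet-substituted passphrase from the exchange above. Instead of brute-forcing 21 characters, the cracker concatenates dictionary words and then applies substitution rules (plain, a/e only, a/e/l/i, and a fuller set), in the style of a wordlist plus rules attack against a leaked, unsalted hash. The wordlist is a constructed eight-word stand-in for a real one, and SHA-256 is used as an arbitrary stand-in for whatever unsalted hash leaked.

```python
import hashlib
import itertools

# Constructed wordlist for the example; real attacks use lists of 10^5 to 10^8 words.
WORDLIST = ["aardvark", "elephant", "snake", "dog", "cat", "horse", "battery", "staple"]

# Substitution rules, tried in order of increasing "cleverness". The third one is
# exactly the 3/4/1 substitution from the passphrase in the thread.
RULES = [
    {},
    {"a": "4", "e": "3"},
    {"a": "4", "e": "3", "l": "1", "i": "1"},
    {"a": "4", "e": "3", "l": "1", "i": "1", "o": "0", "s": "5"},
]
TABLES = [str.maketrans(rule) for rule in RULES]


def leaked_hash(password: str) -> str:
    """Stand-in for an unsalted hash pulled from a breached database (assumption)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def candidates(wordlist, max_words):
    """Yield every concatenation of 1..max_words words under every rule."""
    for n in range(1, max_words + 1):
        for words in itertools.product(wordlist, repeat=n):
            base = "".join(words)
            for table in TABLES:
                yield base.translate(table)


def crack(target_hex: str, wordlist, max_words: int = 3):
    """Return (password, guesses_made) or (None, guesses_made)."""
    guesses = 0
    for guesses, cand in enumerate(candidates(wordlist, max_words), 1):
        if leaked_hash(cand) == target_hex:
            return cand, guesses
    return None, guesses


def candidate_count(wordlist_size: int, max_words: int) -> int:
    """Size of the combination search space, for comparison with brute force."""
    return sum(wordlist_size ** n for n in range(1, max_words + 1)) * len(RULES)


def brute_force_space(length: int, alphabet_size: int) -> int:
    return alphabet_size ** length


if __name__ == "__main__":
    target = leaked_hash("44rdv4rk313ph4ntsn4k3")
    found, guesses = crack(target, WORDLIST)
    print("recovered:", found, "after", guesses, "guesses")
    print("combination space:", candidate_count(len(WORDLIST), 3))
    print("brute-force space (21 chars, a-z0-9):", brute_force_space(21, 36))
```

The comparison in the last two lines is the whole argument: the combinator attack finishes in a few hundred guesses because the passphrase is built from dictionary words with a predictable transform, while pure brute force over 36^21 strings is hopeless. Length only helps when the characters are not predictable from a short list of words and rules.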

klsallee wrote:

But that was not really my point. Was it.


Just trying to get you to rethink this big issue of yours. Does the bank's login interface allow brute-forcing? (I.e. they don't lock your account after 3 failed attempts.) Don't they require anything other than the password to sign in and initiate transactions? Then your anger is warranted.

If not, you can still go ahead and waste your time closing one bank account and opening another one.

klsallee wrote:
fluffy2560 wrote:

If your password was say, "aardvarkelephantsnake", your password would be "44rdv4rk313ph4ntsn4k3".  That's easily breakable nowadays with brute force.


Actually, not necessarily.

There are combination methods, brute force, markov chain, rainbow tables, etc that can crack passwords, but brute force alone is not the ideal method to crack such a long password. A password that long almost always will require a combination of methods to crack. Even so, it is still not that easy. Possible, yes. Easy, no...


I was trying to keep it to a reasonable example because that's the kind of substitution algorithm that people use because it's easy to remember and apply.   

If it was me at the bank, I'd look for solutions based on the concept of the 3As - authorisation, authentication and accounting.   Per transaction would then be 3FA:  something you have (usually a smart phone - unique to the end user), something you know (password or keyword) and something you are (fingerprint for example).   Last bit is a pain but not impossible.

My primary concern these days is the type of social engineering attack that doesn't even involve machines but manipulating people.  Moreover, I am even more concerned by systematic internal fraud by colluding workers.  But to state the obvious, human beings have and always will be the weakest point in even the most well engineered systems.

Incidentally, I was surprised to hear today that Uber's CEO paid off hackers.  Amazing.

fluffy2560 wrote:

My primary concern these days is the type of social engineering attack that doesn't even involve machines but manipulating people.  Moreover, I am even more concerned by systematic internal fraud by colluding workers.  But to state the obvious, human beings have and always will be the weakest point in even the most well engineered systems.


Absolutely.

Because once the human element lets a hacker in, they grab the password hash table, if the passwords are so stored. And if those are stored in something like MD5 (yes, I know some databases that still use that and they need to be updated) then most 6 to 8 character passwords can be cracked in milliseconds. Even worse, if you remember the LinkedIn hack. Turned out their database did not even bother to hash the passwords, but kept them in plain text (an unheard-of security lapse).

And the other human element : A lot of people still use passwords, and they use the same passwords across multiple sites. No, not smart, but again, human nature. So businesses normally have to consider this. And a proper business is aware if they are a weak link, they can affect other businesses, or vice-versa, so usually try to not be the weak link.

Which is my thesis. And why one should not limit password length to 8 characters if they use passwords at all (and yes there are much, much better methods of security than passwords). Best practices should be upheld, especially for older technology. Not doing so is potentially problematic and may give a view into other potential problems with security protocols (i.e. see LinkedIn reference above). In other words, *if* one is going to put a steam train on the main line, one needs to pressure check the boiler and keep everything oiled properly, and not treat it like a more maintenance free modern electric engine. Because old technology can work fine in those places where it is appropriate, but if it fails, it really blows up big time and can cause a lot of collateral damage.
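Added example (not from klsallee's post): what "cracked in milliseconds" means for an unsalted fast hash. The block brute-forces an MD5 of a constructed short password on the spot, and then extrapolates, with assumed guess rates, how long an 8-character password over a 62-symbol alphabet survives against MD5 versus a deliberately slow KDF. The rates 1e10/s (MD5 on commodity GPUs) and 1e4/s (a tuned KDF) are order-of-magnitude assumptions, not measurements.

```python
import hashlib
import itertools
import string
import time

LOWER = string.ascii_lowercase


def md5_hex(password: str) -> str:
    """Unsalted MD5, the weak storage format the post complains about."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def brute_force_md5(target_hex: str, alphabet: str, max_len: int):
    """Try every string of length 1..max_len over `alphabet`. Return (password, tries)."""
    tried = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            tried += 1
            cand = "".join(chars)
            if md5_hex(cand) == target_hex:
                return cand, tried
    return None, tried


def measure_md5_rate(samples: int = 100_000) -> float:
    """Single-core Python MD5 guesses per second on this machine (GPUs do far more)."""
    start = time.perf_counter()
    for i in range(samples):
        md5_hex(str(i))
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(length: int, alphabet_size: int, hashes_per_second: float) -> float:
    """Worst-case time to try every password of `length` symbols at the given rate."""
    return alphabet_size ** length / hashes_per_second


if __name__ == "__main__":
    # Constructed target: the MD5 of a 4-letter lowercase password.
    target = md5_hex("bank")
    start = time.perf_counter()
    found, tries = brute_force_md5(target, LOWER, 4)
    print(f"recovered {found!r} after {tries} guesses in {time.perf_counter() - start:.2f}s")
    print(f"this machine, one Python core: {measure_md5_rate():,.0f} MD5/s")
    # Assumed rates: fast hash on GPUs vs. a properly tuned slow KDF.
    for label, rate in (("MD5 at 1e10/s", 1e10), ("slow KDF at 1e4/s", 1e4)):
        hours = seconds_to_exhaust(8, 62, rate) / 3600
        print(f"8 chars over 62 symbols, {label}: {hours:,.0f} hours worst case")
```

The extrapolation is the practical takeaway: at an assumed 1e10 MD5/s the entire 8-character space falls in hours, while a KDF costing 1e4/s turns the same space into centuries. Length and a slow, salted hash compound; neither is a substitute for the other.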

klsallee wrote:

.....
Because once the human element lets a hacker in, they grab the password hash table, if the passwords are so stored. And if those are stored in something like MD5 (yes, I know some databases that still use that and they need to be updated) then most 6 to 8 character passwords can be cracked in milliseconds. And the other human element : A lot of people still use passwords, and they use the same passwords across multiple sites. No, not smart, but again, human nature. So businesses normally have to consider this. And a proper business is aware if they are a weak link, they can affect other businesses, or vice-versa, so usually try to not be the weak link.

Which is my thesis. And why one should not limit password length to 8 characters if they use passwords at all (and yes there are much, much better methods of security than passwords). Best practices should be upheld, especially for older technology. Not doing so is potentially problematic and may give a view into other potential problems with security protocols. In other words, *if* one is going to put a steam train on the main line, one needs to pressure check the boiler and keep everything oiled properly, and not treat it like a more maintenance free modern electric engine. Because old technology can work fine in those places where it is appropriate, but if it fails, it really blows up big time and can cause a lot of collateral damage.


I'm also still seeing MD5 being utilised even though it was broken years ago.   The issue really is that people are still using legacy systems based upon ancient technology and no-one has the knowledge (or guts) to redo these applications.  There are sites where no-one knows how the machines work, never mind the software.  It also happens a lot that the original programmer has died and left no notes or instructions.    No discipline or governance.

Anyway, if I remember correctly even the DES standard used in ATMs has now been broken.  DES itself might be broken but in ATMs, they apply it 3 times (3DES) in hardware.  The latest standard guideline is PCI DSS.  The bank should know all this anyway.

8 characters is just rubbish.  Windows allows passwords up to 127 characters I believe.  It could be you can have a longer password at the bank, but they'll only use the first 8.   I reckon the best length is about 10 (since most of us non-mutants have ten fingers) so it's easier to quickly do a challenge-response system using your fingers (i.e. enter the 4th and 8th characters of your password).

oh, btw, when I started out using UNIX a zillion years ago, I worked on a few variants where the passwords were in plain text in /etc/password.   The only way to stop people reading them was to use permissions.

atomheart wrote:

If not, you can still go ahead and waste your time closing one bank account and opening another one.


It took 45 minutes to close the account at OTP, with the lethargic teller chit-chatting with her co-workers the entire time. I honestly thought I was caught in Zootopia.

Then it took less than 10 minutes to open a new account at Raiffeisen. Where the bank assistant was very professional.

For that reason alone, I am glad I switched. OTP has always been a drain on my time.

Sounds like the same reasons we quit OTP and went with Raiffeisen.
So far, so good. We have a forint and dollar account with them.
However, we keep our bank balances very low here, just enough to get by. For some reason we still trust our US bank more even if it is only being able to access them on line or by phone.

Raiffeisen is an interesting bank.  It's actually a cooperative.  The branches own the centre rather than other way around.   There were some doubts about them previously as they were overstretched in Eastern Europe.

No-one should worry too much about European bank failures - EU rules say they must guarantee your deposits up to 100K EUR (each person if a joint account).  That's probably higher than the US system.  If you have more than that, the scheme is per bank, so the answer is just open multiple accounts - one at each of other banks.