3

My bank's internet banking site enforces a pretty weird policy: it does not allow you to set a password that has anything but digits in it. The only reason I can imagine is that they are using not an industry-standard password hash function like say SHA-256 but some silly homebrew replacement that works only on digits. Does anyone have a better explanation? Mine is somewhat frightening, security-wise.

sigil
  • 139
  • 5
  • 8
    Possibly because the same password has to be entered from some devices that only have a keypad, not a full keyboard? (phone? ATM?) (Not justifying their policy, just hypothesizing a reason.) – user4556274 Jul 28 '16 at 14:11
  • Maybe because the system that manages this is an old mainframe designed back when the internet didn't even exist? – André Borie Jul 28 '16 at 14:30

2 Answers2

8

They are most likely considering all forms of user input (and need the password to work via other modes such as at an ATM or via phone touch-tone) and therefore limit it to just numbers. Of course the only way to be sure is to have them answer this question, but the scenario is not uncommon with banks that have consolidated remote banking functions onto one platform.

Edit: I remember a question very similar to this on SE (I think it was here in security) but searching isn't finding what I am looking for... Anyone else recall?

Jeff Meden
  • 3,966
  • 13
  • 16
  • 1
    This one: http://security.stackexchange.com/questions/124682/is-a-6-digit-numerical-password-secure-enough-for-online-banking ? I've found several that have a similar topic. – hamena314 Jul 28 '16 at 14:33
  • @Jeff Meden Your answer implies that my bank is doing a thing even worse than using a silly password hash function: they have my password stored server-side in plaintext. As the comments to the other question you mentioned say, it's plain funny that the companies supposed to have the best IT security in the world in reality have the worst. – sigil Jul 28 '16 at 18:16
  • 2
    @sigil why would my answer imply that? Their choice to limit character set because of input method compatibility has no bearing on their storage choice (although to be honest most banks use two way encryption for everything, a secure if not as ideal method to hashing) – Jeff Meden Jul 29 '16 at 12:51
1

I can imagine is that they are using not an industry-standard password hash function like say SHA-256

On a side note, be aware that general purpose cryptographic hash functions like SHA or MD5 are not designed for password hashing. They are actually pretty bad at it, no matter how many output bit it produces.

Further reading: How to securely hash passwords?

Up to date summary (+ code implementation): How to safely store password in 2016

Note: I should have posted that in the comments section but I can't since I'm not 50 reputation yet.

ATo
  • 316
  • 1
  • 5