
My question is already partially answered here. However I would like to know if the answer would be any different considering the following circumstances:

When logging into a banking website the username box is accidentally clicked when typing the password so the latter half of the password is appended to the username before being submitted.

Considering that the website is a banking website, and that not the whole password is revealed, if something like the above scenario happened, although it would probably be advisable to change the password, would I get away with not doing so?

  • Did you actually hit login after this, or did you discover your error before that and corrected it? – Anders Sep 17 '16 at 16:03

2 Answers


If you submitted the login form (i.e., clicked "Login" button) then you should probably change the password as it could potentially show up in their webserver logs.

If you did not submit the form and simply typed it into the text box on the page, then deleted it (assuming no one was looking over your shoulder), you should be OK: regard the action as a whoops and move on.

HashHazard
  • This assumes the site doesn't use JavaScript to carry the value back to the server despite not having submitted the form. Lots of sites do that now. – Eric Sep 18 '16 at 06:15
  • @Eric JS on a login page is probably fine (for making sure the pw field isn't blank, etc.). I think you're referring to AJAX calls, which if found on login screens -to carry partially completed username/pass fields *back to the server*- would be suspicious. Easy to verify using a proxy though. – HashHazard Sep 18 '16 at 15:09

The important thing to remember about online banking fraud is that you are not liable. Even if you get phished and accidentally give away your PIN or other information, your liability is still capped at $50, by law (assuming you report the fraud in a timely fashion).

The reason banks go to such great lengths to protect your account is not to protect you from loss; it is to protect the bank from loss. Most financial institutions have what is called a "risk department" that examines their online offerings and ensures that their products do not expose them to inordinate risk. They are also required to conform to a ton of regulations such as PCI-DSS and FDIC.

Now, whether your user name information (which in your case contains part of your password) is logged depends on how they have programmed their web site. In the vast majority of cases, logging and auditing records are carefully redacted and secured, so that only limited personnel will ever be able to see whatever it is you have typed in. Things like PINs and credit card numbers are almost certainly redacted before they are logged. And most (but not all) banks treat the user name as private information, meaning that it will get redacted too.

Even if someone gets ahold of your password, your account is probably protected by a second factor of authentication, including out-of-band. And even if someone gets past all of that, high-risk transactions, such as external transfers (which is how someone could steal money), are often protected by complex risk analysis and "step up" authentication. Even if a hacker used the right user name, password, secret answer, and somehow spoofed your out-of-band authentication, the transaction will still be refused or held over in an audit queue if, for example, it has a suspicious IP address, or comes from a browser with an unfamiliar fingerprint, or if the transaction processor detects a lot of transactions all going to one place.

Now... back to your question... should you change your password? Well, it certainly couldn't hurt. However, if I accidentally leaked part of my password into my user name field, I wouldn't think twice about it honestly.

John Wu
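Both answers turn on whether the username field reaches the server's logs. The following is an added example (not code from either answer or from any bank) showing the one way it commonly does, a username sent in a URL by a GET form or a JavaScript "check this username" call, together with a redacting filter of the kind the second answer describes and an audit check for entries that were logged unredacted. The log lines, the `/api/check_user` endpoint and the parameter names are constructed for the example.

```python
# Added example: redacting sensitive form fields out of access log lines and
# auditing a log for fields that slipped through. All names and log entries
# below are constructed; they are not from a real banking site.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Field names whose values must never be logged in clear text (assumed names).
SENSITIVE = {"username", "user", "password", "pin", "answer"}

# Matches the request line inside a combined-format access log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def redact_url(url: str) -> str:
    """Replace the value of every sensitive query parameter with [REDACTED]."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = [(k, "[REDACTED]" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query=urlencode(pairs, safe="[]")).geturl()


def redact_log_line(line: str) -> str:
    """Redact the request target of one access log line; other lines pass through."""
    m = LOG_RE.search(line)
    if not m:
        return line
    return line[:m.start("target")] + redact_url(m.group("target")) + line[m.end("target"):]


def leaked_fields(line: str) -> list:
    """Audit check: sensitive parameters still visible in clear text in a log line."""
    m = LOG_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return sorted({k for k, v in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE and v != "[REDACTED]"})


# Constructed sample entries. The first is a username check sent by GET, so the
# tail of a password typed into the wrong box ("jsmith" + "w0rd") is logged; the
# second is a normal POST login, whose form body never appears in the access log.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Sep/2016:16:03:11 +0000] "GET /api/check_user?username=jsmithw0rd HTTP/1.1" 200 51',
    '203.0.113.7 - - [17/Sep/2016:16:03:20 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(leaked_fields(entry), "->", redact_log_line(entry))
```

Running the audit over an existing log shows which entries already hold clear-text field values; only applying the redaction at write time keeps them out in the first place.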