1

I have just discovered that I can log in to my bank with passwords that are not mine.

Example:

My password is "1234" but I am authorized with all possible trailing characters. For example "12345" or "12341234" will authorize me.

Also note that my password was assigned to me by the bank (four digits) and the login is a normal HTML form (username input type text / password input type password).

Why would any bank design such an auth protocol, and is this something I should worry about?

AviD
user35356
    Can you clarify what function you are logging into with this 4 digit passcode? Getting money from an ATM using a 4 digit PIN is generally accepted, but logging into online banking with a 4 digit passcode seems a lot riskier. – Rory Alsop Dec 09 '13 at 12:57
  • `if (input.substring(0,5).equals(password)) return true; else return false;` Sounds like a misunderstanding of the term "sanitize inputs". – oldmud0 Nov 13 '16 at 02:43

3 Answers

3

The meta question on whether you trust your bank is not answerable here :-)

However the core question is answerable:

Is accepting further characters after my password is matched good practice?

If they have a fixed 4 digit passcode, then they will just be truncating at 4 and dropping the rest - which means it won't affect your security at all.

To actually find out whether they are truncating, you'd need to ask the bank.

Rory Alsop
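To make the truncation behaviour described in this answer concrete, here is an added illustration (not code from the question, the answers, or any bank): a hypothetical reconstruction of a check that keeps only the first four characters of the input, beside a corrected check that requires the whole input to match. The stored passcode "1234" is the constructed sample from the question.

```python
import hmac

# Constructed sample: a bank-assigned four-digit passcode, as in the question.
STORED_PASSCODE = "1234"


def truncating_check(entered: str, stored: str = STORED_PASSCODE) -> bool:
    """Hypothetical reconstruction of the observed behaviour: only the
    first len(stored) characters of the input are compared, so anything
    typed after them is silently ignored."""
    return entered[: len(stored)] == stored


def strict_check(entered: str, stored: str = STORED_PASSCODE) -> bool:
    """Corrected check: the whole input must equal the stored value.
    compare_digest also rejects length mismatches without leaking, via
    timing, how many leading characters happened to match."""
    return hmac.compare_digest(entered.encode("utf-8"), stored.encode("utf-8"))


def suffixes_wrongly_accepted(stored: str, suffixes) -> list:
    """Return the suffixes that the truncating check lets through when
    appended to the real passcode; the strict check accepts none of them."""
    return [s for s in suffixes if truncating_check(stored + s, stored)
            and not strict_check(stored + s, stored)]


if __name__ == "__main__":
    for attempt in ("1234", "12345", "12341234", "123", "4321"):
        print(f"{attempt!r}: truncating={truncating_check(attempt)} "
              f"strict={strict_check(attempt)}")
```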
3

My bank is doing the same, except it's with 6 numbers rather than 4. They only allow 6 numbers as the online banking password.

Should you trust my bank after knowing that they truncate the inputted password? Well, I'd think that the bigger issue here is limiting the password to 4 characters.

The issue with trust is that it's something you have to judge. Do you think a 4 character password is enough to protect your financial information and/or the actions that can be performed through the online interface? (I don't). On the other hand, my bank implements a two-factor authentication login and an aggressive login-throttling mechanism which, in my opinion, slightly compensates for the weakness of the password.

Since your question is opinion-based, but with good merit, I'll summarize my answer by stating my opinion: I wouldn't trust a bank with such authentication system as your bank's.

Adi
1

Fixed length, non-changeable passwords are very weak, and therefore a bad idea for a banking site. This is why banking regulators across the globe are mandating the use of strong passwords for online banking, strong generally meaning 8 characters minimum with at least one upper case and one numeric character (this is what the auditors seem to be looking for, the regulators don't typically specify what "strong" means). In fact, most regulators are pushing for some sort of 2 factor authentication, either using a token or some sort of "remembered information".

In areas where banking regulation is not strong many banks still have poor password security, and your bank sounds to be one of those. To answer your specific questions:

  • Why would a bank design such an auth protocol: because it is very easy to set up, and they are not required to do any better. Implementing a better system will cost them money which they are loath to spend.
  • Is this something I should worry about: Yes, it shows that your bank either doesn't have the skill, or doesn't have the motivation, to do better. Neither would inspire me with confidence, and I would be looking for a better place to put my money if it were me.
GdD
  • Perhaps you can shed some light on [my question then](http://security.stackexchange.com/questions/86249/why-do-some-bank-websites-use-passwords-that-are-not-case-sensitive). – MDMoore313 Apr 17 '15 at 13:18