  1. #1 DoubleDee

    Giving Clue of Password?

    What do you think of this...

    A friend of mine told me the other day that his bank gave out a hint of his Account Password.

    Specifically, the customer service rep told him what his Password started with.

    Is it just me, or is that an insanely stupid policy?


    Debbie

  2. #2 DaveMaxwell
    Somehow I doubt that's a corporate policy - probably a rep trying to be "helpful". It's probably even borderline illegal. I would suggest that your friend contact the bank and share his concerns, and remind them how much of a security breach they're opening up if they're giving hints on passwords without authenticated identification procedures (like face to face communication with photo identification).

  3. #3 DoubleDee
    DaveMaxwell wrote:
    > Somehow I doubt that's a corporate policy - probably a rep trying to be "helpful". It's probably even borderline illegal. I would suggest that your friend contact the bank and share his concerns, and remind them how much of a security breach they're opening up if they're giving hints on passwords without authenticated identification procedures (like face to face communication with photo identification).
    Here is the funny thing...

    He complained to a manager, and the manager said, "That is the bank's policy to give the first letter out as a hint."

    Crazy, right?

  4. #4 DaveMaxwell
    I'd be looking for a new bank.....

  5. #5 DoubleDee
    DaveMaxwell wrote:
    > I'd be looking for a new bank.....
    I agree.

    It's sad that companies and Corporate America are so complacent when it comes to security... *sigh*


    Debbie

  6. #6 DaveMaxwell
    DoubleDee wrote:
    > It's sad that companies and Corporate America are so complacent when it comes to security... *sigh*
    There's complacent and there's reckless. That's something my 11-year-old would know not to do....

  7. #7 Force Flow
    DoubleDee wrote:
    > What do you think of this...
    >
    > A friend of mine told me the other day that his bank gave out a hint of his Account Password.
    >
    > Specifically, the customer service rep told him what his Password started with.
    >
    > Is it just me, or is that an insanely stupid policy?
    I'd be concerned that the password was stored in plaintext rather than hashed or encrypted. They should not be able to read off your stored password at all.

  8. #8 ParkinT
    My bank has a sophisticated multi-part authentication system for the login online. That is rather common.
    What *really* impresses me though, is that whenever I phone their Support, they transfer me to a Telephone Interface to the same authentication system. I am then transferred back to the representative and they have access to my account but never know my logon credentials!

  9. #9 felgall
    Force Flow wrote:
    > I'd be concerned that the password was stored in plaintext rather than hashed or encrypted. They should not be able to read off your stored password at all.
    I agree. The bank shouldn't even know what your password is. That they do indicates that they have taken the completely wrong approach to password storage and it is only a matter of time before someone works out how to dump the entire account/password list.

    The way they are storing passwords, a lot of people have access to find out what your password is and so could use it to access your account even if the entire list wasn't broadcast to the world.

  10. #10 DoubleDee
    felgall wrote:
    > I agree. The bank shouldn't even know what your password is. That they do indicates that they have taken the completely wrong approach to password storage and it is only a matter of time before someone works out how to dump the entire account/password list.
    >
    > The way they are storing passwords, a lot of people have access to find out what your password is and so could use it to access your account even if the entire list wasn't broadcast to the world.
    This was for my friend's credit card.

    I believe when you call in, and the Cust Service Rep asks for your "Account Password"...

    In that case, the Reps obviously have to see it.

    But why would the bank have a policy of giving you a hint like, "It starts with a 'T'..."

    That is insane!!


    Debbie

  11. #11 Stevie D
    DoubleDee wrote:
    > I believe when you call in, and the Cust Service Rep asks for your "Account Password"...
    >
    > In that case, the Reps obviously have to see it.
    Not necessarily – there's no reason why they couldn't use the same kind of password authentication system that you have when entering your password onto a website. They ask you for your password, you give them your password, they type it into their computer, magic happens, and the computer tells them whether the password was right or wrong. They don't need to be able to see what your password is ... while there is ostensibly no harm in them being able to see your password, given that you're going to tell them what it is (hopefully!), the fact that it is stored in a readable plain text format means that it is potentially hackable. If it's encrypted with a one-way hash so that all they can do is check that you've given a right or wrong password, that should be a whole lot safer and less open to naughtiness.

    DoubleDee wrote:
    > But why would the bank have a policy of giving you a hint like, "It starts with a 'T'..."
    How about ... because they recognise that most people have hundreds of passwords, and expecting you to remember which one you used on a service where you probably don't have to give the password for years at a time is not necessarily a good strategy. Getting a hint like that could easily be enough to remind you which password you used, without being enough to allow someone else to guess it.

  12. #12 DoubleDee
    Stevie D wrote:
    > Not necessarily – there's no reason why they couldn't use the same kind of password authentication system that you have when entering your password onto a website. They ask you for your password, you give them your password, they type it into their computer, magic happens, and the computer tells them whether the password was right or wrong. They don't need to be able to see what your password is ... while there is ostensibly no harm in them being able to see your password, given that you're going to tell them what it is (hopefully!), the fact that it is stored in a readable plain text format means that it is potentially hackable. If it's encrypted with a one-way hash so that all they can do is check that you've given a right or wrong password, that should be a whole lot safer and less open to naughtiness.
    That idea has its merits.


    Stevie D wrote:
    > How about ... because they recognise that most people have hundreds of passwords, and expecting you to remember which one you used on a service where you probably don't have to give the password for years at a time is not necessarily a good strategy. Getting a hint like that could easily be enough to remind you which password you used, without being enough to allow someone else to guess it.
    I totally disagree on this one.

    How would you like it if Amazon.com or Gmail displayed a message saying, "Your account password begins with 'T'..." ??

    No way!


    Why not do what you have online and have "Challenge Questions"?

    Or why not make it so people can key in their responses without the Rep seeing anything? (Not sure if you would have collisions if you used your phone keypad to type in things like 'Grand Canyon'...)

    Sincerely,


    Debbie

  13. #13 Rubble
    I totally agree with Steve; there needs to be some way to interact with the staff to prove who you are on the phone. My bank asks me things like what is the second letter of your password etc. but it was only a couple of years ago that they wanted mother's maiden name etc.

    I had a problem once and the guy on the other end of the phone gave me a hint and I remembered the password straight away.

    I wonder how many words and names there are in the English language alone that start with for instance T? I think the member of staff you are talking to might suspect you do not know the password after a couple of mistakes.

    Perhaps you could give the bank your telephone number to keep on file and they could phone you and give you a new password if you forget it.

  14. #14 Force Flow
    Stevie D wrote:
    > Not necessarily – there's no reason why they couldn't use the same kind of password authentication system that you have when entering your password onto a website. They ask you for your password, you give them your password, they type it into their computer, magic happens, and the computer tells them whether the password was right or wrong. They don't need to be able to see what your password is ... while there is ostensibly no harm in them being able to see your password, given that you're going to tell them what it is (hopefully!), the fact that it is stored in a readable plain text format means that it is potentially hackable. If it's encrypted with a one-way hash so that all they can do is check that you've given a right or wrong password, that should be a whole lot safer and less open to naughtiness.
    I *never* give my passwords out. If I have to verify an account by giving a password over the phone I would certainly not do that. What's stopping the person from recording or remembering my password and getting into my account later?

    Or, what about those kinds of people who use the same password for everything? It's easy enough to find out if a person has accounts anywhere else, and use the recorded/remembered password somewhere else.

    Giving out a password over the phone is not a secure method. The password is therefore no longer secure.

    A better method is being able to choose some sort of PIN (of an appropriate length) that is only accessible by logging into your account. Then you can give that number to the phone rep to verify. No need to give up your password.

  15. #15 DoubleDee
    Force Flow wrote:
    > I *never* give my passwords out. If I have to verify an account by giving a password over the phone I would certainly not do that. What's stopping the person from recording or remembering my password and getting into my account later?
    Agreed.


    Force Flow wrote:
    > Or, what about those kinds of people who use the same password for everything? It's easy enough to find out if a person has accounts anywhere else, and use the recorded/remembered password somewhere else.
    Yep!


    Force Flow wrote:
    > Giving out a password over the phone is not a secure method. The password is therefore no longer secure.
    Yep.


    Force Flow wrote:
    > A better method is being able to choose some sort of PIN (of an appropriate length) that is only accessible by logging into your account. Then you can give that number to the phone rep to verify. No need to give up your password.
    You lost me on this one...


    Debbie

  16. #16 Force Flow
    DoubleDee wrote:
    > You lost me on this one...
    Namecheap, GoDaddy, SurpassHosting, and HostDime all do this (if you are familiar with any of them).

    It's like I explained - there is a PIN stored in your account settings. Then, while on a phone call, you give your name, account number, and this custom PIN to the support rep, which verifies you as the owner of the account.

  17. #17 ParkinT
    Force Flow wrote:
    > I *never* give my passwords out. If I have to verify an account by giving a password over the phone I would certainly not do that. What's stopping the person from recording or remembering my password and getting into my account later?
    Let's not forget that the person to whom you are speaking already has complete access to your account anyway. They really don't need your password to mess with your affairs. Hopefully, there is a solid logging process to audit who did what when.
    Force Flow wrote:
    > Or, what about those kinds of people who use the same password for everything? It's easy enough to find out if a person has accounts anywhere else, and use the recorded/remembered password somewhere else.
    Now THAT is a real problem. Of course, I could argue that it is a people problem and not a "technical" one.

    I actually wrote a blog post on this subject almost a year ago (my VPS was hacked and I recently reinstated my personal blog using Ghost).

  18. #18 DoubleDee
    Force Flow wrote:
    > Namecheap, GoDaddy, SurpassHosting, and HostDime all do this (if you are familiar with any of them).
    >
    > It's like I explained - there is a PIN stored in your account settings. Then, while on a phone call, you give your name, account number, and this custom PIN to the support rep, which verifies you as the owner of the account.
    Sorry, but I'm still not sure I follow you...

    Are you saying that if a person is able to successfully log in to their online account and get the PIN, they have been sufficiently authenticated so that when they give the PIN to the phone rep, it proves they are the rightful account holder, but that the phone rep knowing the PIN is okay?

    But what is the difference between the Rep seeing your password and seeing your PIN in plain-text?

    There is no difference!


    -------
    BTW, to rewind for a second...

    At the beginning of this thread, I stated that my friend *called* his bank about his credit card, and the phone rep gave out the first letter of his password.

    I think that is a bad idea, and several people here agree with that.

    But as far as it being a bad idea that the phone rep can see your password in plain-text, I have to ask this...

    Most banking phone reps can see:
    1.) Full Name
    2.) Billing Address
    3.) Last 4 of your SSN
    4.) DOB
    5.) Mother's Maiden Name (maybe)
    6.) Other sensitive info


    All of that is displayed in plain-text on their screens as well.


    If you, or whoever brought it up, thinks that letting a phone rep see your "password" in plain-text is a bad idea, then by that logic, a phone rep shouldn't be able to see things like #3 - #6, right?

    And to your point above, they should not be able to see your PIN.

    See the contradiction?

    All of this security stuff is a trade-off, I suppose. But what caught my attention was the fact that a phone rep would help you figure out what your "secret code" is?!

    I trust that a banking phone rep has been properly vetted, and so they have to be able to see some of your private info. But to give out that info to someone who has not been authenticated - or who even has been authenticated - is a horrible idea.

    It's one thing to say, "Your secret code is your pet's name" and quite another to say, "Your password begins with a 'T'..."

    Anyways, this is an interesting discussion!

    Sincerely,


    Debbie

  19. #19 wwb_99
    One big thing to remember is banks have been using account passwords since they were counting with abacuses and recording the books on clay tablets. The security there isn't so much provided by strong locks but rather by policies and procedures precluding the possibility of ongoing fraud. Everything is recorded multiple times in multiple ways by multiple people and reconciled.

    Now, years ago you only needed a password to deal with your bank or your broker so the whole "oh that CSR now has my password to my Facebook" angle wasn't prevalent in years past. But your money is much safer with the bank than with most other institutions as they have strong rules and traditions making it so.

  20. #20 felgall
    In every situation where passwords have been stolen - either from a bank or some other company - it has only been possible because they store the password in plain text.

    Hashing passwords provides two benefits - first there is no plain text copy to be stolen and second there is no limit on how long someone's password can be as all hash to the same length.

    Anywhere that can either provide hints as to your password or which limits password length is storing them as plain text and so the passwords can and eventually will be stolen.

    Even having other sites that store passwords as plain text lessens the security of banks when people are silly enough to use the same password for both sites.

  21. #21 Force Flow
    DoubleDee wrote:
    > Sorry, but I'm still not sure I follow you...
    >
    > Are you saying that if a person is able to successfully log in to their online account and get the PIN, they have been sufficiently authenticated so that when they give the PIN to the phone rep, it proves they are the rightful account holder, but that the phone rep knowing the PIN is okay?
    >
    > But what is the difference between the Rep seeing your password and seeing your PIN in plain-text?
    >
    > There is no difference!
    A PIN is not a password, so technically, the support rep can't do a whole lot with it outside of the organization's walls.

    They might not actually see it, and instead just type it and see a yay or nay response.

    Granted, the rep could call in from the outside and authenticate using the information and pin you gave over the phone, but it's more traceable and the call is recorded, so there's a higher probability of actually being caught than from using a random computer on an open WiFi connection to access the account using the account's password.

  22. #22 DoubleDee
    felgall wrote:
    > In every situation where passwords have been stolen - either from a bank or some other company - it has only been possible because they store the password in plain text.
    >
    > Hashing passwords provides two benefits - first there is no plain text copy to be stolen and second there is no limit on how long someone's password can be as all hash to the same length.
    >
    > Anywhere that can either provide hints as to your password or which limits password length is storing them as plain text and so the passwords can and eventually will be stolen.
    >
    > Even having other sites that store passwords as plain text lessens the security of banks when people are silly enough to use the same password for both sites.
    I agree with everything you are saying.


    Debbie

  23. #23 coloradojaguar
    It is very interesting to see the varied methods of password storing and retrieval. There doesn't seem to be an industry standard even when it comes to banking. I'm really surprised that so many have indicated that it is considered OK for a first letter to be passed. Isn't that what the secret question is for? The giant password and user info hacks that popped up these past few months should have everyone on heightened alert when it comes to protecting your sensitive information. Unless some standard of security is implemented across retail and banking systems then more thefts of sensitive information will only continue.

  24. #24 ParkinT
    coloradojaguar wrote:
    > The giant password and user info hacks that popped up these past few months should have everyone on heightened alert when it comes to protecting your sensitive information. Unless some standard of security is implemented across retail and banking systems then more thefts of sensitive information will only continue.
    That is an excellent point and, perhaps, an opportunity for someone [here?] to introduce a "Technology Solution" to this problem. We know that as time goes on the problem will only grow larger and more unruly.

  25. #25 TechnoBear
    My online banking requires you to register five pieces of information (such as first school, memorable name, etc.), and logging in requires sort code, account number and one of these items, picked at random. (That's for my personal account. My business account requires a one-time passcode generated with an electronic gizmo.) For telephone banking, none of the five items is used; instead, a four-digit PIN is required. For the automated system, you enter sort code, account number and PIN; if you then want to speak to an actual person, they will again ask for sort code and account number, then two random digits from your PIN - meaning they don't have access to the entire PIN and can't use it later.
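    The two designs argued over in this thread side by side, as an added Python example that is not code from the thread or from any bank: Stevie D's "rep types it in, computer says right or wrong" check and felgall's hashing argument (#11, #20) against the partial-secret challenges of "second letter of your password" and "two random digits from your PIN" (#13, #25). The store classes, account labels, sample secrets and PBKDF2 iteration count are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import secrets

# Constructed illustration, not code from the SitePoint thread or any bank.
# Two ways a support desk can check a caller's secret:
#   HashedStore  - the rep keys in the caller's answer and gets only yes/no
#                  (Stevie D's "magic happens" design, felgall's hashing case);
#                  no "starts with T" hint can be produced from what is stored.
#   PartialStore - the system keeps the secret itself so it can ask for
#                  "digits 2 and 4" (TechnoBear's telephone PIN) or hand out
#                  a first-letter hint; the rep never sees the whole secret,
#                  but a dump of the store exposes every one of them.

PBKDF2_ITERATIONS = 210_000  # assumption: set per your hardware budget


class HashedStore:
    """Keeps only salt + PBKDF2-HMAC-SHA256 digest per account."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def enroll(self, account: str, secret: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)
        self._records[account] = (salt, digest)  # any length of secret fits here

    def verify(self, account: str, attempt: str) -> bool:
        """All the rep's screen shows: True or False."""
        salt, digest = self._records[account]
        candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(candidate, digest)

    def hint(self, account: str) -> None:
        """Nothing on file to derive a first letter from."""
        return None


class PartialStore:
    """Holds the secret in readable form: the price of partial-secret challenges."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}

    def enroll(self, account: str, secret: str) -> None:
        self._records[account] = secret

    def hint(self, account: str) -> str:
        """The "it starts with a T" hint from the thread: only possible here."""
        return self._records[account][0]

    def challenge(self, account: str, k: int = 2) -> list[int]:
        """Pick k distinct 1-based positions the caller must reveal."""
        n = len(self._records[account])
        return sorted(secrets.SystemRandom().sample(range(1, n + 1), k))

    def verify_partial(self, account: str, positions: list[int], answers: str) -> bool:
        """Rep keys in the digits the caller gives for those positions; sees only yes/no."""
        secret = self._records[account]
        if len(answers) != len(positions):
            return False
        expected = "".join(secret[p - 1] for p in positions)
        return hmac.compare_digest(expected.encode(), answers.encode())

    def dump(self) -> dict[str, str]:
        """What a leaked database yields: every secret, readable (felgall's point)."""
        return dict(self._records)


if __name__ == "__main__":
    hashed = HashedStore()
    hashed.enroll("card-1", "Tangerine42")          # constructed sample secret
    print(hashed.verify("card-1", "Tangerine42"))   # True
    print(hashed.hint("card-1"))                    # None
    partial = PartialStore()
    partial.enroll("card-2", "7391")                # constructed sample PIN
    asked = partial.challenge("card-2")
    print(asked, partial.verify_partial("card-2", asked, "".join("7391"[p - 1] for p in asked)))
```

    The partial scheme does protect the secret from the rep on the line, but not from anyone who can read the store, which is the exposure felgall describes.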

