We'd lose our security certificate if we allowed pasting

Same goes for Virgin Mobile (at least here in Australia), which ALSO requires you to only use numbers. Last week they forced me to change my password due to an "important change" - ascending or descending numbers were not allowed anymore. I guess they had a look at their plain text password database and realized that 99% of their users used 123456.

Edit: Australia seems to be using the US system: http://www.bitdefender.com/security/hacking-virgin-mobile-us...

6 characters for a bank password?! Get a better bank!

It's unbelievable how bad the password policies of some banks are. Mine doesn't allow special characters, for example. Fortunately it does allow longer passwords at least.

Financial company I use apparently shares the same password between their web site and their automated phone system. So in addition to a max length of 10 or 12, you can't use anything non-alphanumeric since you wouldn't be able to enter it with a phone keypad.

Also rules out stored a hashed password, too. Terrible idea all around. (Edit: ok, I guess they could convert the PW to the phone key version when initially setting the PW, and then store both the hashed text PW and hashed phone key PW. So not "rules out". I just doubt they do it.)

> My hypothesis is that this is a technical limitation due to the password being stored as a char(6) in their database.

and legacy security policies/requirements that have not undergone any update.

I've worked on a project that touched banking passwords in the past and in a push for modern password requirements (which was met....somewhere in the middle), the response was that since the number of attempts was so restricted (and claims about whatever security/fraud engine they were using), the risk caused by the restrictive passwords were essentially negated.

From a security perspective, how true is this? I'm genuinely looking to be educated. It did seem like a reasonable measure to prevent a bruteforce attack, but I'm not sure if I'm missing anything

I would be very interested to hear a first-hand account from the developer who gets the requirements and has to actually build in these types of password restrictions. Did you object? Does anyone recognize how absurd it is?

My bank (TD Canada) used to have this policy. Luckily it changed.

However, they didn't tell me (or anyone) so I've been telling everyone I know to update their password to be longer.

My bank enforces a six character limit and the passwords aren't even case sensitive. But, brace yourself to feel safe - they make me answer a security question (in this case, "What high school did you go to?"

They made a (record) four billion dollar profit last year, so this strikes me as security designed by someone with an MBA and a spreadsheet. I'd be upset, but, I've been stupid enough to keep doing business with them...

I believe this is to allow alternate inputs of data, like "fill in the 2nd, 5th and 6th character" or special keyboards in ATMs, like "Press the arrow that contains the 1st letter of your password"

But yeah, it's stupid

Very likely to be a legacy back-end system. Doesn't excuse it at all, but that's one I've seen limit banking systems in the past either in password length, complexity or case sensitivity (I've seen some systems automatically upcase passwords without telling you 'cause the back-end is case insensitive)

That could well be it. My bank enforces similar short passwords, but they're not such a big security risk since they lock the account after three mistakes, and require you to visit a branch in person to reactivate it.

I guess that means they're wide open to denial of service attacks, but that's another story.

> stored as a char(6)

Try PIC X(6).

Or they have a web front end that goes over to an old mainframe.

PCI compliance requires we change our login passwords every two months. This to me seems to just encourage users to create insecure passwords and sticky notes with them written down somewhere in/on their desk.

Put yourself in their shoes though. The people at the top don't really understand security, other than the vague "only the right people should have access to stuff" requirement.

I think the problem is that the people in charge of making decisions are gun-shy. Because of their inability to properly evaluate the security itself, it's also very difficult for them to properly evaluate people telling them what the security system should look like, and they've been burned by bad decisions in the past, so they take the "lalalala do nothing" approach and hope for the best. From their point of view, it's a perfectly reasonable approach to the problem.

maybe this loud PR thing will go up to the people in charge and stuff could be actually resolved at the root? Or maybe it will just be forbidden to tweet about internal policies in the future for security reasons, NSA cover style.

Thank you! I get amazed every time the internet freaks out because XYZ Company confirms "blah", when in reality, it's just a single service rep, who probably just wants to get you off of the phone.

As if blocking pasting actually stops brute force attachs... Can still just write a script that repeatedly makes those HTTP(S) requests. They accomplished nothing except annoy their more technically advanced users.

Do they think a brute force attack is done by someone copy-pasting in passwords?

The reason is irrelevant - there is no reason why you should do this.

Then they should clear the clipboard via JavaScript when submitting the login form, not prevent pasting of the password. Password managers are simply too much of a win to block.

Clearing the clipboard would be annoying for people who commonly copy a bunch of text out of a document, log in to their bank, and then paste the text somewhere else, but I suspect this is a rare workflow for most people.

I did work for a very security-minded HR outsourcing company on an html site to be used on a public kiosk and we also disabled paste via javascript for the same reason - to prevent a user from being able to paste in a previous user's password at the same terminal.

Good advice. On a public computer you really don't want people accidentally leaving their password in the cut buffer for the next user to find.

That was probably to prevent SQL injection, right?

The last bank backend I worked around was composed of several interacting systems, written 30 or 40 years ago in COBOL, which ran batch jobs overnight and communicated with each other by writing files to disk. We were strongly encouraged to get the format of the file exactly right, or the batch job in question wouldn't run and nobody would be able to sort it out until morning. Passwords weren't involved but, if they had been, I am quite sure they would have been stored verbatim.

So, two problems: multiple interacting systems, which means you can't just fix one, you have to fix all of them; and lots of legacy code. Versus: there would certainly be quite a lot of pain to implement a new system, and the old one appears to be working.

> ... stupid password requirements; max lengths ...

> ... if they are hashing the passwords in any form then it doesn't matter how long the password is ...

Max lengths aren't inherently stupid. Presumably no one thinks 250MB password submissions should be handled, so you will be picking some number (possibly imposed on you by your stack).

Well, it's not like my card is hooked up to the internet for everybody to try and log in.

PIN isn't particularly vulnerable to brute force anyway, as number of failed authorisation attempts is strictly limited to something like 3, and a fraudster has to risk capture by being physically present at each attempt or 'trying out' a stolen card, and having their face recorded on cameras.

I haven't seen any advantages for using 6-digit or larger "passwords" for that particular scenario. The largest practical security benefit seems to come from enforcing random PINs and not allowing to choose - since the banks that allow to choose are vulnerable to "dictionary attacks" of trying the user's birthday (obvious from other stuff in a stolen wallet) and stuff like 1234.

Now, checking "signature" instead of chip&pin, now that's an example of blind trust.

Cards are way different. They combine something you have (the card) with something you know (the PIN). After three false attempts to enter the PIN you have to unlock the card going a different route. In such a scenario, 4 digits are fine.

You can't lock accounts only protected by a password and accessible by anyone (via internet) this way as this would invite for Denial-of-Service attacks (locking your account with three failed attempts).

It's secured by a four digit password and self destruction after three consecutive invalid PIN entries. Which is plenty secure against brute force. Or is that just the way it works around here?

Mine is 10 digits. I thought the 4 digit limit was just a societal assumption? (I'm being serious, I thought it was (near) universally allowed to be longer, people just didn't bother.)

Is this not the case?

No, limited transactions on your bank-account are secured by a physical token (i.e., your debit card) and a 4 digit "password".

Your card is not a service to be secured, it's part of multiple layers of security (that don't end with the code or the card).

Losing passwords is bad because they get reused. 4-digit pin not so much, debit card is basically the only thing that uses it.

The standards allow for up to 12. Not that people always implement them properly, but that's what you're supposed to support if (like me at the moment) you make credit-card terminals.

You get contact-less now which doesn't need any pin at all, just tap the card on the machine and your purchase is complete.

Disabling pasting requires disabling JavaScript in a real end-user browser with an end-user who doesn't know how to un-disable pasting.

Never trust the client['s computer]. Disabling pasting is trusting the client's computer. Security in depth ends where the Internet starts.