Banking solutions with weak passwords

  • Last Updated: Oct 3rd, 2014 10:53 am
[OP]
Deal Fanatic
Jul 17, 2008
9570 posts
2442 upvotes

Is anyone else concerned that some banking/credit union institutions have weak password requirements?

For example, some banking/credit unions I deal with have passwords that accept only 8 characters (no more than that), or they don't accept any special symbols, just alphanumeric. For example, ING (not sure how Tangerine is) was only 6 characters.

When I phoned one of these institutions which I often bank, they told me that unfortunately that's what their provider offers...

How do you guys feel about only being able to have passwords that are 6 or 8 characters, and/or restrictive characters (only numeric, or alphanumeric, no special characters)?
26 replies
Deal Fanatic
Jun 3, 2006
8215 posts
3345 upvotes
Markham
It's to do with saving costs. Saving a 6-byte varchar or int is much cheaper than a longer string.
Deal Addict
Feb 2, 2011
1605 posts
258 upvotes
Ottawa
ToniCipriani wrote:
Oct 1st, 2014 1:23 pm
It's to do with saving costs. Saving a 6-byte varchar or int is much cheaper than a longer string.
Storage wise, it's not much different. I can't understand what "costs" they are talking about.
Deal Addict
Jan 4, 2009
3780 posts
1618 upvotes
on the links
Messerschmitt wrote:
Oct 1st, 2014 1:20 pm
For example, some banking/credit unions I deal with have passwords that accept only 8 characters (no more than that)
8?? I'd be happy with 8. Both my BMO and Tangerine accounts only have 6.

I think the most stringent one I had to pick recently was for my Costco Pharmacy account. They wanted upper case/lower case/special characters. It was exhausting trying to get my prescription filled, I needed to take drugs after that.
Deal Fanatic
Apr 24, 2006
6758 posts
627 upvotes
Toronto
_dc_ wrote:
Oct 1st, 2014 1:28 pm
The Globe and Mail: Why Canada’s banks have weaker passwords than Twitter or Google

"The banks are doing a very sophisticated tradeoff about how much security they want to pay for to keep the losses down to a level they can manage."
+1 for this.


TL;DR version:
If your account is compromised, the bank will give you back your money. It's less hassle to do that than it is to require complex passwords and have a soccer mom/hockey dad calling twice a week because they can't remember their complex password.
Deal Fanatic
Mar 24, 2008
5714 posts
1827 upvotes
Toronto
ToniCipriani wrote:
Oct 1st, 2014 1:23 pm
It's to do with saving costs. Saving a 6-byte varchar or int is much cheaper than a longer string.
How so? The passwords are never stored in clear text anyways. Usually you create a message digest using a Cryptographic hash function and then store it in the DB. Storage wise, it hardly makes any difference.
Sr. Member
Nov 9, 2008
546 posts
100 upvotes
Ottawa
Messerschmitt wrote:
Oct 1st, 2014 1:20 pm
Is anyone else concerned that some banking/credit union institutions have weak password requirements?

For example, some banking/credit unions I deal with have passwords that accept only 8 characters (no more than that), or they don't accept any special symbols, just alphanumeric. For example, ING (not sure how Tangerine is) was only 6 characters.

When I phoned one of these institutions which I often bank, they told me that unfortunately that's what their provider offers...

How do you guys feel about only being able to have passwords that are 6 or 8 characters, and/or restrictive characters (only numeric, or alphanumeric, no special characters)?


What bugs me is the fact that Equifax systems keep your password, secret answers and all info you entered in plain text form.

The agent I spoke to confirmed all the info for me.. I was shocked.. it's asking for someone to steal this info..wtf... no real security experts/programmers work there? I guess not.
Jr. Member
Jul 20, 2013
196 posts
20 upvotes
Messerschmitt wrote:
Oct 1st, 2014 1:20 pm
Is anyone else concerned that some banking/credit union institutions have weak password requirements?

For example, some banking/credit unions I deal with have passwords that accept only 8 characters (no more than that), or they don't accept any special symbols, just alphanumeric. For example, ING (not sure how Tangerine is) was only 6 characters.

When I phoned one of these institutions which I often bank, they told me that unfortunately that's what their provider offers...

How do you guys feel about only being able to have passwords that are 6 or 8 characters, and/or restrictive characters (only numeric, or alphanumeric, no special characters)?
The problem lies with MemberDirect. From what I comprehend, MemberDirect is a platform that is hosted by Central 1 Credit Union. You could just contact them and ask them if they have a plan in the works if they are going to move away from the PAC/PIN model and have a full username/strong password combination.

Then again they're probably using a language in the backend that isn't really that extensible.
Deal Fanatic
Mar 15, 2005
5316 posts
872 upvotes
ToniCipriani wrote:
Oct 1st, 2014 1:23 pm
It's to do with saving costs. Saving a 6-byte varchar or int is much cheaper than a longer string.
Irrelevant since the passwords are almost guaranteed to be salted or hashed into a much longer string anyway
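The storage point raised in the replies above (the message-digest reply and the salted-hash reply), as an added example that is not part of any post in the thread: a salted PBKDF2 record is the same size whatever the password length, while the length and character-set cap changes the guessing space. The iteration count, salt length and sample passwords are assumptions chosen for illustration, not anything a bank in the thread is known to use.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

ITERATIONS = 600_000   # example work factor (assumption); tune for your hardware
SALT_LEN = 16          # bytes of per-user random salt
DIGEST_LEN = 32        # PBKDF2-HMAC-SHA256 output length in bytes


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || derived key; this is what the DB column would hold."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=DIGEST_LEN)
    return salt + dk


def verify_password(password: str, record: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = record[:SALT_LEN]
    return hmac.compare_digest(hash_password(password, salt), record)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on guessing entropy for a random password of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample passwords matching the policies discussed in the thread.
    samples = ["482913", "Ab3dEf7h", "correct horse battery staple, 2014!"]
    for pw in samples:
        rec = hash_password(pw)
        ok = verify_password(pw, rec)
        print(f"{len(pw):>2} chars -> {len(rec)} stored bytes, verifies={ok}")
    print(f"6 digits:       {keyspace_bits(10, 6):.1f} bits")
    print(f"8 alphanumeric: {keyspace_bits(62, 8):.1f} bits")
```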
Sr. Member
Oct 14, 2012
622 posts
336 upvotes
Woodstock
Some banks are using the same password for telephone banking and internet banking; that probably rules out the ability to use special characters and upper/lowercase letters. Letters already have to be converted back into numbers to enter on a (non-smart) phone. They might have to set up two types of passwords or something to deal with that issue.
Deal Fanatic
Mar 24, 2008
5714 posts
1827 upvotes
Toronto
Ziggy007 wrote:
Oct 1st, 2014 4:42 pm
Irrelevant since the passwords are almost guaranteed to be salted or hashed into a much longer string anyway
See post #8.
Sr. Member
Jan 25, 2007
925 posts
58 upvotes
Meh... passwords are typically stolen from Keylogging programs. Long stupid passwords actually stick out to the thief.