Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

    • nocturne@sopuli.xyz
      link
      fedilink
      arrow-up
      7
      ·
      3 months ago

      Mine does not allow spaces. They used to use a 4 digit pin as 2FA. Not a new pin you got every time you logged in, the same 4 digit pin.

    • cynar@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      3 months ago

      A lot of bank computing is a complete clusterf@#k. Getting even basic changes and bug fixes requires it being signed off on by various regulators and committees. Apparently, 18 months for a 1 line change is normal. This has ended up with layers of new work being frankensteined onto older systems. E.g. Internet banking, for a long time, physically printed checks, via an automated machine, posted them, and then had them read in, via an automated machine. Hence why Internet bank transfers took 2-3 days.

      I had issues with my banks truncating my password a while back. It only looked at the first 8 characters.

    • AlecSadler@sh.itjust.works
      link
      fedilink
      arrow-up
      1
      ·
      3 months ago

      One of my past banks used to be case-insensitive. They aren’t anymore (as far as I know). Their name starts with Key and ends with Bank.

      • ChickenLadyLovesLife@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        3 months ago

        My bank got busted a few years ago for cheating customers using their coin-counting machines. Literally nickel-and-dimed their own customers. They removed the machines and just threw loose cloth over the empty spaces - an ongoing testament to their shame, if they could feel shame, which they can’t. Out of sheer laziness I’m still with them.

        • SkunkWorkz@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          3 months ago

          In my country all banks just use, instead of a username, the IBAN plus bank card serial number and they give their clients a hardware token that generates one time passwords. The client inserts their bank card into the hardware token then enter their PIN and gets the OTP to login. And when the client wants to make a transfer the bank generates a code that the client has to enter into the hardware token after entering their PIN to generate an OTP which the client uses to confirm the transfer. And if the client has the bank app installed on their phone the bank website generates a QR code which the client can scan with the app and then the client can login with their biometrics. Of course the client has to activate the app with the hardware token first.

          This isn’t that much different from a username, password plus 2FA. But this way it takes out the weakness that is the client. This prevents the client from using an easy password or use a username and password that they use everywhere else. Old people don’t write down their password anywhere since there is no password. But they know their PIN by heart since they use it all their life. And it doesn’t rely on apps or SMS for 2FA. So people without a smartphone or even a mobile phone can still use it. Keyloggers are useless since the PIN is entered on the hardware token. Sure a sophisticated con is still possible but thefts like these https://appleinsider.com/articles/23/12/20/how-a-brazen-passcode-thief-used-stolen-iphones-to-rob-2-million where the thieves can drain a bank account if they just steal the phone and phone’s passcode and reset the 2FA are impossible.

          The biggest weakness is ofcourse that if someone knows your PIN and obtains your bank card they can enter your bank account online. So the same security measure still applies with this that you should open a savings account at a different bank than your checking account.

          • smeg@feddit.uk
            link
            fedilink
            English
            arrow-up
            1
            ·
            3 months ago

            I’ve seen plenty of UK banks use these card readers to authenticate transfers, but never just to log in

            The biggest weakness is ofcourse that if someone knows your PIN and obtains your bank card they can enter your bank account online

            So essentially it is 2FA, but the password is short enough to brute-force?

              • smeg@feddit.uk
                link
                fedilink
                English
                arrow-up
                1
                ·
                3 months ago

                I assumed as the card readers and cards are both offline devices they wouldn’t have a way to do this, are card blocks local in general?

                • SkunkWorkz@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  edit-2
                  3 months ago

                  Modern cards have a chip inside them that’s basically a very tiny computer. It can check how many times the pin was incorrect.

                  • smeg@feddit.uk
                    link
                    fedilink
                    English
                    arrow-up
                    1
                    ·
                    3 months ago

                    That’s pretty cool. I wonder what (if any) tinkering you can do with a card if you’ve got physical access and some very precise tools.