#1
Join Date: Oct 2005
Location: yvr
Posts: 28
I thought case-sensitive passwords were the norm for years; apparently I was wrong.
This is my bank's credit card website (a major Canadian financial institution). I recently found out (by chance) that I could successfully login no matter the case of the letters I am typing. To make the matter worse, this site only accepts alphanumeric passwords. And they don't disclose it anywhere on their site. I tried emailing them about this, but so far only got really uninformed answers. Apparently the rep is not even aware that this is happening. Just wanted to share this, and at the same time collect some opinions.
#2
Moderator
Join Date: Feb 2004
Location: Vancouver, BC
Posts: 4,645
I'm with the TD and while the passwords are not case sensitive they do randomly hold up access to ask a security question (both with EasyWeb and with WebBroker).
#3
Join Date: Jan 2005
Location: Thornhill
Posts: 383
They're not case sensitive and never were. Your best protection is to change your password often and use totally random characters instead of actual words.
#4
Join Date: Oct 2005
Location: yvr
Posts: 28
@Johnny
In my case it's the mastercard / pcfinancial website. Sad to hear that it's not an isolated case. On their regular banking website the passwords are case-sensitive, so much for consistency. Never been asked a random security question either.

@power
What exactly 'never' had case-sensitive passwords? In most situations, the password is the only element you have to know; I think it should be as secure as possible. In almost every online login I saw, the pwd was case-sensitive. Passwords are case-sensitive when you login to your OS (be that Windows or Linux based), and so for security reasons it is safer. Why should we expect less from a banking website? Your answer to memorize random characters is good in theory, but how many people do that? Personally I'm not good at memorizing "random" characters, and I doubt many people are either. Also, at least in my bank's case, the characters allowed are limited to letters and numbers, which further restricts the field.
#5
Moderator
Join Date: May 2002
Location: Toronto, Rogers, 8300HD, eHDD, Panasonic TCP65S1, Denon AVR4310Ci; 8300HD, eHDD & Sony KDL40W3000
Posts: 50,302
Letters and numbers are usually adequate. If you have a password like "password", you can still make it passw0rd, which is easy to remember, but more difficult to hack.
__________________
57's Home Theatre (Latest equipment & photos) 57's Optimization Services (Home Theatre Optimization)
#6
Join Date: Dec 2005
Location: Woodlands, MB
Posts: 598
CIBC uses case sensitive passwords.
Just this morning I had trouble logging in to my credit card account. I couldn't do it. I kept getting a "bad password/username" message. After several attempts, I realized that I had left my caps lock on.
#7
Join Date: Apr 2007
Posts: 212
Simply replacing digits for numbers does nothing significant to increase the security. All the password cracking programs have an option to do that, so you're only slowing down the process very slightly.
If you want to have a password which is hard to crack but easy to remember, then you can go for the initial letters of a phrase. For example: This Password Is Hard To Guess But Easy To Remember = TPIHTGBETR. Everyone can think of a phrase which they can remember, and therefore a password.
#8
Veteran
Join Date: May 2002
Location: A charted un-desert isle
Posts: 2,465
Sure we can (remember a phrase and therefore a password); the problem comes in remembering which one goes with which site, and which one has been changed "this month", which one still has last month's (since you haven't been there recently), etc....
And then there's the issue with some sites requiring at least X number of characters, one of which must be a letter, or a number, or a non-number/non-character. I wish sites would provide you at the login what their parameters are for passwords, as I have set "words" for when a number/special character is necessary, or when a certain number of characters are required.
#9
Join Date: Oct 2005
Location: yvr
Posts: 28
@jwt
Again, lack of consistency (pcfinancial = CIBC).

@gorilla
You make a good point; still, you probably agree that having a case sensitive password will be stronger than a non case sensitive one, providing they both have been chosen in a similar manner.

@nuje
Yes, our (human) brain is just not very good at this task, computers are. :-) Luckily, there are a few good programs out there that can store passwords for you (for instance Password Safe or RoboForm).

I guess my issues are:
1 - why use an inherently less secure method in what should be a highly secure process, in 2008
2 - inconsistency: pcfinancial uses one method on their banking website, and another on their credit card one
3 - last but not least, why don't they make their policy clear, both on their website (especially on the 'change password' form) and when questioned directly

Bruce Schneier has a very interesting blog on security. This article is on pwd harvesting, pwd strength, etc. I guess that this post is what got me going in the first place.
http://www.schneier.com/blog/archive...o_harvest.html
#10
Join Date: Apr 2007
Posts: 212
Yes, there is no doubt that a case sensitive password is harder to guess than a case sensitive one; however it's not much compared with choosing stronger passwords.

To put a quick mathematical bent on it: a 1-8 letter single case password from a dictionary word = about 10,000-40,000 combinations, depending on how good your vocabulary is. Substituting the digits increases those combinations, but not much. Say the average word has 1 letter which can be substituted, then you're doubling it to 20,000 - 40,000 combinations. If you allow all possible combinations of upper or lower case, then you'll increase this number by 2^8 or 256 more combinations. 40,000 * 256 = or 0.13 million. An 8 letter password comprised of initials, all one case, works out to be about 20^8 (there are 26 letters, but you're not likely to come up with 8 q's). That's about 2 billion. Obviously much more secure.

However in the real world, most exploits come from one of two sources:
1) People sharing passwords with their friends, family etc.
2) Social engineering, where people are persuaded to give out their password.
In both of these cases, it doesn't matter how good the password is, it will still get compromised.
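The arithmetic in this post and the case-folding behaviour reported in #1, as an added Python illustration that is not from the thread: `hash_password` models (my assumption, not a statement about how any bank actually implements it) a server that lowercases the password before hashing it with PBKDF2, and the entropy helpers quantify what that folding costs. The sample password is the initials example from #7.

```python
import hashlib
import hmac
import math
import os
import string

# Constructed alphabets: what a case-sensitive alphanumeric site distinguishes
# versus what a site that ignores letter case effectively distinguishes.
ALNUM_CASED = string.ascii_letters + string.digits     # 62 symbols
ALNUM_FOLDED = string.ascii_lowercase + string.digits  # 36 symbols

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of brute-force resistance for a uniformly random password."""
    return length * math.log2(alphabet_size)

def bits_lost_to_case_folding(length: int) -> float:
    """Bits an alphanumeric password loses when the server ignores letter case."""
    return keyspace_bits(len(ALNUM_CASED), length) - keyspace_bits(len(ALNUM_FOLDED), length)

def case_variants(word: str) -> int:
    """Capitalisations of a word that a case-sensitive site treats as distinct (2^letters)."""
    return 2 ** sum(ch.isalpha() for ch in word)

def hash_password(password: str, salt: bytes, fold_case: bool) -> bytes:
    """PBKDF2-HMAC-SHA256; fold_case=True is the assumed 'lowercase before hashing' server."""
    if fold_case:
        password = password.lower()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify(stored: bytes, salt: bytes, attempt: str, fold_case: bool) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    return hmac.compare_digest(stored, hash_password(attempt, salt, fold_case))

def demo() -> dict:
    """Enrol the #7 initials password both ways, then attempt it in the wrong case."""
    salt = os.urandom(16)
    folded = hash_password("Tpihtgbetr", salt, fold_case=True)
    cased = hash_password("Tpihtgbetr", salt, fold_case=False)
    return {
        "folded_site_accepts_wrong_case": verify(folded, salt, "TPIHTGBETR", True),
        "cased_site_accepts_wrong_case": verify(cased, salt, "TPIHTGBETR", False),
        "bits_lost_8_chars": round(bits_lost_to_case_folding(8), 2),
    }

if __name__ == "__main__":
    print(demo())
```

For an 8-character alphanumeric password, folding case drops the search space from about 47.6 bits to about 41.4 bits, roughly a 77x smaller space for an attacker to cover.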
|
|