@evistre - Troy Hunt was CC'd on this - I'm pretty sure he'll get some good publicity for them.
@0x56 what the hell "not a security risk"
@0x56 What is HSBC an acronym for?
@tmbrown327 - Hong Kong and Shanghai Banking Corp.
@0x56 Yeah, I always just shorten that to the bank of China, and that limits my exposure to them pretty drastically.
Recently heard about a certain bank sending their clients an email newsletter with a link to log into their online banking embedded in it. wtaf
@jordicusmaximus - I .... no..
@jordicusmaximus @0x56 whoops
@0x56 so at that bank, passwords are like phone numbers... once you get the first few right, it doesn't matter how many you punch in afterwards... it's already open.
@Bemet_Or - pretty much.
@0x56 hmmmm weird.
that shouldn't be how it works for PW's I agree.
Claire sounds like she's just following orders on what to say, cuz to me that is a flaw.
@Bemet_Or - oh she is, don't blame the messenger... But a password should _never_ be stored, it should be hashed (1 way encryption)
so "abc" would be hashed to something like
"ab98f80e7f3a9b"
but "abcd" would be hashed to something like
"9f02c756a37e1"
there's no correlation to compare partial passwords against.
The reason for this is if the database is compromised, there's no way of getting those passwords out.
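The hashing point in the post above, shown as an added example (not code from anyone in this thread): a salted, iterated password hash where "abc" and "abcd" produce unrelated digests, so a server cannot accept a partial password. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here; the salt and iteration count are constructed demo values.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor; constructed value for the demo


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is given."""
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    _, digest = hash_password(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo() -> dict:
    # Fixed salt so the output is reproducible; a real store draws one per password.
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    _, h_abc = hash_password("abc", salt)
    _, h_abcd = hash_password("abcd", salt)
    return {
        "abc": h_abc.hex(),
        "abcd": h_abcd.hex(),
        # A one-character change flips roughly half of the 256 output bits.
        "bits_differing": hamming_distance(h_abc, h_abcd),
        # The stored digest for "abcd" gives no way to accept "abc".
        "prefix_accepted": verify_password("abc", salt, h_abcd),
        "full_accepted": verify_password("abcd", salt, h_abcd),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```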
@0x56 I store passwords- yeah- in the strongest computer in the world- my brain.
@AkomoCombine - but are you also a bank server handling tens of thousands of customers and billions of Euros and hundreds of logins per hour?
@0x56 Need a solution then. Most people do not keep complex passwords to begin with
@AkomoCombine - I'm talking server side password handling/authentication. There are plenty of solutions there. My personal favorite is bcrypt with a constantly rotating salt, but others exist to varying degrees of effectiveness.
As far as you, as a consumer, I'd suggest a password manager which will generate complex passwords for you and save them in either a symmetric or asymmetric encrypted format (depending on your own personal use case).
@0x56 That would work- I'll have to try it out and see- thanks!
@AkomoCombine - I like LastPass if you're a family, 1Password for a single user multi device, or KeePass for a single user/single device
@0x56 Yeah definitely interested since I need to teach this to my kids. They will know how the internet works and how to defend themselves from virtual attack
@AkomoCombine - this will just delay an attack. If you can get @White_Rabbit to come out of his rabbit hole, he may be able to teach you how to teach them to defend themselves.
@0x56 Press time?