Giving Clue of Password?

What do you think of this…

A friend of mine told me the other day that his bank gave out a hint of his Account Password.

Specifically, the customer service rep told him what his Password started with.

Is it just me, or is that an insanely stupid policy?

Debbie

Somehow I doubt that’s a corporate policy - probably a rep trying to be “helpful”. It’s probably even borderline illegal. I would suggest that your friend contact the bank and share his concerns, and remind them how much of a security breach they’re opening up if they’re giving hints on passwords without authenticated identification procedures (like face to face communication with photo identification).

Here is the funny thing…

He complained to a manager, and the manager said, “That is the bank’s policy to give the first letter out as a hint.”

Crazy, right?

I’d be looking for a new bank…

I agree.

It’s sad that companies and Corporate America are so complacent when it comes to security… sigh

Debbie

There’s complacent and there’s reckless. That’s something my 11 year old would know not to do…

I’d be concerned that the password was stored in plaintext rather than hashed or encrypted. They should not be able to read off your stored password at all.

My bank has a sophisticated multi-part authentication system for the login online. That is rather common.
What really impresses me though, is that whenever I phone their Support, they transfer me to a Telephone Interface to the same authentication system. I am then transferred back to the representative and they have access to my account but never know my logon credentials!

I agree. The bank shouldn’t even know what your password is. That they do indicates that they have taken the completely wrong approach to password storage and it is only a matter of time before someone works out how to dump the entire account/password list.

The way they are storing passwords, a lot of people have access to find out what your password is and so could use it to access your account even if the entire list wasn’t broadcast to the world.

This was for my friend’s credit card.

I believe when you call in, and the Cust Service Rep asks for your “Account Password”…

In that case, the Reps obviously have to see it.

But why would the bank have a policy of giving you a hint like, “It starts with a ‘T’…”

That is insane!!

Debbie

Not necessarily – there’s no reason why they couldn’t use the same kind of password authentication system that you have when entering your password onto a website. They ask you for your password, you give them your password, they type it into their computer, magic happens, and the computer tells them whether the password was right or wrong. They don’t need to be able to see what your password is … while there is ostensibly no harm in them being able to see your password, given that you’re going to tell them what it is (hopefully!), the fact that it is stored in a readable plain text format means that it is potentially hackable. If it’s encrypted with a one-way hash so that all they can do is check that you’ve given a right or wrong password, that should be a whole lot safer and less open to naughtiness.

How about … because they recognise that most people have hundreds of passwords, and expecting you to remember which one you used on a service where you probably don’t have to give the password for years at a time is not necessarily a good strategy. Getting a hint like that could easily be enough to remind you which password you used, without being enough to allow someone else to guess it.

That idea has its merits.

I totally disagree on this one.

How would you like it if Amazon.com or Gmail displayed a message saying, “Your account password begins with ‘T’…” ?? :eek:

No way!

Why not do what you have online and have “Challenge Questions”?

Or why not make it so people can key in their responses without the Rep seeing anything? (Not sure if you would have collisions if you used your phone keypad to type in things like “Grand Canyon”…)

Sincerely,

Debbie

I totally agree with Steve; there needs to be some way to interact with the staff to prove who you are on the phone. My bank asks me things like what is the second letter of your password etc. but it was only a couple of years ago that they wanted mothers maiden name etc.

I had a problem once and the guy on the other end of the phone gave me a hint and I remembered the password straight away.

I wonder how many words and names there are in the English language alone that start with, for instance, T? I think the member of staff you are talking to might suspect you do not know the password after a couple of mistakes.

Perhaps you could give the bank your telephone number to keep on file and they could phone you and give you a new password if you forget it :wink:

I never give my passwords out. If I have to verify an account by giving a password over the phone I would certainly not do that. What’s stopping the person from recording or remembering my password and getting into my account later?

Or, what about those kinds of people who use the same password for everything? It’s easy enough to find out if a person has accounts anywhere else, and use the recorded/remembered password somewhere else.

Giving out a password over the phone is not a secure method. The password is therefore no longer secure.

A better method is being able to choose some sort of pin number (of an appropriate length) that is only accessible by logging into your account. Then you can give that number to the phone rep to verify. No need to give up your password.

Agreed.

Yep!

Yep.

You lost me on this one… :-/

Debbie

Namecheap, godaddy, surpasshosting, and hostdime all do this (if you are familiar with any of them).

It’s like I explained–there is a pin number stored in your account settings. Then, while on a phone call, you give your name, account number, and this custom pin to the support rep, which verifies you as the owner of the account.

Let’s not forget that the person to whom you are speaking already has complete access to your account anyway. They really don’t need your password to mess with your affairs. Hopefully, there is a solid logging process to audit who did what when.

Now THAT is a real problem. Of course, I could argue that it is a people problem and not a “technical” one.

I actually wrote a blog post on this subject almost a year ago (my VPS was hacked and I recently reinstated my personal blog using Ghost, http://ghost.org).

Sorry, but I’m still not sure I follow you…

Are you saying that if a person is able to successfully log in to their online account and get the PIN, they have been sufficiently authenticated so that when they give the PIN to the phone rep, it proves they are the rightful account holder, but that the phone rep knowing the PIN is okay?

But what is the difference between the Rep seeing your password and seeing your PIN in plain-text?

There is no difference!


BTW, to rewind for a second…

At the beginning of this thread, I stated that my friend called his bank about his credit card, and the phone rep gave out the first letter of his password.

I think that is a bad idea, and several people here agree with that.

But as far as it being a bad idea that the phone rep can see your password in plain-text, I have to ask this…

Most banking phone reps can see:
1.) Full Name
2.) Billing Address
3.) Last 4 of your SSN
4.) DOB
5.) Mother’s Maiden Name (maybe)
6.) Other sensitive info

All of that is displayed in plain-text on their screens as well.

If you, or whoever brought it up, thinks that letting a phone rep see your “password” in plain-text is a bad idea, then by that logic, a phone rep shouldn’t be able to see things like #3 - #6, right?

And to your point above, they should not be able to see your PIN.

See the contradiction?

All of this security stuff is a trade-off, I suppose. But what caught my attention was the fact that a phone rep would help you figure out what your “secret code” is?!

I trust that a banking phone rep has been properly vetted, and so they have to be able to see some of your private info. But to give out that info to someone who has not been authenticated - or who even has been authenticated - is a horrible idea.

It’s one thing to say, “Your secret code is your pet’s name” and quite another to say, “Your password begins with a ‘T’…”

Anyways, this is an interesting discussion! :slight_smile:

Sincerely,

Debbie

One big thing to remember is banks have been using account passwords since they were counting with abacuses and recording the books on clay tablets. The security there isn’t so much provided by strong locks but rather by policies and procedures precluding the possibility of ongoing fraud. Everything is recorded multiple times in multiple ways by multiple people and reconciled.

Now, years ago you only needed a password to deal with your bank or your broker so the whole “oh that CSR now has my password to my facebook” angle wasn’t prevalent in years past. But your money is much safer with the bank than with most other institutions as they have strong rules and traditions making it so.

Every situation where passwords have been stolen - either from a bank or some other company - it has only been possible because they store the password in plain text.

Hashing passwords provides two benefits - first there is no plain text copy to be stolen and second there is no limit on how long someone’s password can be as all hash to the same length.

Anywhere that can either provide hints as to your password or which limits password length is storing them as plain text and so the passwords can and eventually will be stolen.

Even having other sites that store passwords as plain text lessens the security of banks when people are silly enough to use the same password for both sites.
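Two posts above describe the same mechanism without showing it: the one that says the rep can type in what you say, “magic happens”, and the computer answers right or wrong, and the last one that says a hash leaves no plaintext copy and removes the length limit. The following is an added example, not code from anyone in this thread, sketching how a support desk could store a login password and a separate phone-support PIN as salted PBKDF2 digests so that the rep’s screen only ever shows a yes/no result. The `Account` class, its method names, the iteration count and the sample credentials are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example; a real deployment tunes these
# (and would more likely use scrypt/argon2), but the shape is the same.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def enroll(secret: str) -> dict:
    """Store only a random salt and the PBKDF2-HMAC-SHA256 digest of `secret`.

    The plaintext is never written anywhere, so there is nothing for a
    rep (or a thief who dumps the table) to read back, and no "first
    letter" to hand out as a hint.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "digest": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify(record: dict, attempt: str) -> bool:
    """What the rep's terminal runs after the caller reads out the secret.

    Recompute the digest from the attempt and compare in constant time.
    The only thing the rep learns is True or False.
    """
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


class Account:
    """Hypothetical customer record with two independent secrets.

    The support PIN is a separate secret reserved for phone calls, as a
    post above suggests, so the customer never reads their website
    password to a human, and a PIN overheard on a call unlocks nothing else.
    """

    def __init__(self, login_password: str, support_pin: str) -> None:
        self._login = enroll(login_password)
        self._support = enroll(support_pin)

    def check_login(self, attempt: str) -> bool:
        return verify(self._login, attempt)

    def check_support_pin(self, attempt: str) -> bool:
        return verify(self._support, attempt)

    def rep_view(self) -> dict:
        """Everything a rep's screen would contain about the secrets:
        salts and digests only, nothing recoverable into a hint."""
        return {"login": dict(self._login), "support": dict(self._support)}


def digest_length(secret: str) -> int:
    """Length in bytes of the stored digest; constant regardless of input
    length, which is why a hashed password needs no upper length limit."""
    return len(bytes.fromhex(enroll(secret)["digest"]))


if __name__ == "__main__":
    # Constructed sample credentials for a stand-alone run.
    acct = Account("correct horse battery staple", "48213")
    print("login ok:", acct.check_login("correct horse battery staple"))
    print("wrong login:", acct.check_login("correct horse battery stapl"))
    print("support pin ok:", acct.check_support_pin("48213"))
    print("pin as login:", acct.check_login("48213"))
    print("rep sees:", acct.rep_view())
    print("digest bytes for 1-char and 200-char secrets:",
          digest_length("T"), digest_length("x" * 200))
```

Note the design choice the thread circles around: the rep never needs the plaintext, only the verdict, and the PIN the customer reads out is a distinct secret with no value on any other site, which addresses the password-reuse worry raised earlier.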