What is wrong with banks asking to make passwords i cant remember

Discussion in 'General Talk' started by RakaKaKaka, Apr 14, 2019.

  1. RakaKaKaka

    RakaKaKaka Well-Known Member
    Adept

    They force one to use upper and lower cases, numbers, minimum 8 words, symbols and egyptian hieroglyphs for every password. And every few months you are supposed to make a new one and cant even use the older passwords. How exactly is this secure when one is bound to note it on a paper or somewhere which can easily land in wrong hands. Few wrong attempts and one gets those captchas that look like modern art and leave it to users to intrpret.

    If its my money i should be allowed to use pass123 or whatever i wish to. Every time i need to reset passwords to login.
     
  2. nRiTeCh

    nRiTeCh If you can see the green dot, I'm online ;-)
    Veteran

    Which bank?
    Usually its a mandatory policy.
    Using of old pwds is restricted as your pwds might be known to your family friends wife gf etc.

    My sbi pw is not changed ever since year 2k5 when I opened my account. It kept prompting me to change until few yrs ago it actually gave up as I refrained from changing my pw.:D Though it wasn't a mandate unlike other banks especially hdfc where you are unable to proceed further to a successful login unless you change the pw.

    Same with Axis & ICICI. Using same pwds since many yrs now.

    Only when I login through app they ask to change the login pin every 6 months and I can't use last 6 pins.

    So I have already made a list of pins to use using some common combinations so as to memorize them in case.
     
    #2 nRiTeCh, Apr 14, 2019
    Last edited: Apr 14, 2019
  3. 6pack

    6pack Well-Known Member
    ex-Mod

    I use KeepassX (on linux) to generate and keep log of password expiry. You can set password to expire in x days and it will crossout the name. I just add all the websites with login id and passwords into one root account in keepassx and save them with just one master password as a 256bit encrypted kdbx file. This file can then be copied to android and opened in an app Keepass2Android Offline and you can see the passwords etc in the android app if you just put in the master password.

    All these password managers have a random password generate function which you can use to generate such 15 day or 1 month passwords.

    For windows and mac i think its keepassxc. There is an exe or standalone portable version in a zip file.

    KeepassXC - https://keepassxc.org/download/

    Keepass2AndroidOffline - https://play.google.com/store/apps/details?id=keepass2android.keepass2android_nonet
     
    ch@ts likes this.
  4. OP
    OP
    RakaKaKaka

    RakaKaKaka Well-Known Member
    Adept

    HDFC and Yes gbank. Both are tormenting me every few weeks
     
  5. nRiTeCh

    nRiTeCh If you can see the green dot, I'm online ;-)
    Veteran

    Every week? You kidding? Its quarterly.
    Also the most sucky thing is LastPass doesn't work on these 2 banks.
     
  6. blr_p

    blr_p Well-Known Member
    Veteran

    haha, i thought the same thing

    If the bank finds out you did that they will refuse any claim in case of fraud.

    They want to protect themselves
     
  7. mathrisk

    mathrisk .: deleted :.
    Adept

    Strategy I follow, I have some specific password, that I can remember (satisfying all conditions), to which I add the month+year at the end.
    Like [P@ssw0rd@0419] which for next month [P@ssw0rd@0519]
    Never repeats, easy to remember, easy to backtrace if any month is missed.
     
  8. OP
    OP
    RakaKaKaka

    RakaKaKaka Well-Known Member
    Adept

    Strategy is nice. I will use it too. Since they change passowrds every 2 months il do same by adding month in end. like Securefinance*01
     
  9. Sands

    Sands Member
    Disciple

    It's ur money right, But if someone hacks into your account and fly away with your money you will blame it on bank, Right ? That's one of the reason they ask you to use strong password.
     
  10. OP
    OP
    RakaKaKaka

    RakaKaKaka Well-Known Member
    Adept

    how exactly does a strong password help ? surely all their dbs are highly encrypted that whatever password i use does not even matter right. When i can use a simple word as password on google and noone has ever been able to hack that yet why do the banks do so ? Issue isnt a stronger password but making users use a password they cant even memorise is. People have to depend on either old fashioned pen and paper to store them or use some online service which manages it. Both are the weaker links than having the user memorise the password.
     
  11. nRiTeCh

    nRiTeCh If you can see the green dot, I'm online ;-)
    Veteran

    Ok then lets do one trial. Set your password to abcd1234 and post here or in public with your login id. Lets see what happens at the very next minute.
    I will answer your query after that.
     
  12. OP
    OP
    RakaKaKaka

    RakaKaKaka Well-Known Member
    Adept

    My techenclave and gmail one is a password veryy similar to that.
     
  13. Sands

    Sands Member
    Disciple

    No point discussing this with a guy who comes with a thread like this, Tells the exact state of ur mind. Take care.
     
  14. mathrisk

    mathrisk .: deleted :.
    Adept

    I suppose, what OP's logic is, even if we set a relatively less complex password, which can be easily(!) cracked via brute force, but most online services normally lock down the account in case of 3 or 5 incorrect attempts, hence kind of safe to use.

    Btw, why don't banks implement 2-factor auth. Or does any ?
    Our social media, spam mails are safe with 2FA, bank relies on 4 digit PIN (UPI, ICICI app). :D
     
    RakaKaKaka likes this.
  15. Lord Nemesis

    Lord Nemesis Overlord
    Veteran

    Overzealous security/password policies tend to be counter productive. There are studies and reports on it.

    The tendency of programmer when pressured to implement over zealous security policies is to lose sight of the actual goal while focusing on adding layers and complexity that serve no real purpose while also possibly introducing some loop holes.

    The tendency of users in the wake of over zealous password policies is to chose the weakest passwords that comply with the policy.

    abcd@1234, abcd@2345, bcde@1234, bcde@2345 etc are examples of a passwords chosen by users when a password policy requires alpha numeric and symbols and prevents recycling. And guess what, majority of users would be using the same set of passwords as well. If I were brute forcing a system with such user unfriendly policies, I know that all users would be using passwords form the same weak pool and target those fist. I might even be lucky enough to break a bunch of them at once.

    Read this some where in the wild, but it its totally true.

    Security at the expense of usability, comes at the expense of security.

    Its far better to to have a password policy that lets users chose a set of unique, but strong passwords and keep recycling them.
     
    RakaKaKaka likes this.
  16. nRiTeCh

    nRiTeCh If you can see the green dot, I'm online ;-)
    Veteran

    Users are lazy and they seldom know what is a Strong password hence banks or any such authority forces to use complexities. Now even in these complexities if the user chooses to use anil@21031980 his name and birthdate then god save him. They never read the disclaimer as well what words or characters are to be avoided when creating a strong password.
    Another eg: sapna@meriJaan, januil0v3you. These passwords are already known by their gfs bfs or friends.
    So rip complexities and rip the user when they come crying stating their password were Too Strong to break. Really?
     
  17. Lord Nemesis

    Lord Nemesis Overlord
    Veteran

    Many banks have policies that prevent users from using parts of their name in the password.

    Asking user to choose a password with alphanumeric and symbol combination is also fine. The problem starts with expiry and recycling restrictions. That is what forces users to chose weak passwords.

    As far as symbols go, I can guarantee that in most passwords, it would be among @, $ and #. so, its up to the alphanumeric part of the password. The more restrictive the policy is, the more simple the pattern used will be.

    It is far worse for the system to have a bunch of users using the same pool of passwords than using more unique passwords for far longer period.

    Here is an interesting piece on analysis of 10 million passwords.

    https://wpengine.com/unmasked/
     
  18. OP
    OP
    RakaKaKaka

    RakaKaKaka Well-Known Member
    Adept

    But when brute force does not work how will be a weak password be compromised? That can be done only if the bank was storing the passwords in a weak unencrypted hash and some hacker managed to hack into the banks systems. So how will it be the users fault ?

    Also due to this people are forced to use one password for many services which is not recommended or use a password manager which if compromised leads to loss of everything.
     
  19. nRiTeCh

    nRiTeCh If you can see the green dot, I'm online ;-)
    Veteran

    I myself used to use a single complex password across all services be it simple portal, emails, banks or enterprise logins. And it worked great for all these years as I use LastPass. But last year when heard that LastPass was compromised the first thing I did was changed all banking passwords to a very complex level. Then changed my LastPass password to another level. Then email ids and finally forum, the least bothered.
    Now the issue is I only recall my regular forum passwords but noway I'm able to memorize any banking or even my LastPass password.
    Else life was too easy for me even with complex passwords before I recently changed them all.
     
  20. Futureized

    Futureized Well-Known Member
    Adept

    I can save each and every site, though how much tough combination is.
    (try to save it manually)

    And when you open the target site, click on lastpass icon in browser (if on desktop) and click autofill, works like a charm.
    Except for sites which also require captcha or sms or any third party combinations
     
  21. nRiTeCh

    nRiTeCh If you can see the green dot, I'm online ;-)
    Veteran

    I'm already aware about that but it no longer works for Sbi, yes and hdfc and few more.
    LP doesn't fill Sbi fields at all.
    For Yes bank it will ask for LP master password and yet fails.
    Hdfc, it will simply fill-up all the fields yes hdfc itself will reject login using those populated fields as they sense it is coming from some password manager.
    Same goes for irctc too now a days.
    All these sites have curbed the use of lastpass or other managers.
     

Share This Page