Because as per usual they don’t understand security. I have started choosing my bank based on software they have. If software looks competent, that’s my most significant influence.
They think rooted device = insecure device, but at the same time PC is even less secure and yet all the business users use them and more to the point have passwords written on a sticky note glued to the screen. My old bank at one point “upgraded” their software system and then started asking me for weird characters in password and then asked for maximum length which was the final sin I allowed them to commit. Left them that week.
Air Canada’s online account system required a 6 character password, which was secretly converted via T9 to 6 numbers on the back end, meaning “aaaaaa” and “bbbbbb” were effectively the same password, and this was only fixed in 2018
My personal theory is that it’s a remnant of an old system that was only accessible by phone (hence the 6 digit pin), and they simply grafted an online component on top of it
You’re better off with random different passwords for each service written on a sticky note than using the same password/email combofor multiple accounts.
I mean, you’re comparing very different scenarios.
If one account gets broken into and their password hashing was crap, the attacker can try the email/password combo with other services and can stumble onto another one you use.
If someone has access to your sticky note they have all your accounts.
I don’t think I’d call either of them better.
Of course, all this assumes no second auth factor.
If someone has access to your sticky note they’re already in your house, and that’s a bigger issue IMO… even from an itsec perspective, once the attacker has physical access to guarantee safety is difficult.
Because as per usual they don’t understand security. I have started choosing my bank based on software they have. If software looks competent, that’s my most significant influence.
They think rooted device = insecure device, but at the same time PC is even less secure and yet all the business users use them and more to the point have passwords written on a sticky note glued to the screen. My old bank at one point “upgraded” their software system and then started asking me for weird characters in password and then asked for maximum length which was the final sin I allowed them to commit. Left them that week.
My bank keeps their app up to date with all the latest anti-root stuff but allows passwords made of 5 digits. ¯\_(ツ)_/¯
Unless they’ve changed it very recently, Paypal still limits your password to 20 characters
Unless they’ve changed it very recently, Wells Fargo’s passwords are case insensitive
Air Canada’s online account system required a 6 character password, which was secretly converted via T9 to 6 numbers on the back end, meaning “aaaaaa” and “bbbbbb” were effectively the same password, and this was only fixed in 2018
That sounds like someone who topped out with highschool level programming tried to implement a hash algorithm.
My personal theory is that it’s a remnant of an old system that was only accessible by phone (hence the 6 digit pin), and they simply grafted an online component on top of it
You’re better off with random different passwords for each service written on a sticky note than using the same password/email combofor multiple accounts.
I mean, you’re comparing very different scenarios.
If one account gets broken into and their password hashing was crap, the attacker can try the email/password combo with other services and can stumble onto another one you use.
If someone has access to your sticky note they have all your accounts.
I don’t think I’d call either of them better.
Of course, all this assumes no second auth factor.
If someone has access to your sticky note they’re already in your house, and that’s a bigger issue IMO… even from an itsec perspective, once the attacker has physical access to guarantee safety is difficult.
But seriously, there’s a guy in your house.