Why Gmail Has Better Security Than Your Bank
Gizmodo gives some insight into a strange situation that many of us have -- at least in the U.S. -- when it comes to online security: Gmail, while free, offers two-factor authentication, while many banks don't use security tools that would make online financial transactions safer, contenting themselves with single-factor, weak password systems, or lackluster secondary screens. It's certainly true at one bank I use, which even now allows short, all-alphabetical, all lower-case passwords. U.S. banks could certainly use multi-factor authentication, and some do, but it's nothing like universal.
Simple solution: name names and vote with your feet.
"I don't know, therefore Aliens" Wafflebox1
Maximum password length of 6 alphanumeric characters, no special characters allowed. Fucking lunacy, and I remind them of it at least a couple of times per year.
Contrary to the popular geek mythology about space, it was actually banks and businesses that started using computers massively. The only reason NASA could buy mainframes from IBM in the 1960s is because International BUSINESS Machines already had a huge market. Note the lack of an International Space Machines company.
Anyhow, banks are also conservative.
Google is an IT company at the cutting edge of technology. Banks have an aging IT team working mainly on administrative tasks.
Slashdot, fix the reply notifications... You won't get away with it...
Your bank may have less secure login methods than gmail, but Google doesn't have access to your bank account.
...my bank doesn't read my e-mail and track everything I do online.
any banks that actually have a gpg key published?
After all, the flexibility to use you own tools and end up with secure communications beats cookie-cutter websites with the latest in tech-wiz sekoority gizmogadgetry that might change along with every other fad.
True, but my phone is locked with a passcode/Touch ID (iPhone, not Android).
And you still need to access the mini keypass file manually.
i thought once I was found, but it was only a dream.
http://classic.slashdot.org/story/14/12/23/1352253
Is there anything worth saying about this topic that wasn't covered in last month's discussion?
Not having any idea of the actual reasons behind these decisions, I'm going to pull a possibility out my... out of thin air.
Is it because their liability would increase dramatically if they implemented a more secure system and it still somehow gets compromised?
There's a very simple reason for this. Banks have bought themselves protection from any liability if your info is stolen.
All of our e-banking and credit laws are written so that the banks and credit-card companies get all the benefits of easy credit (issuing new cards), but all of the risks of this ease have been pushed to the owners of the identity. Thus, banks and merchants will issue you credit, and accept cards, with little to no verification (insisted upon by Visa), and if someone uses a stolen card with your name, that's your problem, not theirs. You have to _prove_ that you didn't buy that item, or else you're on the hook.
The day they move 100% of the responsibility for identity breaches onto the banks, merchants and credit brokers, you'll find them suddenly discovering "innovative security solutions" to protect themselves. Because the alternative is not being able to offer credit, and therefore grinding the economy to a standstill.
I really wanted to read "why gmail has better security than your bank," as in, what are the motivating factors that led to this situation? This article explains how they are less secure but not why.
I have accounts with both types of banks. My German bank doesn't allow passwords over 5 characters or with special characters. At least it's upper- and lowercase.
My Swiss bank gives out an RSA token to everyone. But also restricts passwords to 8 characters.
Both the software and hardware available for small devices, from phones to access panels to laptops, now allow easy use of biometrics.
I predict banks and other online merchants will quickly move to biometrics, or face financial ruin. Biometrics can now be based on not just a single factor because we have video. Thus a video of a person who moves closer to his camera can identify first the facial features, then voice & ultimately iris, so you can't fake a person with a simple high res. photo.
Fingerprint readers have been criticized as being able to be circumvented, but they will likely soon have temperature/electrical signal sensing to detect a live finger. We're ramping up sensing.
Between eyes, voice, nose, ears, face and fingerprints, we can identify people 100%. Even if we only get to 99.9% identification we can likely destroy the viability of hacking for account access.
I signed up for a Citi credit card about a year ago, then found out after the fact that not only do they allow short basic passwords, but they MANDATE them. You cannot have any special character at *all* in your password. I called them on this and they told me that they had just made the change in order to "improve security". Even better, the change happened as I was initially setting up my account, so the first form I filled out let me put in a proper password because it hadn't been crippled yet, then the actual login page kicked me out after that saying my password was invalid. I had to call them up and fight through getting my password reset, then hope that the password I created through the form that still didn't check their new rules would actually let me log in.
There's got to be a way to report these outright failures to some kind of regulatory body, and force them to fix these things. I'm just worried that there might not *be* a regulatory body for this....
On the other extreme, I found myself having to "generate a password" for Guild Wars 2, who take http://xkcd.com/936/ as gospel and created a 4-word passphrase for me. Compound this with the fact that they kick out "any password used by you or anybody else *ever*" as a password change, which makes it absolutely clear that they store all passwords in plaintext, and I'm not really impressed with those jokers either.
GStreamer - The only way to stream!
My bank in the United States of America uses 2 factor authentication. What are you talking about? If I attempt to access my account, the bank will call me with a verification code that I need to enter at the login page.
I was actually locked out of my account because I had issues with my landline and I wasn't able to receive the code. I had to go to an ATM to check my balance in my checking account.
Banks are secure because they lock your account when you fail to log in ~three consecutive times. Doesn't matter over what time period or what IP address you are using.
This is rather aggressive; somebody can lock your account with knowledge of your username, but it makes sense. One trick I use: my financial usernames are rather passwordlike (in that you're not going to guess them easily).
Use my userscript to add story images to Slashdot. There's no going back.
The simple fact is that banks don't face consequences for lapses in security, not like Google. Customers don't or can't lose trust in many banks because they're just too big to fail. Banks also either never report fraud, never admit fault to hacking, or never admit the scope and impact of an incident fully enough for people to make an objective assessment of the situation. Banks are FDIC insured, and cardholders rarely lose money during fraudulent access that isn't remunerated by the financial institution. For every account Google loses to a hacker or botnet, customers will lose a little trust and the system will function less efficiently. Google faces the real possibility of an exodus if a large breach of security takes place because there's no real inconvenience to picking a new email address. In contrast, banks are structured such that leaving one is practically impossible. You need to be present during their specific banking hours. You need to talk to a branch manager to close an account (but not to open one), and that branch manager will go to great lengths to stall you with offers you never asked for. Finally, you need to pick a new bank, handle direct deposit, checking, credit cards, and a whole host of other services that have been intentionally made disruptive in order to prevent you from having any real market choice.
Good people go to bed earlier.
Because banks have insurance against these losses, while Google doesn't. Next question.
http://economictimes.indiatime...
We are talking about two specific factors here. Something you know (password) and something "you" have (phone). The gotcha here is that smartphones are not out of band and "you" are not necessarily the only person who "has" it (if a bad actor has a presence on your device or the network it talks to). If this were a dumb phone, then SMS is out of band in the sense that you are potentially using two carriers (Internet and telco network). Unfortunately, the phone is really a weak link.
Sure, there are smart ways to make the phone more resilient, but we know vendors don't patch often and users install all sorts of nonsense and self-pollute. So generally, the phone is not safe even if specific people might figure out ways to be safe. Heck, even the Blackphone had problems, and that's what they sell it for. A better second factor is a fob which is truly out of band (only one person can have it).
This is more like one factor plus. Even google calls it two step (and not two factor). Obviously people might want to use it, but I wouldn't see it as much protection for money.
The same goes for every e-mail provider. Email account access is the crown jewel of online identity, because if I have access to your e-mail I can reset the passwords of all of your other online accounts, including your bank account.
If you're using a short, weak password and not using two-factor on your e-mail because "it's only e-mail"... please think about what other accounts use that e-mail address as their password reset mechanism.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
It's certainly true at one bank I use, which even now allows short, all-alphabetical, all lower-case passwords.
That isn't really the point. The point is: Do they allow more complex passwords? If so, then take advantage of that. If not, then there's a problem. Do you want to legislate / mandate more complex passwords? This is 'Murrica son, where even the Measles vaccine is optional. Why should banking security be mandatory. Let the "free market" decide. [ Now even I can't tell if I'm being serious or sarcastic - sigh. ]
As a side note on the issue of regulatory reform, Senator Thom Tillis (R-N.C.) says restaurant employees shouldn’t be required to wash their hands:
“As a matter of fact I think this is one where I think I can illustrate the point,” he recalled telling her. “I don’t have any problem with Starbucks if they choose to opt out of this policy as long as they post a sign that says we don’t require our employees to wash their hands after leaving the restroom. The market will take care of that. It’s one example.” (Is requiring a sign not a regulation?)
So, as Jon Stewart pointed out, the Senator is in favor of *not* requiring the sign "Employees must wash their hands..." as long as establishments post a sign saying, "Employees do not have to wash their hands..." -- and by the time the "free market takes care of it" we're all suffering from Cholera ...
It must have been something you assimilated. . . .
Banks are run by assholes.
They do not care about your security or your money. Without federal regulation forcing it they will never do it on their own as it will dip into the record breaking profits they make every single month.
We need to go back to heavy bank regulation and forcing banks to do the right thing.
Do not look at laser with remaining good eye.
BoA has a really cool two-factor device. They put an RSA key generator in a credit card-sized device. I got mine for $10, it works great, and it's in my wallet with me all the time. They also offer text message two-factor, which I use as a backup to the RSA card.
MAXIMUM of 8 characters
That's not true at all; my password for Wells Fargo is 12 characters, and rejects if I try just the first 8.
You're not wrong that their minimum standard is weak, though. And I'm not sure about case-sensitivity.
Populus vult decipi, ergo decipiatur...
"Force shits upon Reason's back." - Poor Richard's Almanac
Charles Schwab has a *maximum* of 8 character passwords and have had the same for 15-20 years!
Passwords: We maintain strict rules to help prevent others from guessing your password, and recommend that you change your password periodically. Your password must meet the following criteria:
6-8 characters long
Include both letters and numbers
Include at least one number between the first and last character
http://www.schwab.com/public/s...
Not true, my Wells Fargo password is way more complex than that.
When I started using Google's 2-factor authentication, I admit, it was tedious, but it pays dividends in peace of mind, and how!
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
albeit on the investment banking side, where security can be a bit less tight. I have worked at several very large, well-known banks. In all cases I found the banks to be in an identity crisis - they are in effect technology companies, but they see themselves as financial companies, and this affects their behavior from top to bottom.
There is a way to fix this - require the banks to buy, not build their IT solutions. In this case the banks can focus on their business, and a clutch of software companies can focus on making great software products for banking.
I just verified that:
Your password must be 6 to 14 characters and contain at least one letter and one number. It cannot contain nine or more numbers. You may also use special characters such as @, %, &, #).
Someone who knew grammar, evidently.
While Timothy's first sentence is, by some standards, long, and, moreover, interspersed with many appositives and subordinate clauses, which collectively may, depending on the reader's tastes and background, render it unwieldy, and even disgusting to those who like their thoughts in twitter-length bites, it nevertheless has this virtue: when analyzed by diagram, it does in fact appear to be properly constructed, at least within the limits of grammatical freedom that even the most rigid critics of English have come to respect, those limits having been established in indulgence of the liberties taken by the finest authors ever to have set pen to paper, among whom we may number, as an example particularly apt to such a case, Samuel Johnson.
I use a short, all-alphabetical password on google.
And the first time a bank gets hacked, everyone's fingerprints are public.
Not to mention that detecting a live finger is meaningless if you're depending on remote systems not to lie to you.
Except he's writing a slashdot post, not a Douglas Adams' novel.
When reporting news, succinctness is a virtue.
That was beautiful.
I saw the Sign, and it opened up my eyes
Customers don't choose one bank over another based on how secure the bank is. Customers (typically) chose based on convenience.
More secure often means less convenient, so banks have a direct disincentive to beef up security.
Until that changes, regulation is basically the only option to get the banks to play ball.
I can't sue google if my information is stolen. My google products are not insured by my government. My bank account, however, has a huge paper-trail, and is insured, and I can sue my bank.
It's not about access security; it's about content security. My bank has more content security. It doesn't need access security -- that's just to reduce the number of times we need to go through the content recovery procedures.
I've been doing 2 factor authentication with my Swiss bank for free for at least 12 years, I think 15 actually. And they massively overhauled the system ~8 years ago by freely upgrading each bank card with one that incorporates a crypto chip, to operate with a freely distributed card reader (like a small calculator) that computes a one-time password from a random number on the website (after initial user/password authentication with https) then I report that OTP into the bank website to get logged in. So it's hardware security since the one-time password is protected by the chip of my bank card, and the PIN code.
If you don't believe me, click this English-language link:
https://www.postfinance.ch/help/desktop/en/efin/allgemein/login.html?WT.ac=_techshortcut_efinancehelploginen
It seems to me that, unless the bank REQUIRES use of short, all-alphabetical, all lower-case passwords, it's not really the bank that is insecure. Instead, it's how the individual is using the available security which is insecure.
Why Gmail Has Better Security Than Your Bank
Alright, just stop with the "your" headlines. They just sound so condescending, as if the author knows everything about everyone.
Which they don't, clearly, since my bank, like those of many other posters above, has two-factor auth. They sent me - free, without having to be asked, and presumably all their internet-enabled account holders have one - a little gizmo into which I put a number and it gives me back another number to be entered on the website.
That said, I'd rather have a username instead of "IB[10 digits]", and I'd rather just be asked for a password instead of "the name of the street you grew up on." The latter, certainly, would seem at first glance to be less secure than asking for a generic password.
systemd is Roko's Basilisk.
US banks.... In India you have three-factor authentication: login password/transaction password and debit card grid authentication, and sometimes mobile OTP authentication for any suspicious or large transactions.
I think you're unclear on what multi-factor authentication is and how it works, so here:
There are three authentication factors: something you know (password, PIN code), something you have (debit card, cell phone), and something you are (biometrics). The something-you-have factor is always vulnerable to theft; that doesn't make two-factor authentication bad. In some ways it's a good thing: you're likely to notice your phone is missing, whereas you'll have no way of knowing if someone were to guess your password.
Younger techno-savvy people seem to assume that the mobile phone is the natural 2nd factor, or barring that, that the user will be willing to carry around some other type of device. Most of a bank's preferred customers (i.e. those who move large amounts of $$ through their bank) do not revolve their life around gadgets. Hence you have banks catering to their most profitable customers, which is why you do not see many technically savvy multi-factor authentication schemes.
In other words - money speaks, and the people talking about this stuff don't typically have enough money to merit a seat at the table.
From a British perspective, this all seems.... odd. Barclays and First Direct both use one-time time-limited two-factor authentication with the codes sent to special devices, and have done for quite a while, and the other components of their security are thoughtfully designed as well. They feel pretty secure to me -- not foolproof, but definitely good enough.
both google and banks share our data with spy agencies
Picking a secure password is the user's responsibility, not the web site's. I use Diceware to generate my passwords. A five-word Diceware password has 77 bits of entropy. That's equivalent to a 15-character password chosen randomly from upper and lower-case letters, numbers, and 13 special symbols. Most can memorize the Diceware password in a few minutes. Few of us can ever remember the random password. Yet many web sites refuse to allow spaces between diceware words, and demand that I use an upper case letter and a number or special symbol. I curse every time.
Google needs to be thousands of times more secure than my bank. My bank will return my money when their security lapses. The Feds even get into the act. If Google loses my information, it's gone. There is no undo. So while it may seem like a big problem for banks to be less secure, it makes perfect sense to me. Besides, I've lost countless web accounts (Yahoo, etc.) due to breaches not my own. I've never lost a penny from a bank, even when they are robbed and lose the actual bills I gave them. Money is fungible. Information isn't. So it's not even a valid comparison to make. Apples and honeydew.
Must be 6-14 characters and contain at least one letter and one number. It cannot contain nine or more numbers.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
I've had 2 factor authentication in a bank in Europe for years (I don't remember when I first got it). And it was mandatory for everybody.
No, it isn't their business, but it isn't Google's either! I don't give a rat's a$$ how secure things are within their environment when it is Google *themselves* I don't want having access to my data. It's kind of like hiding from Mafia thugs in the Don's living room.
I don't have or use a mobile phone. The signal where I live is abysmal. My ADSL connection maxes out at under 100K. So, yeah, I use my employer's connection for most of my private stuff.
A mobile phone is useless to me. Two-factor authentication is O.K. as long as they do not make it a fixed option. If they do, I'll have to move on to another, as I'm not paying a minimum of 40 bucks a month simply to maintain a password.
I'd say "whoosh", but that just seems inadequate. You'd need to spend a good ten minutes or so standing in a wind tunnel to get the right effect.
"Run-on sentence" is a term of art in grammar. It applies not to succinctness or verbosity but to the improper joining of two independent clauses; it is not what his first sentence does.
Unless you are being totally dumb and storing passwords in plain text or something instead of hashing them, there is no good reason why any website should have a maximum password length.
Better security than a bank? That's the dumbest thing I've ever read. Seriously.
Gmail ignores period (.) characters in email addresses, and frequently misdelivers email because of it. It's not even secure enough to be an email service, let alone more secure than a bank.
According to gmail, all of these addresses are equivalent:
turd.ferguson@gmail.com
turdferguson@gmail.com
t.urd.f.erguson@gmail.com
and so on.
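The dot-insensitivity just described, as an added example that is not Google's code: a canonicaliser that maps every spelling of a Gmail local part to one mailbox, which is the check a defender needs to spot one person registering many "different" accounts. It goes slightly beyond the comment by also dropping a "+tag" suffix, which Gmail likewise ignores; the address list is constructed for the example.

```python
from typing import Dict, Iterable, List

# Added example, not Google's code. Domains for which Gmail's local-part rules
# apply (googlemail.com is Google's alias domain for the same mailboxes).
GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Return the single canonical form of a Gmail address.

    For Google domains the local part is lower-cased, any '+tag' suffix is
    dropped and every '.' is removed; other domains are left alone because
    their local parts are, in general, case- and dot-sensitive.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    if domain in GOOGLE_DOMAINS:
        local = local.lower().split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    return canonical_gmail(a) == canonical_gmail(b)


def duplicate_mailboxes(addresses: Iterable[str]) -> Dict[str, List[str]]:
    """Group registered addresses that all deliver to one mailbox."""
    groups: Dict[str, List[str]] = {}
    for addr in addresses:
        groups.setdefault(canonical_gmail(addr), []).append(addr)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample of a sign-up list with one person hiding behind dots.
    signups = [
        "turd.ferguson@gmail.com",
        "turdferguson@gmail.com",
        "t.urd.f.erguson@gmail.com",
        "Turd.Ferguson+promo@googlemail.com",
        "turd.ferguson@example.org",
    ]
    for canon, aliases in duplicate_mailboxes(signups).items():
        print(canon, "<-", aliases)
```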
While gmail gives it to the largest assassin organization in the world.
While trying to help a customer, I talked with Wells Fargo contractors and, eventually, the Wells Fargo head of IT. My opinion after many hours of hassles: Wells Fargo is a VERY BADLY MANAGED bank.
It's possible that there is equipment at Wells Fargo that requires short passwords, and other equipment that is newer and more secure.
Can anyone recommend a good bank?
My Credit Union has decent password requirements (at least like 6 or 8 chars long, mixed case, symbols (full complexity)).
Use on an "unfamiliar PC" (they probably save some cookie) requires a second auth via SMS or voice call.
the only "insecure" part is that the mobile app can use JUST the password.
2 factor auth?
Is that, when Google blocks my account every fucking time my mail program tries to download my mail when my VPN is active?
Biometrics are very good at identifying people. They are very bad at authenticating people. You leave fingerprints on everything you touch. The best possible answer is to require everyone to have a hardware crypto-token that they use to log in. In fact, in civilized countries, everyone carries one in a Chip&Pin card. For $15, every one of us could have a card reader that would render password and biometric attacks inert, and limit the vulnerability to spoofing to a very short window while your credit card is in the card reader. Almost everyone carries their card with them already; it's not a major inconvenience to pull it out of your wallet, and if you're super-paranoid, then we could easily develop card readers that have the keypads in them (instead of typing it into your computer). This is a solved problem waiting to be implemented.
The idea is good, but it's fucked by the fact that it is not universally usable across all software and systems. This means they had to come up with the atrocious idea of "app-specific passwords," which are just... passwords. One for each application adds extra insecurity, and they're already insecure to begin with, being all lower-case letters in the form of "xxxx xxxx xxxx xxxx" (with the spaces optional for easier reading). I'm sorry, but my actual Google passwords are a hell of a lot stronger than that, consisting of both capital and lower case letters, numbers, spaces and various symbols... and easily double that 16-letter string that Google generates. I tend to make as few of these insecure things as possible, and re-use them when it makes sense (I group them by system or general usage instead of one specific use per password; ie. one for each phone, laptop, desktop, etc.), deleting and creating new ones to replace the old every once in a while. You could get by without making a single app-specific password, but have fun connecting your Android phone to your Google account. And if you want to use a standard desktop-based e-mail client? No two-factor authentication there, so you will *have* to make a new weak Google-generated password for that.
Your bank is going to lock down your account after a certain amount of retries. Sure, a password can be insecure, but you aren't going to brute force a bank account. Most banks also do some form of two factor authentication, in my case, three things I know, pin, password, and picture.
Gmail security is not even close to that of most major banks. One of the main reasons for that is unlimited tries on the number of password attempts, no account lockout, and until not that long ago they were allowing http connections, which are not that difficult to intercept on a public wifi. This is one of the main problems in online security - email providers, and online identity providers like Twitter, Facebook, etc., are not as secure as they would like you to believe. Most major banks do have more restrictions on what passwords can be used, how many attempts, https-only traffic, etc. They would be the better identity providers if they wanted to be in that business. And yes, Gmail with two-factor and a strong password, and a strong forgotten-password setup, is still reasonably strong, but most people don't use it and opt for the bare minimum. Then when their email password gets cracked by one of the bots and starts sending spam, they change the password to something else that's marginally more secure until the next bot cracks it. One final thought: banks have a different view on privacy than online providers. I don't mind providing my phone number to the bank for risk-based authentication based on IP address. I do mind giving that information up to Google and Facebook.
One of the reasons I signed up is that they offer a free security token for signing in.
There are no fees and sadly, when I asked them how popular it is, they said virtually no one uses it.
I suspect it's not so popular because most accounts are insured against most fraud so there's little incentive to using them for most users.
What I'd like is to use that token (or even SMS) for an ATM pin...
Login requires a set of 3 numbers from PIN and a set of 4 letters from password. If the browser is not recognized, it needs more verification.
Money transfer requires me to insert the debit card into a card reader, give it the correct PIN and then allow the card reader to process a number provided by the website (website gives me the number, I enter it into card reader, which then replies with a new number. I enter that number into the website.
The real "Libtards" are the Libertarians!
obviously they have access to the best security solutions! /sarcasm
My huge chain bank does not allow many items to be used in passwords, such as punctuation marks, ASCII symbols and the characters that are over the numbers on your keyboards. Being unable to use these symbols makes password cracking far easier than it should be. The strange part is that banks surely know about this but are too cheap to purchase software that can handle more symbols in their passwords. For their own internal security they use super long passwords that in the past were limited to a 2,500-character string. There was consideration of going to a 5,000-character string, but I'm not in the loop to know if it was actually implemented. For end users a 5,000-symbol password is not going to happen.
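The two arithmetic points in this thread, the Diceware comparison above and the cost of a bank banning symbols here, worked through as an added example (not any poster's code): entropy is length times log2 of the alphabet, so the functions below compare a word-list passphrase against character passwords under a policy that forbids symbols or caps the length. The 7776-word Diceware list size is the real one; the symbol counts and the policies compared are assumptions for the example.

```python
import math
from typing import Dict

# Added example, not any poster's code. Character-class sizes assumed here:
LOWER, UPPER, DIGITS = 26, 26, 10
ASCII_SYMBOLS = 33            # printable ASCII punctuation plus space
DICEWARE_WORDS = 7776         # 6^5 entries in the standard Diceware list


def charset_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def wordlist_bits(dictionary_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly from a dictionary."""
    return words * math.log2(dictionary_size)


def equivalent_length(bits: float, alphabet_size: int) -> int:
    """Shortest random string over `alphabet_size` reaching `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def policy_comparison(max_length: int) -> Dict[str, float]:
    """Best achievable entropy under a few assumed password policies.

    Each value is rounded to one decimal so the cost of each restriction is
    directly comparable.
    """
    full = LOWER + UPPER + DIGITS + ASCII_SYMBOLS
    return {
        "lowercase_only": round(charset_bits(LOWER, max_length), 1),
        "alphanumeric_no_symbols": round(charset_bits(LOWER + UPPER + DIGITS, max_length), 1),
        "full_ascii": round(charset_bits(full, max_length), 1),
        "diceware_6_words": round(wordlist_bits(DICEWARE_WORDS, 6), 1),
    }


if __name__ == "__main__":
    # An 8-character cap, as several posters report their banks impose.
    for policy, bits in policy_comparison(8).items():
        print(f"{policy:28s} {bits:6.1f} bits")
    print("6 Diceware words need", equivalent_length(wordlist_bits(DICEWARE_WORDS, 6), 95),
          "random printable-ASCII characters to match")
```

The comparison makes the cost of a symbol ban concrete: at the same length, dropping 33 symbols from a 95-character alphabet removes about 0.6 bits per character, while a short maximum length costs far more than the symbol ban does.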
I love you, whoever you are. You may collect your prize of an internets at your convenience.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
HSBC - at least in Hong Kong - has a 2 factors authentication: a password and a device that gives you a temporary code - and the device is protected with a pin code.
My bank has pain-in-the-ass 2FA. There is a piece of partly public info (social security), followed by a short pin code, that leads to a challenge-response with a grey box that has my unique token in it as a smart card. Although the box is USB the browser plugin demands custom device drivers that do horrific things to ensure they are "alone" on the system.
All of this protects me against a hacker breaking my password, which would be impossible, and has no effect on the much more likely attack of a hacker targeting the bank itself. So I have to access my bank from a custom VM because the other plebs like to choose "bigtits" as their secure password.
2FA is the overrated wet dream of sysadmins everywhere.
On mobile, you should hope for something better. 2 factor is for a "mobile protecting PC" scenario. A mobile device doesn't protect itself using 2 factor.
You have to use two way verification.
The old system was Password + Card reader using the chip of your credit card + PIN to gain access to the online bank.
That system is being scrapped in favour of something called "Online ID", which is a standard that all banks and government agencies use.
You have to verify your ID using your phone (mobile) or a computer with a card reader connected and the ID downloaded to it.
Really convenient. Usually they will also require this when using the credit card online. So even if they get your credit card number + verification code, they can't buy shit.
My bank over here in Germany requires the use of a TAN-generator device to make transfers/pay bills online. You put your card in the device, press a button, hold it to the screen, check the details shown on it, and then type the TAN back in to the website to finalise the transaction. That seems pretty secure to me, but I'm no expert.
My bank has more secure 2 factor authorization than Gmail.
I stick my card in this little device called a "Random Reader". I enter my PIN on that device. Then I get a code that I have to enter together with my bank account number and my card number (both printed on the card).
Then I get access to viewing my account and preparing payment orders.
To send the payment orders I have to sign them. To do this I need to enter my PIN again (on the random reader), enter a code from the bank website, enter the total amount and (if it includes a large payment to an unusual account I also need to enter that account number). Only then the payment orders are processed.
Since the random readers are available for free at any branch of my bank it's easy to have a few laying around. The random reader is not personal so I can easily borrow one from my parents or friends in a pinch when I am there (assuming they have the same bank).
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
Contrast the situation in unfree draconian Europe where regulators forced banks to use two factor auth with a PKI smartcard or time generated token as a 'have' factor.
I worry about more than two factor auth. I worked in the banking industry for a year doing vulnerability analysis. Let me tell you, the banking industry backend has the WORST security I have seen in over twenty years of working with networks. Ever seen a network with over 300,000 vulnerabilities with a CVE score of 5 or better? I have, and yes it was one of the biggest banks around (BoA). The login into your bank is nothing compared to the insecurities on the backend of your bank! After working for three months in the banking industry I took my money out and buried it. No shit, it's safer buried in the yard. Really I only keep enough money in my account to pay bills; the rest I pull out.
I do a lot of pen testing and my findings overall are this. At any large corporation the security will suck total balls, whereas the small companies will have rock solid security. An adult toy store site has a 100 times better security than your bank. Yes, you are more secure buying a dildo than checking your bank account. Kinda says something about this wonderful country we live in.
Hospitals and banks, the two places you would think would have the best security, have the worst. Think about that one for awhile.
Now I am all for 2 factor auth but through Google NO FUCKING WAY! Google is the biggest peeping tom in the world next to the NSA, and well, they're a data feed to them too. I especially will not trust say my login into my ssh server to Google. Peeping Eric doesn't need to know the when, where, and why of my logins into systems. Maybe on gmail if I had an account, since it is also Peeping Eric's service, but never on a secured system.
My EU bank was giving out digipass-type devices in the last century. You need to type the challenge sequence from the computer screen into the digipass at login, then type the digipass response into the computer. More importantly, you need to do the same procedure with the wire transfer sum and receiver account number. A bit of hassle, but it works.
Schemes that just authenticate at login and do not sign actual and specific money transfer data are inherently broken. They rely on personal computer security when there is zero security on the personal computer. You have no idea what software runs on your computer and what it does, even without all these zero-day exploits floating around these days. You can see one account number on the screen but the number actually submitted to your bank may be completely different.
It sounds quite lame to complain about password length though. What is the difference? Banks are not some WordPress websites without brute force password guessing protection; they block access after 3-5 wrong guesses anyway. ATMs work with 4 digit passwords only just fine. A 32-character password isn't going to save you anyway if a password is your only protection. Any malware with root access to your computer memory can get all your passwords and digital keys, and it is quite easy to put malware into your internet connected, adware-infested computer that downloads/installs some new updates daily.
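The difference between "authenticate at login" and "sign the transfer data" that the digipass comment above describes (and that the TAN-generator and Random Reader comments earlier in the thread also rely on) is easy to see in code. The following is an added illustration, not code from any bank or from anyone in this thread: it uses an HMAC over the challenge plus the amount and account number as a stand-in for whatever the real reader computes, and the card secret, account numbers and challenge handling are constructed sample values. It shows that a login-only scheme processes whatever account number reaches the bank, while a scheme whose code commits to the amount and account shown on the device rejects a transfer whose account number was changed on the way.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret standing in for the key inside the card's chip.
# Real readers use their own vendor algorithms; the HMAC here only shows the
# binding principle, not any bank's actual scheme.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")

INTENDED_ACCOUNT = "NL00USER000000001"    # constructed sample value
TAMPERED_ACCOUNT = "NL00OTHER00000002"    # constructed sample value


def response_code(card_secret: bytes, challenge: str,
                  amount: str = "", account: str = "") -> str:
    """8-digit code the reader would display for a given challenge.

    With empty amount/account this is a plain login challenge-response.
    With them filled in, the code is bound to exactly those transfer details:
    any change to either field yields a different expected code.
    """
    msg = f"{challenge}|{amount}|{account}".encode()
    mac = hmac.new(card_secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def new_challenge() -> str:
    """Random challenge the bank shows on screen for the user to type in."""
    return secrets.token_hex(4)


def bank_verify(card_secret: bytes, challenge: str, amount: str,
                account: str, code: str) -> bool:
    """Bank side: recompute the code over the data that actually arrived."""
    expected = response_code(card_secret, challenge, amount, account)
    return hmac.compare_digest(expected, code)


def tampered_copy(form: dict) -> dict:
    """Models the failure mode in the comment: the screen showed one account
    number, but a different one is what gets submitted."""
    changed = dict(form)
    changed["account"] = TAMPERED_ACCOUNT
    return changed


def login_only_flow(tamper: bool = True) -> str:
    """Scheme that only authenticates at login. Returns the account the bank
    would credit, which is whatever account number reached it."""
    challenge = new_challenge()
    code = response_code(CARD_SECRET, challenge)
    if not bank_verify(CARD_SECRET, challenge, "", "", code):
        raise RuntimeError("login failed")  # otherwise the session is established
    form = {"amount": "100.00", "account": INTENDED_ACCOUNT}
    submitted = tampered_copy(form) if tamper else form
    # Nothing ties the transfer to the card, so the bank processes it as-is.
    return submitted["account"]


def signing_flow(tamper: bool = True) -> bool:
    """Scheme that signs the transfer data. Returns whether the bank accepts
    the transfer that was actually submitted."""
    challenge = new_challenge()
    form = {"amount": "100.00", "account": INTENDED_ACCOUNT}
    # The user keys in the amount and account as shown on the reader, i.e. the
    # values they intend, so the code commits to exactly those values.
    code = response_code(CARD_SECRET, challenge, form["amount"], form["account"])
    submitted = tampered_copy(form) if tamper else form
    return bank_verify(CARD_SECRET, challenge,
                       submitted["amount"], submitted["account"], code)


if __name__ == "__main__":
    print("login-only scheme credits:", login_only_flow())
    print("signing scheme accepts tampered transfer:", signing_flow())
    print("signing scheme accepts honest transfer:", signing_flow(tamper=False))
```

The bank-side check in `bank_verify` is the whole point: it recomputes the code over the amount and account that arrived, not over what the user saw, so a mismatch between the two surfaces as a rejected transaction rather than a silently redirected payment. This is also why the comments describing the Random Reader and the TAN generator stress checking the details on the device's own screen before typing the code back in.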
Is this two factor authentication? My bank has a list of 8 questions I provided to which I alone know the one word answer. When I log into my account, or do an online visa transaction, I am transferred to their security routine. I may be asked my date of birth, and randomly one of my questions for an answer that I provided. As I stated, I alone know the answer. If my responses are correct, it's an OK to accept my access or VISA transaction.
Off topic.
In Canada our debit and credit cards have had the integrated chip since the late 1990's. We were shocked when we visited an American Casino this past month, and noted they did not as yet have support for such a system. I had to swipe the card, which was a true backward step, as far as security is concerned. In a way this is the other two factor authentication. I hold the card. Eventually, banks will demand Desktops with smart card readers for online shopping, or verification of your caller id.
Leslie Satenstein Montreal Quebec Canada
In Singapore using 2fa is mandatory. I was surprised that I had to argue to implement 2fa at the US side of the bank I'm working for. Seems a matter of course to me.
My Wells Fargo is also above 8. I was confused when they changed my username from my SSN to my last name. That's much easier to guess when someone knows me, and I think it'd be more secure to use a less-lined username than a "tight" one. My next bank required a username unrelated to me, unlike the easily guessable Wells Fargo. Just running through common last names and common passwords for them could get someone in. And the user would be blamed for poor password security, not Wells Fargo for requiring a username that matches my last name (previously a hard-to-guess 9-digit number).