Why Gmail Has Better Security Than Your Bank

Gizmodo gives some insight to a strange situation that many of us have -- at least in the U.S. -- when it comes to online security: Gmail, while free, offers two-factor authentication, while many banks don't use security tools that would make online financial transactions safer, contenting themselves with single-factor, weak password systems, or lackluster secondary screens. It's certainly true at one bank I use, which even now allows short, all-alphabetical, all lower-case passwords. U.S. banks could certainly use multi-factor authentication, and some do, but it's nothing like universal.

Gmail *should* have better security

[swillden]

The same goes for every e-mail provider. Email account access is the crown jewel of online identity, because if I have access to your e-mail I can reset the passwords of all of your other online accounts, including your bank account.

If you're using a short, weak password and not using two-factor on your e-mail because "it's only e-mail"... please think about what other accounts use that e-mail address as their password reset mechanism.

Re:First Run On Sentence

Someone who knew grammar, evidently.

While Timothy's first sentence is, by some standards, long, and, moreover, interspersed with many appositives and subordinate clauses, which collectively may, depending on the reader's tastes and background, render it unwieldy, and even disgusting to those who like their thoughts in twitter-length bites, it nevertheless has this virtue: when analyzed by diagram, it does in fact appear to be properly constructed, at least within the limits of grammatical freedom that even the most rigid critics of English have come to respect, those limits having been established in indulgence of the liberties taken by the finest authors ever to have set pen to paper, among whom we may number, as an example particularly apt to such a case, Samuel Johnson.

Re:Schwab - max 8 chars!

[njnnja]

The worst thing about this isn't that it means you have to choose a weak password, but rather that it is very likely that they are storing passwords in cleartext and somebody could get access to huge numbers of accounts with a single breach. If they were just using javascript to ensure password length, then they could change the code for the form validation immediately. So the fact that it hasn't been fixed yet means that the password length restriction has to do with something on their back end that will require real work to fix. But a proper back end system should salt and hash the passwords and the site would have no idea how long your password is. Since they know and care how long the password is, they probably aren't hashing