What is the max allowed length for your online bank password?

Locut0s

I noticed the other day that the longest allowable password for my online banking account is 6 characters. This seems awfully short for something as important as online banking. You would think they would want to encourage both long and strong passwords.
 

HAL9000

I would seriously complain about that, my password for some things is 40 characters.
 

goog40

I don't think I've seen a bank that would even allow a 6 character password. Usually the minimum is 8.
 

frostedflakes

6 characters could probably be brute forced in what, 30 seconds on a modern GPU?

If the site has multi-factor authentication of some sort it's probably not a big deal if the other authentication methods are reasonably secure, but I'd still bug them about it. Would also kind of make you wonder where else they cut corners on security, for example are passwords they store in their database even hashed? You'd kind of expect any competent admin (especially those responsible for safely storing sensitive info like banking) to do stuff like this, but you'd be surprised.
 

kranky

I don't know the max, but my current pw is 14 characters.

If the system locks you out after N incorrect tries, I don't see a problem. It's not like someone could try infinite guesses until they got it right.
 

frostedflakes

If the database gets compromised, though (happens alarmingly often, even big companies like Sony have fallen victim to SQL injection attacks), a person could easily brute force a short hashed password and potentially get into your account before the admin even had a chance to inform users of the security breach and have them change their passwords. That's what a strong pass is supposed to protect against.
 

sourceninja

length != security

Exactly.

In 2010, the Georgia Tech Research Institute developed a method of using GPGPU to crack passwords much faster.[2] As of 2011, commercial products are available that claim the ability to test up to 2,800,000,000 passwords per second on a standard desktop computer using a high-end graphics processor.[3] Such a device can crack a 10 letter single-case password in one day.

You would hope that after a few attempts they would lock your account and require you to call in to reactivate.

However, longer passwords do help with security, by increasing the odds of a wrong password being guessed in the attack. If you had a 1 character alphabetical lowercase password then there is a 1 in 26 chance of being guessed randomly on the first attempt. If your password was still alphabetical only, but 10 characters, then there is a 1 in 1.41167096 × 10 to the 14th power chance of it being guessed randomly on the first try.

Ideally you would pair a strong password (I like pass phrases of a few words after reading this http://xkcd.com/936/ ) with strong rules on account timeouts and locking.

I'd also worry that if they are that easy on password requirements that they might not be secure on the back end. What if your information is stored as plain text? Or weakly encrypted without a salt, etc.
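
Added example (not part of any post in this thread): the figures quoted above, worked through in Python, for the two cases the thread argues about, a stolen hash searched offline and an online login with a lockout, plus salted password storage. The 600,000-iteration PBKDF2 work factor, the 3-try lockout, and the treatment of one KDF iteration as one fast-hash guess are assumptions.

```python
import hashlib
import hmac
import os

GPU_GUESSES_PER_SEC = 2_800_000_000  # rate quoted in the thread, for a fast unsalted hash
PBKDF2_ITERATIONS = 600_000          # assumed work factor, not a figure from the thread


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def offline_worst_case_seconds(alphabet_size, length, iterations=1):
    """Time to try every candidate against a stolen hash.

    Assumes each KDF iteration costs about one fast-hash guess, so a
    salted PBKDF2 hash divides the quoted rate by `iterations`.
    """
    return keyspace(alphabet_size, length) * iterations / GPU_GUESSES_PER_SEC


def online_hit_probability(alphabet_size, length, tries_before_lockout):
    """Chance that random guessing succeeds before the account locks."""
    return min(1.0, tries_before_lockout / keyspace(alphabet_size, length))


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Store a per-user random salt, the work factor and the derived key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key


def verify_password(password, salt, iterations, key):
    """Recompute the key and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    for label, size, length in [("6 alphanumeric", 62, 6), ("10 lowercase", 26, 10)]:
        fast = offline_worst_case_seconds(size, length)
        slow = offline_worst_case_seconds(size, length, PBKDF2_ITERATIONS)
        online = online_hit_probability(size, length, 3)
        print(f"{label}: fast hash {fast:.0f}s, PBKDF2 {slow / 86400:.0f} days, "
              f"3 online tries {online:.1e}")
```

The lockout bounds online guessing regardless of length, while the offline numbers depend on both the password's keyspace and how the bank stores it.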
 

darkxshade

I like the ones that ask you to answer a security question first if you're logging in from a computer with an unrecognized IP.
 

biostud

I have a login name + password + unique one-time-use-only code, every time I need to sign on to my bank.
 

Jeff7

I have Chase for my car loan. Theirs was bizarre. Letters and numbers, but no special characters. No underscore, no spaces. 32 characters max.
PNC specifies "6 to 20 characters, one number & one letter."

So much for being able to use "good luck guessing0this one_in less than ╔ million years".:p
 

DougK62

My credit card forces an 8-digit password. Nothing more, nothing less. That's absolutely pathetic and terrible security. Longer = better.
 

Saint Nick

Haha. I have that comic printed out and put in my cube. Sadly, a lot of websites/services have stupid password rules where they will require you to put in a character, or a number, or whatever. I know it isn't smart, but I like my passwords to be the same across all sites. With all the different site rules, I can't do a password scheme similar to the comic.
 

sourceninja

I actually use LastPass. I don't know any of the passwords for any website I use.

I don't know my Gmail password. I don't know my Slashdot password. I don't even know the password I use on this forum.

I do auto generate them at the maximum length allowed by the website. The only password I do know is my LastPass master password.
 

Jaskalas

2,800,000,000 passwords per second

How are they going to test those 2.8 billion passwords per second? That speed does not appear to be relevant in any way if they cannot recognize / use what they have.
 

GrumpyMan

My Bank of America password account #213947685 is NeedmoreMoneyin2012. I trust you guys not to go in there.