What is the max allowed length for your online bank password?


Modelworks

Lifer
Feb 22, 2007
You would hope that after a few attempts they would lock your account and require you to call in to reactivate.

My bank does this. 3 wrong entries and you have to call to reset the account.
My bank also does security questions randomly when you use the account. One day it might not ask anything, the next it will ask things like mother's maiden name.
 

Deeko

Lifer
Jun 16, 2000
Haha. I have that comic printed out and put in my cube. Sadly, a lot of websites/services have stupid password rules where they will require you to put in a character, or a number, or whatever. I know it isn't smart, but I like my passwords to be the same across all sites. With all the different site rules, I can't do a password scheme similar to the comic.

Particularly those that block dictionary words, too.
 

Red Storm

Lifer
Oct 2, 2005
Yeah, my student loan account has the most annoying rule where if you change your password, it can't be anything close to the previous one, so I change it enough to be different but still similar to my "go to" password. This has led to me basically having no idea what the right password is at any given point, so I have to do a password reset every time I want to log in (maybe once every couple of months).
 

DnetMHZ

Diamond Member
Apr 10, 2001
I actually use LastPass. I don't know any of the passwords for any website I use.

I don't know my Gmail password. I don't know my Slashdot password. I don't even know the password I use on this forum.

I do auto-generate them at the maximum length allowed by the website. The only password I do know is my LastPass master password.

This, plus I have two-factor on my LastPass as well.
 

Jeff7

Lifer
Jan 4, 2001
Haha. I have that comic printed out and put in my cube. Sadly, a lot of websites/services have stupid password rules where they will require you to put in a character, or a number, or whatever. I know it isn't smart, but I like my passwords to be the same across all sites. With all the different site rules, I can't do a password scheme similar to the comic.
Unfortunately, I think a lot of those password rules were developed back when the main concern was another person getting into your account. Now we've got insanely fast computing tech available at the consumer level, but the rules haven't changed. So, that f7x!T9 password would be nearly useless. Mixed case, punctuation, numbers...HowSecureIsMyPassword.net says 13 minutes for a desktop PC to crack that one. But, copy/paste that same password 5 times, and that bumps up to a pretty damn long time, assuming they're not also trying for repeated patterns, though that would also increase the processing time. So ok, fine - paste it 5 times, then add a single character at the end.
 

Anubis

No Lifer
Aug 31, 2001
What type of financial institution is this? A tin can buried in your back yard?

Local bank. I know the bank president; I bitched at her the other day when I saw her out at dinner. The issues I was having were fixed by 9 am the next day. Having the ability to do that is worth much more than any online features.

Also, they are open on Saturday.
 

Deeko

Lifer
Jun 16, 2000
Unfortunately, I think a lot of those password rules were developed back when the main concern was another person getting into your account. Now we've got insanely fast computing tech available at the consumer level, but the rules haven't changed. So, that f7x!T9 password would be nearly useless. Mixed case, punctuation, numbers...HowSecureIsMyPassword.net says 13 minutes for a desktop PC to crack that one. But, copy/paste that same password 5 times, and that bumps up to a pretty damn long time, assuming they're not also trying for repeated patterns, though that would also increase the processing time. So ok, fine - paste it 5 times, then add a single character at the end.

Haha according to that, the simple phrase I created as a shared password for things like hulu and blockbuster is by far the most secure password I've ever made, despite being all lower case with no numbers or symbols. 212,000 years! Meanwhile, my standard "strong" password is 85 days, and my password I use on Anandtech is, uh, 8 seconds.
 

BoberFett

Lifer
Oct 9, 1999
How are they going to test those 2.8 billion passwords per second? That speed does not appear to be relevant in any way if they cannot recognize / use what they have.

By matching against the hash they pulled off of a tape that some careless backup operator left in their front car seat?

There are more data breaches from carelessness than there are from uber l33t internet hackers, and you're far less likely to know about the former so you don't even know you should change your password.
 

Jeff7

Lifer
Jan 4, 2001
Haha according to that, the simple phrase I created as a shared password for things like hulu and blockbuster is by far the most secure password I've ever made, despite being all lower case with no numbers or symbols. 212,000 years! Meanwhile, my standard "strong" password is 85 days, and my password I use on Anandtech is, uh, 8 seconds.
The only thing is, I don't think that password site does a dictionary search.
So if you're using XKCD's "correct horse battery stapler" approach, that's a lot of characters, but it's also only 4 words.
But of course, that's dependent upon the approach that a cracker would use. Lowercase-only dictionary search first, or just do a character-by-character brute force attack?
 

Deeko

Lifer
Jun 16, 2000
The only thing is, I don't think that password site does a dictionary search.
So if you're using XKCD's "correct horse battery stapler" approach, that's a lot of characters, but it's also only 4 words.
But of course, that's dependent upon the approach that a cracker would use. Lowercase-only dictionary search first, or just do a character-by-character brute force attack?

Right. Although I imagine dictionary searches are more effective when checking if the whole password is one word (which a lot of people do); a multiple-word phrase, particularly one that doesn't make much sense (like the xkcd one), would take a lot of combination checking to find, and like you alluded to, I doubt most crackers would turn to that first, since it's such a rare type of password.
 

alkemyst

No Lifer
Feb 13, 2001
length != security

Hmm, it actually is.

6 characters is far too short for a serious password; as you approach 20 characters the potential of it being brute forced goes to almost nil.

What's really bad are those that specify you must be between 8 and 12 (to 16) characters and require a beginning capital letter and ending in a number...
 

alkemyst

No Lifer
Feb 13, 2001
By matching against the hash they pulled off of a tape that some careless backup operator left in their front car seat?

There are more data breaches from carelessness than there are from uber l33t internet hackers, and you're far less likely to know about the former so you don't even know you should change your password.

as well as being inside jobs.
 

dabuddha

Lifer
Apr 10, 2000
Hmm, it actually is.

6 characters is far too short for a serious password; as you approach 20 characters the potential of it being brute forced goes to almost nil.

What's really bad are those that specify you must be between 8 and 12 (to 16) characters and require a beginning capital letter and ending in a number...

Considering that most login systems (at least if it's a good one) will lock out your account after 3 failed attempts, I'd say shorter is better, especially considering how many people end up writing down their passwords because the asinine password requirements for some sites make it extremely difficult to memorize them.
 

sourceninja

Diamond Member
Mar 8, 2005
Right. Although I imagine dictionary searches are more effective when checking if the whole password is one word (which a lot of people do) - a multiple word phrase, particularly one that doesn't make much sense (like the xkcd one), would take a lot of combination checking to find, and like you alluded to, I doubt most crackers would turn to that first, since its such a rare type of password.

Right, a multi-word password makes the dictionary attack much less valuable. First, you need to know if I'm using a sentence, a few words, or a common phrase, what language I'm using, and whether all my words are from the same language.

If my password was "Osotogari is winning technique" as a reference to my judo background, do you think a dictionary attack would find it?

For one, I have a word that is not English; for another, does your dictionary attack use small words like a, an, is, the, or would you skip them? What if I had proper names in my password like "Grandpa was a O'Rilley"? Do you search with proper caps or without proper caps, or with all words capped? What if it uses non-word characters (like text messaging), for example: "lunch @ titos w/ beer"?

The point is that when you use a phrase of some kind you make the variables a lot more complex than just a "list of words". It would probably be easier to brute force a phrase than it would be to use a dictionary attack.
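An added example, not from any poster in this thread, that puts numbers on the three estimates argued over above: the character-by-character brute force that sites like the one quoted assume, a cracker that also tries repeated patterns (the paste-it-five-times trick), and a dictionary attack that assumes the password is a few words from a known list. The 2.8 billion guesses per second offline rate and the 2048-word list are assumptions chosen to match the figures quoted in the thread.

```python
import math
import string
# Constructed assumptions for this example, not figures from any tool the posters used:
OFFLINE_RATE = 2.8e9       # guesses per second against a leaked hash (the rate quoted above)
WORDLIST_SIZE = 2048       # word list the XKCD passphrase estimate assumes
SYMBOLS = string.punctuation + " "

def charset_size(pw: str) -> int:
    """Alphabet a character-by-character brute force has to cover."""
    size = 0
    if any(c.islower() for c in pw): size += 26
    if any(c.isupper() for c in pw): size += 26
    if any(c.isdigit() for c in pw): size += 10
    if any(c in SYMBOLS for c in pw): size += len(SYMBOLS)
    return size

def brute_force_bits(pw: str) -> float:
    """Naive estimate: every character drawn uniformly from the alphabet used."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def split_repeats(pw: str):
    """Shortest prefix repeated two or more times -> (unit, copies, appended tail)."""
    for n in range(1, len(pw) // 2 + 1):
        unit, copies = pw[:n], 0
        while pw.startswith(unit, n * copies):
            copies += 1
        if copies >= 2:
            return unit, copies, pw[n * copies:]
    return pw, 1, ""

def pattern_aware_bits(pw: str) -> float:
    """Estimate for a cracker that also tries repeated patterns: pasting a
    password five times only adds log2(5) bits, plus whatever was appended."""
    unit, copies, tail = split_repeats(pw)
    return brute_force_bits(unit) + math.log2(copies) + brute_force_bits(tail)

def passphrase_bits(words: int, wordlist: int = WORDLIST_SIZE) -> float:
    """Estimate for a dictionary attack that assumes N words from a known list."""
    return words * math.log2(wordlist)

def seconds_to_exhaust(bits: float, rate: float = OFFLINE_RATE) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / rate

if __name__ == "__main__":
    for pw in ["f7x!T9", "f7x!T9" * 5 + "Z", "correcthorsebatterystaple"]:
        print(f"{pw!r}: naive {brute_force_bits(pw):.1f} bits, pattern-aware {pattern_aware_bits(pw):.1f} bits")
    print(f"4 list words via dictionary attack: {passphrase_bits(4):.0f} bits, "
          f"~{seconds_to_exhaust(passphrase_bits(4)) / 3600:.1f} h offline")
```

The passphrase is the instructive case: about 117 bits under the naive model, but 44 bits once the attacker assumes four list words, which is hours at the offline rate and only matters if the hash has leaked; behind the 3-strike lockout discussed above, the online rate is a handful of guesses per lock.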
 

bruceb

Diamond Member
Aug 20, 2004
I know mine will take at least 16 characters, but it will not accept things like - or & and other special characters. It really should, but you can combine upper and lower case.
 

The-Noid

Diamond Member
Nov 16, 2005
My bank has an RSA SecurID and password. The password and RSA key also have a pop-up on-screen keyboard where the keys are pressed via mouse rather than typed in, for keyloggers.

I feel safe.
 

bruceb

Diamond Member
Aug 20, 2004
That SecurID is a nice idea. We used them at Verizon to log onto corporate applications. And that was from within a Verizon office, on their internal network. They should be mandatory for any financial website access. I think they are uncrackable, as the number changes about once a minute.