On Fri, Jan 15, 2010 at 10:07:34AM -0500, Jean-Francois Theroux wrote:
> With BLC, until a few months ago, I was also restricted to 6 characters. I
> emailed them asking why it was that way. And they said to not worry, that
> their system was secure ..

On Fri, Jan 15, 2010 at 08:54:35AM -0500, Nick Nobody wrote:
> I don't know if BMO is any better, they limit your password to 6
> characters for their online banking service :(

For the 6 characters/digits limits, we must be careful to not confuse usage of the ATM machine, which requires "something you possess" (your bank card), that can be forged of course but since it's only one of many countermeasures, it makes the system still pretty secure. Yet another countermeasure is that you need to be physically operating an ATM machine (that can also be worked around), and are systematically filmed (that can also be worked around). Finally, the card (even if forged) is deactivated after 3 failed attempts (usually). Then even weak password entropy is actually a proper (and simpler) security measure (e.g. people will not have to write down the password in their wallet).

Now, once you go online, all those safeguards are kicked out the door: many more password guessing attempts can be performed online (especially using multiple computers or straight out botnets). You don't actually need to be present physically and filmed, etc. So having similar password policies online and in person is just ludicrous. Effectively, the establishment of online services created a breach in the security system of those banks.

I'm pretty happy with the AccesD services of Desjardins, however I dislike many other problems they have with their online banking service (mostly that they limit reconciliation report history to "60 days, 30 days at a time" and they don't support anything other than IE for the payroll system). I can say that their password policies are good, even though they have this little (theoretically) anti-phishing theater going on at login that's pretty annoying for no real security.

A.

--
Real democracy is defined first and foremost by the massive participation of citizens in managing the affairs of the city. It is direct and participatory. It finds its most authentic expression in the popular assembly and the permanent dialogue on the organization of life in common.
- De la servitude moderne
