This is simplistic. Typically a large bank has many, many, systems bought over time. 20 years ago, SAML, ADFS etc didn't exist. A hashed password gets you into the first system. How does that system then integrate with 20 other systems, some of which are 20-30 years (or more) older? They might not support the same hashing mechanism (or not support hashes at all). They may have completely different password requirements/limitations.
It's one thing for a personal online banking site to have some password requirements, but changing a bank's core systems is a $500m-$1bn dollar project (having worked on two), and a multi-year project. It's not something that a bank can just provide at the drop of a hat. And whilst there are technical solutions to all of this it's not as simple as saying "hash all passwords or they don't know anything about security" Cheers Ken From: [email protected] [mailto:[email protected]] Sent: Saturday, 13 August 2011 5:37 AM To: NT System Admin Issues Subject: Re: Almost, but not quite OT: Passwords The stored password must be hashed (and preferably salted too) otherwise I would change banks. When you enter your password, that is hashed and compared to the stored hash. If it matches, then you are allowed in. But yes, they need to capture the hashes somehow, in that situation, either by sniffing or getting access to the database. But once that compromise is done, its usually only a matter of time. Sent from my POS BlackBerry wireless device, which may wipe itself at any moment ________________________________ From: "Ben Schorr" <[email protected]<mailto:[email protected]>> Date: Fri, 12 Aug 2011 09:24:27 -1000 To: NT System Admin Issues<[email protected]<mailto:[email protected]>> ReplyTo: "NT System Admin Issues" <[email protected]<mailto:[email protected]>> Subject: RE: Almost, but not quite OT: Passwords But doesn't that require them to break into the authentication system? When I go to log into my bank it doesn't present me a hashed password - I give it what I think my password is, it checks against its directory and either lets me in or tells me to try again. Or am I missing something? Ben M. Schorr Roland Schorr & Tower www.rolandschorr.com<http://www.rolandschorr.com> | www.officeforlawyers.com<http://www.officeforlawyers.com> | Twitter: @bschorr From: [email protected]<mailto:[email protected]> [mailto:[email protected]]<mailto:[mailto:[email protected]]> Sent: Friday, August 12, 2011 12:19 To: NT System Admin Issues Subject: Re: Almost, but not quite OT: Passwords A good brute force attack doesn't throw passwords out for authentication - just gets the hashed passwords and checks them against hashed values, AFAIK. Therefore account lockouts are not triggered. Sent from my POS BlackBerry wireless device, which may wipe itself at any moment ________________________________ From: "Ben Schorr" <[email protected]<mailto:[email protected]>> Date: Fri, 12 Aug 2011 09:15:39 -1000 To: NT System Admin Issues<[email protected]<mailto:[email protected]>> ReplyTo: "NT System Admin Issues" <[email protected]<mailto:[email protected]>> Subject: RE: Almost, but not quite OT: Passwords Length is more important than complexity, no doubt. While it's good to have mixed case and numbers and symbols the fact that you COULD is enough to force any brute force attack to check for it. And, frankly, any system that will allow 1,000 passwords a second to be thrown at it without locking the account or alerting an admin has a serious problem. Ben M. Schorr Roland Schorr & Tower www.rolandschorr.com<http://www.rolandschorr.com> | www.officeforlawyers.com<http://www.officeforlawyers.com> | Twitter: @bschorr From: andy [mailto:[email protected]]<mailto:[mailto:[email protected]]> Sent: Friday, August 12, 2011 12:00 To: NT System Admin Issues Subject: RE: Almost, but not quite OT: Passwords huh.. just tried something similar to one of my passwords, all lowercase, all letters, of course my real password has a couple of numbers in it. 780 quintillion years 20 character password all lowercase - 97billion years 11character password all lowercase 314 years huh... the password -- 0987654321aaaaaa -1 billion years aaaaaaaaaaaa - 12 years to hack so much for the password rules. then again my password would not work on a unix system. Are unix systems still only 8 characters. it looks like any 8 character password can be hacked in less than a week. At 11:00 AM 8/11/2011, Kennedy, Jim wrote: Good point, I just got phished. From: Gary Slinger [ mailto:[email protected]] Sent: Thursday, August 11, 2011 10:57 AM To: NT System Admin Issues Subject: Re: Almost, but not quite OT: Passwords It wasn't one of my current 'real' passwords. I'm not putting one of those in on a site I don't know. ________________________________ From: "Kennedy, Jim" <[email protected]<mailto:[email protected]>> Date: Thu, 11 Aug 2011 10:46:08 -0400 To: NT System Admin Issues<[email protected]<mailto:[email protected]>> ReplyTo: "NT System Admin Issues" <[email protected]<mailto:[email protected]>> Subject: RE: Almost, but not quite OT: Passwords Buwhahahah.... 124 thousand years. From: Gary Slinger [ mailto:[email protected]] Sent: Thursday, August 11, 2011 10:45 AM To: NT System Admin Issues Subject: Re: Almost, but not quite OT: Passwords With one special character, 15 years. Without it, 4 days. Interesting. ________________________________ From: "Martin Blackstone" <[email protected]<mailto:[email protected]>> Date: Thu, 11 Aug 2011 07:19:59 -0700 To: NT System Admin Issues< [email protected]<mailto:[email protected]>> ReplyTo: "NT System Admin Issues" < [email protected]<mailto:[email protected]>> Subject: RE: Almost, but not quite OT: Passwords I got one year. From: Shauna Hensala [ mailto:[email protected]] Sent: Thursday, August 11, 2011 7:16 AM To: NT System Admin Issues Subject: RE: Almost, but not quite OT: Passwords Have your users go here: http://www.howsecureismypassword.net/ and enter their password to see how long it would take to crack. A fun little exercise. [Description: Red rose]Shauna Hensala ________________________________ From: [email protected]<mailto:[email protected]> To: [email protected]<mailto:[email protected]> Subject: RE: Almost, but not quite OT: Passwords Date: Thu, 11 Aug 2011 13:43:08 +0000 I changed my bed linens at the beginning of each semester whether they needed changing or not. J Carl Webster Consultant and Citrix Technology Professional http://www.CarlWebster.com<http://www.carlwebster.com/> From: Crawford, Scott [ mailto:[email protected]] Sent: Thursday, August 11, 2011 8:32 AM To: NT System Admin Issues Subject: RE: Almost, but not quite OT: Passwords nice. Reminds me of an old roommate, "I clean the shower every six months whether it needs it or not." Sent from my Palm Pre on the Now Network from Sprint ________________________________ On Aug 11, 2011 7:42 AM, Webster <[email protected]<mailto:[email protected]> > wrote: I change my passwords religiously every 7 years. Carl Webster Consultant and Citrix Technology Professional http://www.CarlWebster.com<http://www.carlwebster.com/> From: Gasper, Rick [ mailto:[email protected]] Subject: RE: Almost, but not quite OT: Passwords Crap...I now have to change my password again... From: Jon Harris [ mailto:[email protected]] Subject: Re: Almost, but not quite OT: Passwords If the in-house team ever got a round to it both could be kept happy but using something like "Horses like 2 fly, like bugs like to be stepped on!" Complex and easy to remember. How long would that take for a brute force attack or a dictionary attack to get the password? FYI that is NOT one of my passwords! Jon On Wed, Aug 10, 2011 at 6:10 PM, Webster <[email protected]<mailto:[email protected]> > wrote: Because the security team and or auditor are simply following a check list. Complex passwords required - check. My job is done. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ < http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ < http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ < http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ < http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ < http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ < http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ < http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ < http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ < http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin Content-Type: image/gif; name="image001.gif" Content-Description: image001.gif Content-Disposition: inline; Content-ID: <[email protected]<mailto:[email protected]>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected]<mailto:[email protected]> with the body: unsubscribe ntsysadmin ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
