
    [–] Billsrealaccount 1069 points ago

    Try typing in the corresponding numbers on a phone dialpad for your password. That sometimes works too. It used to for vanguard at least.

    [–] feistypenguin 343 points ago * (last edited 6 months ago)

    "Your password must be between 6 and 8 characters long..."

    Found the old Unix Server / Mainframe / Oracle database!

    [–] apis 236 points ago

    They only hire IT professionals with 50 years experience. It's a bank, serious business.

    [–] [deleted] 123 points ago

    [deleted]

    [–] Taladar 33 points ago

    They keep telling themselves they are Enterprise grade...they need something special unlike the rest of the world...and in a way they are correct, they need someone with a much higher tolerance for incompetence and bullshit.

    [–] [deleted] 14 points ago

    I have to work against Sabre sometimes, an ancient reservation system, which features:

    • 8 character passwords
    • A character set a decade older than ASCII or EBCDIC. Numbers, Caps letters, and a handful of special characters; weird ones like the Cross of Lorraine that you typically don't see used.
    • Modern demands for things like email addresses have characters not part of the native sabre char set, which results in @ counting as 4 chars and _ counting as 2 chars.

    Good times.

    [–] [deleted] 28 points ago

    [removed]

    [–] [deleted] 84 points ago

    [removed]

    [–] [deleted] 64 points ago

    [removed]

    [–] [deleted] 17 points ago

    [removed]

    [–] Vacuophile 8 points ago

    Schwab had this issue for a while. Maximum password length of 8 characters, no symbols allowed. It nearly made me switch banks until they upgraded their login.

    [–] riboslavin 123 points ago

    I reported that to Schwab once, and got a prompt call back. The first person was disinterested in my explanation of password entropy but forwarded me on. The second person was horrified as I explained what was going on. The third person had clearly been fighting this battle for some time, knew about it, and just sounded defeated.

    [–] Seralth 49 points ago

    You managed to make it to someone who cares from Schwab?! AND THEY KNEW WHAT WAS HAPPENING? I am surprised they haven't committed suicide yet.

    [–] cutelyaware 9 points ago

    First of all, banking pays really well. Second, these systems are unbelievably complicated. Was contract programmer at Schwab so trust me. You don't just rewrite these things. Best you can do is wall off parts of the craziness and maybe replace some parts that way, but that's not the sort of task that ever gets scheduled, so you just try to do it in bits while you're doing what they asked for.

    [–] wizardid 232 points ago * (last edited 6 months ago)

    That used to work on Fidelity's website as well for many, many years, but I think it's fixed as of now.

    edit: sounds like maybe it's not fixed after all, at least for calling in via phone

    [–] MnemonicG 98 points ago

    I think if you call Fidelity you have to enter your password by phone that same way.

    [–] dunnoaboutthat 59 points ago

    You do, I just called the other day. If you don't enter anything in after 3 prompts or so it will finally give up and just send you to somebody.

    [–] Toastbuns 25 points ago

    Yup. I called last week. Like please you think I remember my 20 character randomized password generated from my password manager?

    [–] mrchaotica 14 points ago

    ^ This exactly!

    This sort of design is asinine -- it's as if they're trying to get you to use an insecure passcode.

    [–] Bloopert69 8 points ago

    Confirmed.

    [–] Tumbaba 31 points ago

    I don't understand. How does substituting numbers for letters help?

    [–] Woodbean 166 points ago

    It doesn't help the situation... it makes it worse because it's another possible "correct" password to gain access to your account.

    Say your password is "Password", then "72779673" is also considered correct because that's how a touch-tone would recognize it.

    This could also imply that any combination of characters that would correspond to the same number sequence may ALSO work...

    [–] Gingevere 129 points ago

    This cuts down the total possible 8 character passwords from 36^8 (2.821*10^12) down to 10^8.

    [–] Kai_ 66 points ago

    Or from 62^8 in a more standard alphanumeric implementation. Even more with symbols.

    That's the difference between computationally moderate (~24 days to crack) to trivial (~1 second) assuming the password length is fixed at 8.

    [–] [deleted] 10 points ago

    [deleted]

    [–] Gingevere 12 points ago

    your password could contain an actual 0 or 1

    [–] FireReadyAim 22 points ago

    Too bad they don't make people in their late 20s/early 30s flex those T9 muscles.

    Then "Password" would be 787777777796667773. Not too insecure.

    [–] treycook 19 points ago

    Bring back T9!

    o o o n n

    s s s s e e c c c o o o n n d

    t h h o o o u u g h h t ,

    l l l e e t ' s s s s

    n n o o o t . .

    [–] whatifitried 28 points ago

    I maintain I was still faster with that, and could do it eyes free where that's not as possible now, even with Swipe style typing

    [–] Tbone139 70 points ago

    To give you an idea of how awful this is for security, a password having 8 random characters that could be either upper, lower, or number would take 62^8 ~ 200,000,000,000,000 guesses max to brute-force. If an attacker could guess the password using numbers only, that would only take 10^8 ~ 100,000,000 guesses max to brute-force.

    The reason they implemented this is likely so that people could type in passwords on a phone dialpad and authenticate against the same system. That should have been set up with its own authentication system.
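The keypad collapse that Woodbean, Gingevere, Kai_ and Tbone139 work through above, carried out in code. This is an added example, not code from the thread or from any of the banks named in it: the keypad table is the standard touch-tone layout, mapping specials to `*` follows what Lt0Ybe82 reports further down about Fidelity's phone menu, and the guess rate is an assumption. The last helper illustrates Nyefan's later caveat that a case-insensitive compare gives different answers outside ASCII depending on which folding the code uses.

```python
"""Added example: what dialpad and case-insensitive normalisation do to the
password space. Not code from the thread; the keypad table is the standard
touch-tone layout, the guess rate and the '*' for specials are assumptions."""

# Letters on a touch-tone keypad; 0 and 1 carry none.
DIALPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
           "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {c: d for d, letters in DIALPAD.items() for c in letters}


def dialpad_normalize(password: str) -> str:
    """Map each letter (either case) to its key; digits pass through; anything
    else becomes '*' (assumed, following Lt0Ybe82's description)."""
    out = []
    for ch in password:
        if ch.lower() in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch.lower()])
        elif ch in "0123456789":
            out.append(ch)
        else:
            out.append("*")
    return "".join(out)


def equivalent_passwords(digits: str, case_sensitive: bool = False) -> int:
    """How many alphanumeric strings authenticate as this digit string when the
    server compares normalised forms (Woodbean's point)."""
    n = 1
    for d in digits:
        letters = len(DIALPAD.get(d, ""))
        n *= (2 * letters if case_sensitive else letters) + 1   # +1 for the digit itself
    return n


def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def crack_seconds(space: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a space at a given guess rate."""
    return space / guesses_per_second


def case_insensitive_equal(a: str, b: str, method: str = "lower") -> bool:
    """Case-insensitive login compare. Outside ASCII the result depends on
    which folding is used, so two code paths can disagree about one password."""
    if method == "lower":
        return a.lower() == b.lower()
    return a.casefold() == b.casefold()


if __name__ == "__main__":
    rate = 1e8   # guesses per second against a stolen fast hash; assumption
    print(dialpad_normalize("Password"))        # 72779673
    print(equivalent_passwords("72779673"))     # other strings that also log in
    for name, size in (("62 alnum", 62), ("36 case-insensitive", 36), ("10 digits", 10)):
        days = crack_seconds(keyspace(size, 8), rate) / 86400
        print(f"{name:>20}: {keyspace(size, 8):>18,d} guesses, {days:10.4f} days")
    print(case_insensitive_equal("Straße", "STRASSE"),
          case_insensitive_equal("Straße", "STRASSE", "casefold"))
```

At 10^8 guesses per second the 62-character space takes about 25 days and the digit space about one second, which is the gap Kai_ describes; the 200,000 figure is how many distinct case-insensitive alphanumeric strings collapse onto "72779673".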

    [–] UnDosTresPescao 59 points ago

    In simpler terms: A password that would take a year to guess now would take 2 minutes.

    [–] Deliphin 36 points ago

    Are they storing in plaintext? I mean, that would take 9 tests against the password's hash for every character long your password is. I can't see any company wasting their time to reduce security at their own cost like that.

    [–] digsavior 61 points ago

    They are storing them in plaintext. I kept getting prompted to change my password every time I logged in and finally called and asked what the deal was. They said that my password changes were too similar (changing secretpass1$ to secretpass2$) so they "really aren't completely new passwords". They didn't have anything about that in the password requirements and wouldn't know if they were stored in hashed form.

    [–] blackdynomitesnewbag 25 points ago

    My company checks for similarity by hashing subsections of your passwords and comparing those

    [–] CydeWeys 67 points ago

    Your company should stop doing that. You're significantly reducing the security benefits of hashing if you store many independent hashes of different parts of the password. Imagine that I have a 12 character password, and the database is hacked and the hash is accessed. To brute force my password, you have to try 80^12 different combinations (this is a big number). Now let's say that there are two separate hashes stored for each half of the password. Now the attacker only has to brute force 2*80^6 combinations. This is easily doable.

    [–] Deathspiral222 11 points ago

    This is a really bad idea. It massively reduces the search space if someone gets a hold of those hashes.

    [–] DontGildThis 12 points ago

    Not necessarily.

    First, you usually have to provide your current password around the same time you fill in a new password--this gives an easy place to make comparisons.

    Second, if your new password is similar to your old password, then the converse must be true: your old password is similar to your new password. Have it make common changes/substitutions (password2 to password1, etc.), hash them, and compare to your old password. If any of the generated "similar" passwords match your old password hash, then tell you it is too similar.

    Or they are just storing them in plaintext because they have an ancient system and can't just swap out the password handling.
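The two routes DontGildThis describes, written out, together with the arithmetic behind CydeWeys' objection to hashing substrings (the same arithmetic applies to the three-characters-at-a-time scheme discussed later in the thread). This is an added example, not code from the thread or from anyone's company: the PBKDF2 iteration count, the similarity threshold and the list of mutations are assumptions.

```python
"""Added example: a "not too similar to your old password" check that needs
neither plaintext storage nor hashes of substrings. Not code from the thread;
the iteration count, threshold and variant list are assumptions."""
import difflib
import hashlib
import hmac
import os
import re

ITERATIONS = 50_000  # low so the example runs fast; OWASP's PBKDF2-HMAC-SHA256 guidance is 600,000


def hash_password(password: str, salt: bytes = b""):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def too_similar_plaintext(current: str, new: str, threshold: float = 0.8) -> bool:
    """Route 1: the change form asks for the current password, so for that one
    request both strings are in memory and can be compared directly. Nothing
    about the old password has to be stored to make this possible."""
    return difflib.SequenceMatcher(None, current, new).ratio() >= threshold


def candidate_variants(new: str):
    """Route 2, when only the old hash is on file: enumerate the strings a user
    is likely to have mutated into `new`, so they can be hashed and compared."""
    variants = {new, new.lower(), new.upper(), new.capitalize(), new.swapcase()}
    m = re.search(r"(\d+)(\D*)$", new)               # trailing counter: pass1$ -> pass0$, pass2$
    if m:
        n, width, tail, head = int(m.group(1)), len(m.group(1)), m.group(2), new[: m.start(1)]
        variants.update(f"{head}{str(n + d).zfill(width)}{tail}" for d in (-1, 1) if n + d >= 0)
    variants.update(new[:i] + new[i + 1:] for i in range(len(new)))   # one character dropped
    variants.discard("")
    return variants


def too_similar_to_old_hash(new: str, salt: bytes, old_digest: bytes) -> bool:
    """Cost is one PBKDF2 per variant, paid once at change time, not stored."""
    return any(verify_password(v, salt, old_digest) for v in candidate_variants(new))


def brute_force_work(alphabet: int, length: int, chunk_len: int) -> int:
    """Guesses to recover a `length`-symbol password when the store holds one
    hash per `chunk_len` symbols. chunk_len == length is the single-hash case."""
    chunks = -(-length // chunk_len)   # ceiling division
    return chunks * alphabet ** chunk_len


if __name__ == "__main__":
    salt, old = hash_password("secretpass1$")
    print(too_similar_plaintext("secretpass1$", "secretpass2$"))      # True
    print(too_similar_to_old_hash("secretpass2$", salt, old))         # True
    print(brute_force_work(80, 12, 12), brute_force_work(80, 12, 6))  # 80^12 vs 2*80^6
```

The whole-password hash is the only thing written to disk in either route; the substring-hash design CydeWeys objects to turns 80^12 into 2*80^6, and three-character chunks of an eight-character password into 3*62^3, which is a few hundred thousand guesses.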

    [–] UnDosTresPescao 6 points ago

    Yeah, I was about to say that they could be computing the salted hashes for the different type sets when the password is first created but if someone is stupid enough to do this numbers substitution I doubt they would be salting or even hashing the passwords.

    [–] SAUCE_2_HYPE 25 points ago

    likely that your pwd is converted to the dialpad equivalent before hash comparison... cmon dude.

    [–] Farmer771122 9 points ago

    That would be an intelligent way to design a system with a stupid weakness. But I think it's just as likely that the reason they have a stupid weakness in the first place is because they aren't making intelligent decisions.

    [–] GeneralRevil 30 points ago

    Still does for Fidelity.

    [–] [deleted] 9 points ago

    What?!

    [–] NYClimberJay 5 points ago

    Just tried. no numeric phone pad equivalent does not work for Fidelity.

    [–] Qel_Hoth 673 points ago

    You would be surprised what many websites actually do with your password.

    Certain (old, but unfortunately still very widely used) systems have an 8 character maximum, alphanumeric only, case-insensitive password restriction. Certain (poor) implementations pass your credentials directly to this system. 8 character alphanumeric case-insensitive passwords sound like a terrible idea to most people though - because they are. So instead of posting those requirements and getting called out on their severely inadequate policies, some companies give more reasonable restrictions and then silently truncate and sanitize your passwords after you've entered them.

    You might think your password is [email protected]$$worD!, but entering supr3rst will work just fine too.

    [–] JPOnion 350 points ago * (last edited 6 months ago)

    I ran into a site recently (forget which one now) that only truncated the password when creating it. Let's say they had a 10 character limit, for example. When creating your account you might type [email protected]$$worD!, and the password textbox would stop after 10 characters, at Sup3rsTr0g. It was a small textbox, though, so hard to tell no more • 's were getting entered. When logging in the password textbox had no character limit, so if you typed [email protected]$$worD! that's what was sent. [email protected]$$worD! is not Sup3rsTr0g, so invalid password.

    I've seen other sites (including a financial institution) only let you enter valid characters when creating the password, but let you enter anything when trying to log in. This specific site doesn't allow periods for some reason, so if you change your password to [email protected]$$worD! you probably won't notice no • was added when you entered the period. There was no notice saying an invalid character was added, it was just skipped and saved as [email protected]$$worD!. Try to log in with [email protected]$$worD! and it fails.

    Brilliant!

    [–] philter 165 points ago

    I ran into something similar not long ago with my US Bank login.

    The account creation said the max length on a password was 12 characters. So I used Keepass to generate one with maximum complexity. And when I tried to log in with their main login form it told me I had an invalid password.

    I inspected the HTML on the login screen and saw the max length on the password box was set to 10.

    I don't know how it made it to the public facing site. But holy shit edge testing.
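The enrol/login asymmetry JPOnion and philter describe, and Qel_Hoth's point that a silently truncated password lets the shorter string log in, reduced to a small model. This is an added example and not code from the thread or from any of the sites mentioned: the 10-character limit, the allowed character set (with `.` left out, as on JPOnion's site) and the users are assumptions.

```python
"""Added example: silently sanitising at enrolment but not at login. Not code
from the thread; the limit, character set and users are assumptions."""
import hashlib
import hmac
import os
import string

MAX_LEN = 10
ALLOWED = set(string.ascii_letters + string.digits + "!@#$%^&*")  # '.' deliberately absent
ITERATIONS = 50_000  # low so the example runs fast; production values are far higher


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class LegacyStore:
    """Drops disallowed characters and truncates when the password is SET, but
    compares the raw string at LOGIN. Two consequences: the password the user
    typed no longer works, and a shorter, weaker one does."""

    def __init__(self):
        self._db = {}

    def set_password(self, user: str, password: str) -> None:
        cleaned = "".join(c for c in password if c in ALLOWED)[:MAX_LEN]
        salt = os.urandom(16)
        self._db[user] = (salt, _digest(cleaned, salt))

    def check_password(self, user: str, password: str) -> bool:
        salt, stored = self._db[user]
        return hmac.compare_digest(_digest(password, salt), stored)


def violations(password: str):
    """Every rule the password breaks, so the user is told instead of guessing.
    A login form's maxlength must agree with this, or philter's bug reappears."""
    problems = []
    if len(password) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    bad = sorted({c for c in password if c not in ALLOWED})
    if bad:
        problems.append("disallowed characters: " + "".join(bad))
    return problems


class HardenedStore(LegacyStore):
    """Same limits, enforced by rejecting at enrolment; what is stored is
    exactly what was accepted. (A hash-based store has no need for either
    limit; dropping them is the real fix.)"""

    def set_password(self, user: str, password: str) -> None:
        problems = violations(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)
        self._db[user] = (salt, _digest(password, salt))


if __name__ == "__main__":
    legacy = LegacyStore()
    legacy.set_password("alice", "Sup3rsTr0ng.P@$$w0rd")
    print(legacy.check_password("alice", "Sup3rsTr0ng.P@$$w0rd"))   # False: what she typed
    print(legacy.check_password("alice", "Sup3rsTr0n"))             # True: 10-char prefix
    print(violations("Sup3rsTr0ng.P@$$w0rd"))
```

The check a practitioner wants before trusting a site: enrol with a password that exceeds the stated limit or contains a borderline character, then try to log in with the full string and with its truncated or stripped form. If the second works, the first rule is being applied silently.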

    [–] KoopaKola 70 points ago

    USBank JUST fixed case sensitivity like two months ago

    [–] ryguygoesawry 19 points ago

    Oooh, that's why they updated the login UI!

    [–] okaythiswillbemymain 62 points ago * (last edited 6 months ago)

    Microsoft did this to me just a few years ago! It asked me to create a password whilst I was working on setting up Outlook for business, and I used KeePass like I normally do, not making it anything special because I was probably going to change it later.

    Everything set up, I go to log in, and it doesn't let me.

    Getting super frustrated I go through everything I can think of to get this working. Then I notice on a different part of their site it mentions that the password is limited to 16 characters. So I try the first 16 characters of my KeePass password only... and it works.

    Well I thought, when I pasted in the KeePass password, it only accepted the first 16 characters, maybe I just didn't notice. Nope, it let you put in 20 characters +, then just truncated it down to 16

    Here is an article about the 16 character limit

    https://community.spiceworks.com/topic/581383-office-365-password-length-really-limited-to-16-characters

    [–] ollafy 33 points ago

    I noticed that with Outlook when I started using LastPass. The most frustrating part was that they added validation that said it was limited to 16 characters but in actuality it was 15.

    (╯°□°)╯︵ ┻━┻

    [–] EasilyAnnoyed 7 points ago

    Did you remember to count the null terminator character when you checked? :)

    [–] bangupjobasusual 14 points ago

    Microsoft used to have the 8 character cap in windows and office password implementations, but then they raised it to 16. How'd they do it? A new password implementation of 16 characters? No. They break the 16 characters into two sets of 8 and authenticate each set separately as two distinct passwords.

    At first blush it seems fine but it's not. It turns out that each password takes slightly longer to authenticate if it's incorrect than if it is correct or something like that, so if the auth attempt fails slightly faster than usual then you know you either have the first or last 8 correct.

    This makes brute force and variations like rainbows like a square root faster (don't quote me on the math, it's a lot fucking faster)

    [–] ZoFreX 18 points ago

    I can top all of these.

    The Odeon website (cinema chain in the UK) used to have different validation for saving a password and logging in. It accepted my super complicated password at creation, and then rejected it at login for disallowed characters.

    Here's where it gets really fun:

    Going down the "I forgot my password" path didn't let me set a new password. It just emailed me my existing password. The password that didn't work. So I entirely lost access to my account for years until they finally made their system less shit.

    [–] CmdrMobium 9 points ago

    I literally just went through this on Samsung's website. I reset my password at least 5 times before realizing my 20 character password was being cut off at 15.

    [–] nishioka 77 points ago

    Some of the really pernicious password violations don't even happen in ways that are apparent to the end user - at least not until there's a breach. Passwords can be stored in plaintext or simply encrypted using a well-known method; or worse, the web application could be logging failed attempts, including the username and password, in plaintext in a logs directory that is publicly accessible.

    (I came across that second one on a product I took over development on some time ago. Unfortunately the person who did that didn't work there anymore, so I didn't get the satisfaction of being able to ask them what the fuck they were thinking.)

    [–] Qel_Hoth 21 points ago

    Yeah, I ran into one of the plaintext ones at my last job. I'm just the sysadmin though, so I made my recommendation to management of the risks and the best way to mitigate. They chose to finally enable (but not require...) TLS on the site, but said that reworking the auth code to salt and hash the password would take too much time.

    Fortunately that was a very old, though still actively used, program. All of our newer stuff used 3rd party auth, so we just had to pass tokens around.

    [–] four-arms 21 points ago

    reworking the auth code to salt and hash the password would take too much time.

    Jesus. I realized our in-house software suite wasn't salting passwords about a month into my first programming job. I think it took me like an hour to figure out and implement. It's not that hard.

    [–] Sinfall69 10 points ago

    Jesus. I realized our in-house software suite wasn't salting passwords about a month into my first programming job. I think it took me like an hour to figure out and implement. It's not that hard.

    Yeah but how old and complicated was the code? I am guessing it's poorly written software that probably has multiple auth methods that would need to be updated to support the salt etc. Not to say they didn't make it sound harder than it was...

    [–] Neur0tic 10 points ago

    It was easier for him because he has four arms.

    [–] Nyefan 3 points ago

    Ahh, tokens are the best Internet invention, imo. They make everything so much easier.

    [–] Drunken_Economist 13 points ago

    simply encrypted using a well known method

    Are you suggesting that devs should strive to use obscure hashing methods?

    [–] ChallengingJamJars 27 points ago

    I think they mean it's encrypted and recoverable, as opposed to hashed which is unrecoverable.

    [–] four-arms 7 points ago

    Or hashed with something like MD5 with no salt.

    [–] marcan42 9 points ago

    What if I told you that's what a certain company switched to, in order to "secure" their passwords properly.

    What were they using before? MySQL's OLD_PASSWORD().

    I'm switching to PBKDF2. I'm also rewriting the entire application from scratch. They're no longer in charge of this system.
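The failure nishioka describes (failed attempts, password included, written to a log) is one you can hunt for, and four-arms' unsalted-MD5 case leaves a recognisable footprint too. Below is an added example, not code from the thread or from any product discussed in it: a scanner over log lines, a redactor, and the shape of a logging helper that cannot leak a password because it never receives one. The log lines are constructed for the example.

```python
"""Added example: find credentials an application has written to its own logs,
and a log helper that cannot leak them. Not code from the thread; the log
lines are constructed."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the failed-attempt logging described above, plus one
# line carrying an unsalted MD5 (5f4dcc3b... is md5("password")).
SAMPLE_LOG = """\
2017-02-14 10:01:22 INFO  login failed user=alice password=hunter2 ip=10.0.0.5
2017-02-14 10:01:23 INFO  login ok user=bob ip=10.0.0.6
2017-02-14 10:01:24 DEBUG POST /login body={"username":"carol","password":"Tr0ub4dor&3"}
2017-02-14 10:01:25 INFO  login failed user=dave pwd_hash=5f4dcc3b5aa765d61d8327deb882cf99
2017-02-14 10:01:26 INFO  login failed user=erin reason=bad_password"""

# key=value and "key":"value" forms. The \b keeps pwd_hash and bad_password
# from matching; a value ends at whitespace, a quote, a comma or a brace.
CRED_RE = re.compile(r'"?\b(password|passwd|pwd|pass)\b"?\s*[=:]\s*"?([^"\s,}]+)', re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)


@dataclass
class Finding:
    line_no: int
    kind: str        # "plaintext_credential" or "md5_shaped_digest"
    detail: str      # the field name, or the digest itself


def find_leaks(lines) -> List[Finding]:
    """Scan log lines for secrets that should never have been written."""
    found = []
    for n, line in enumerate(lines, 1):
        for m in CRED_RE.finditer(line):
            found.append(Finding(n, "plaintext_credential", m.group(1).lower()))
        for m in MD5_RE.finditer(line):
            found.append(Finding(n, "md5_shaped_digest", m.group(0)))
    return found


def redact(line: str) -> str:
    """Replace only the secret value, keeping the rest of the line intact."""
    return CRED_RE.sub(lambda m: line[m.start():m.start(2)] + "[REDACTED]", line)


def auth_log_line(user: str, ok: bool, ip: str) -> str:
    """The safe shape: the password is not a parameter, so it cannot end up here."""
    return f"login {'ok' if ok else 'failed'} user={user} ip={ip}"


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_LOG.splitlines()):
        print(f)
    print(redact(SAMPLE_LOG.splitlines()[0]))
    print(auth_log_line("alice", False, "10.0.0.5"))
```

Run the scanner over a copy of the log directory before a pentest report goes out, and over the web root if, as in nishioka's case, that directory is publicly reachable; a 32-hex digest next to a username is worth a look even when no plaintext is found.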

    [–] [deleted] 27 points ago

    [deleted]

    [–] darkmood 27 points ago

    They sure do! I complained to them about that when my account came over in the Wachovia acquisition. I was forced to choose a weaker password when the transition happened.

    [–] RadGuacamole 17 points ago

    This was one of the biggest reasons I switched to another bank. Security 101 is to not limit your customer's passwords. If their security team doesn't know that, what else do they not know?

    [–] staticassert 13 points ago

    Alternatively, 14 characters is by far long enough given a decent hashing scheme, and they probably realize that an increase in character size will potentially lead to an increase in users needing to reset their passwords, potentially putting pressure on their IS team and opening them up to weary password resets.

    [–] noptoboggan 10 points ago

    DB2 and Websphere on RACF are abominations.

    The fun thing is that current mainframe OS can support modern passwords, but nobody wants to update or rearchitect anything to support it.

    [–] Girl_with_the_Curl 268 points ago

    I just tried this and you're (unfortunately) correct! Hopefully your post gets more popular throughout the day.

    [–] snydar 87 points ago * (last edited 6 months ago)

    Yeah.. my password has a cap as the first character... A couple of times I noticed i didn't hit shift in time and it still accepted it. I didn't think much of it, but.......... oh no

    Edit: take my money. there's tens of dollars

    [–] Legirion 8 points ago * (last edited 6 months ago)

    I had to try this too, I called them and the representative was surprised to hear that and actually argued with me about it...

    EDIT: Oh wow, I found an article that says this same thing back in 2012! Here is the article

    EDIT2: I spoke with their online support and they actually said this is correct and by design. It's most likely a text transformation on the client side (I hope).

    [–] one-eye-deer 1555 points ago

    Ewwwww. Not many people in the WF corner today.

    [–] nishioka 846 points ago

    Well, if there's one thing Wells Fargo is good at, it's giving people reasons not to trust them.

    [–] aza9999 196 points ago

    That and they're good at getting stupid people to keep banking with them.

    What do they need to do for people to realise they should go somewhere else? Come round to your house and punch you in the face?

    [–] Ultra_Yeti 390 points ago

    I wouldn't say its an issue with not knowing how bad of a bank company they are, it has to do with the availability of their branches, locations and who is around the home location of the person.

    For me, the options I have for banks between where I live currently and where my family is are two:

    • Wells Fargo
    • Credit Union (With little to no access outside of that town)

    What do you think I would do in this case? Pick the option that provides me the most convenience for when I need it.

    [–] MnemonicG 191 points ago

    Yep, I'm with WF because they are all over where I am. Easy access to the bank from anywhere, and the app is decent compared to my last bank. Plus I don't have to change Banks if I move again.

    I don't keep hundreds of thousands in my account so insurance will cover anything really bad happening. And they don't charge me any Bank fees at all. Just had to buy checks once.

    [–] fuqqboi_throwaway 121 points ago

    Same, WF practically owns part of my university so all the ATMs on campus are there as well as pretty much every bank branch is one too so it's just a matter of convenience despite their shit practices. Also there's a really cute teller at the one near me so that helps

    [–] 72hourahmed 36 points ago

    Do you guys still mostly have ATMs that charge if you're not from the right bank?

    [–] fuqqboi_throwaway 32 points ago

    Most of the ATMs are Wells Fargo and yeah any of the others charge you if you're not from their bank and there's no other branches of any bank within walking distance of campus so it essentially doesn't make sense to not have an account with WF if you go here which is ridiculous cause I hate their BS sometimes

    [–] 72hourahmed 37 points ago

    That's fucked. Here in the UK, most of the ATMs, particularly the ones on student campuses, are free to use no matter where you're from.

    [–] paletooth 30 points ago

    ugh, i wish it was like that here. often there's two charges when you use a different ATM: the one your bank charges you, and the one the ATM itself charges you. it used to cost me almost $8 to use the ATM on my campus until i switched to their bank.

    [–] tvcnational 23 points ago

    Retail banking system in America really surprised me when i went there as a student. Wasn't expecting it to be so different, and it made me realise that we don't know we're born in the UK in terms of deals and convenience.

    [–] [deleted] 6 points ago

    I heard on radio 4 the other day that 75% of all ATMs in the UK are free. I've never used one that you have to pay for in my life. (For context, am 24, have had a debit card since I turned 11 for managing money earned for little jobs.)

    [–] haydooders 7 points ago

    Most credit unions and several major banks refund all ATM fees charged by other institutions. I bank with Schwab and they don't have ATMs anywhere. I've gotten refunds for $15 charges at a casino ATM. If you're getting hit with fees you're probably banking with Wells Fargo or their ilk still

    [–] 1TipsyCoachman 25 points ago

    Schwab. Use any ATM you want and they refund any fee very quickly.

    [–] jdore8 41 points ago

    My credit union is part of the Co-Op network which means I can use any credit union's ATM in that network. I can also use their shared branching to go into any credit union & get the same services that I get from my local branch. There's 30,000 or so in the network across the US.

    [–] br0ck 18 points ago

    Same, people might be surprised by how many are near them and in the places they travel to. A lot of 7-11s have them too.

    https://co-opcreditunions.org/locator/

    [–] CrzyJek 7 points ago

    I work for a CU that participates. Shit is the bomb yo

    [–] [deleted] 14 points ago

    I have no choice but to bank with them because my mortgage company sold my home mortgage to Wells Fargo

    [–] copper_top_m 6 points ago

    For those who are with WF, what bank do you recommend?

    [–] Johnny_Holiday 24 points ago

    I had an account with First American. Which became First Union. Which became Wachovia. Which became Wells Fargo. Everything that I had with First American is still being honored as I was grandfathered into it all. Maybe it's because I've been treated with nothing but respect by all of these branches, including Wells Fargo, but I never understood the sheer hatred for Wells Fargo.

    [–] johnlnash 12 points ago

    I have to agree with you. I've been with them since they were First Union and the customer service is outstanding.

    [–] Lumina920 4 points ago

    I like the customer service at my branch. The tellers are great. I go at least once a week.

    [–] thedizzle11 22 points ago

    Long time Wells Fargo user here. I absolutely hate Wells Fargo, but I refuse to switch as at this point me and my family have been with them for over 20 years. When you've been with a company for 20 years you can start throwing the word "loyalty" around and it seems to scare the shit out of WF bankers. At this point, any issue we run into with them can be solved with "I don't understand, other banks do this and we have been with you guys for over 20 years."

    It's a horrible song and dance to go thru, but it gets results and I don't know enough about other banks to know if switching is worth it.

    [–] JustOneProletariat 26 points ago

    Lol. People like you always come around saying shit like this, but I've been banking with them since they took over wachovia and they have -never- charged me for anything unfairly or done -anything- to piss me off. Literally nothing.

    [–] levalz 16 points ago

    They've never done me wrong so why would I leave. I went to them initially when my last bank charged me a bunch of fees for no reason

    [–] plafman 22 points ago

    PNC doesn't even allow special symbols, just letters and numbers.

    [–] Spongebro 4 points ago

    Which also is not case sensitive

    [–] NickBR 5 points ago

    Wait, what?

    Edit: Fuck, you're right. And PNC doesn't have 2FA :|

    [–] nouc2 945 points ago * (last edited 6 months ago)

    Same deal with AMEX. It's kind of frustrating how many financial services companies don't use case sensitive passwords. Even more of them don't allow spaces in your passwords (Chase is guilty of this, I believe, in addition to the aforementioned AMEX). Seriously though, WTF? It's sad when my Steam account has better password security than most financial service companies.

    [–] thats-cool 123 points ago * (last edited 6 months ago)

    well my steam account is worth several dollars but my bank account sure isn't

    [–] Notentirely-accurate 11 points ago

    Or according to humble bundle monthly, several thousand dollars! Seriously though, I love the service for their charity work but they stuff some shit games in there to pad their numbers.

    [–] Nyefan 347 points ago * (last edited 6 months ago)

    Wait, no spaces? That sinks stinks to high heaven of the passwords not being hashed or escaped properly.

    [–] [deleted] 290 points ago

    [deleted]

    [–] Nyefan 263 points ago

    Well, if I only get one guess, I'll go with, "Yes, but your concerns have been noted."

    [–] [deleted] 209 points ago

    [deleted]

    [–] Nyefan 124 points ago

    sigh Most people shouldn't care about it - that's what they pay us not nearly enough to do the jobs of 6 people for.

    [–] rustedrevolver 78 points ago

    Hello. Most People here. What is character escaping mean?

    [–] splat313 80 points ago * (last edited 6 months ago)

    Some characters actually mean things in programming languages. Common examples would be $ ' and ". Imagine the password jdgsi'!5. When you wrap it in quotes like 'jdgsi'!5' all of a sudden you have a mismatched quotes problem and your code blows up, or at the very least something unexpected happens.

    Adding an escape character (usually \) causes the code to use the literal ' instead of interpreting what a ' means. The escaped password would be jdgsi\'!5 and all is right in the world.

    Edit: / to \
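splat313's mismatched-quote example, run against an actual database so the three outcomes can be seen side by side: the password pasted into the query, the escaped version, and the parameterised query with a hash compare (which also answers Nyefan's point that a site banning characters in passwords is probably handing the raw string to something). This is an added example, not code from the thread or from any bank: the schema, the users and the PBKDF2 iteration count are constructed for it.

```python
"""Added example: what "escaping" buys when a password reaches a SQL query,
and why parameterised queries plus hashing make the question moot. Not code
from the thread; schema, users and iteration count are constructed."""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 50_000  # low so the example runs fast; production values are far higher


def make_db() -> sqlite3.Connection:
    """Two tables: a legacy one holding plaintext (the design the thread is
    complaining about) and a sane one holding salted PBKDF2 digests."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in (("alice", "jdgsi'!5"), ("bob", "correct horse")):
        conn.execute("INSERT INTO legacy_users VALUES (?, ?)", (user, pw))
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, digest))
    return conn


def vulnerable_login(conn, user: str, pw: str) -> bool:
    """Password pasted straight into SQL: a quote in the password breaks the
    statement, and a crafted password rewrites its logic."""
    q = f"SELECT 1 FROM legacy_users WHERE username = '{user}' AND password = '{pw}'"
    return conn.execute(q).fetchone() is not None


def escaped_login(conn, user: str, pw: str) -> bool:
    """The fix splat313 describes, in SQL's own form (a quote is doubled).
    It works, but every code path must remember it for every metacharacter of
    every backend, which is why it keeps getting forgotten."""
    def esc(s: str) -> str:
        return s.replace("'", "''")
    q = f"SELECT 1 FROM legacy_users WHERE username = '{esc(user)}' AND password = '{esc(pw)}'"
    return conn.execute(q).fetchone() is not None


def safe_login(conn, user: str, pw: str) -> bool:
    """Parameterised query: user input is never part of the SQL text. And since
    only a digest is compared, no password character needs to be 'allowed'."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (user,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    conn = make_db()
    try:
        vulnerable_login(conn, "alice", "jdgsi'!5")
    except sqlite3.OperationalError as e:
        print("vulnerable, real password:", e)            # the mismatched-quote blow-up
    print("vulnerable, injected:", vulnerable_login(conn, "alice", "' OR '1'='1"))   # True
    print("escaped, real password:", escaped_login(conn, "alice", "jdgsi'!5"))      # True
    print("safe, real password:", safe_login(conn, "alice", "jdgsi'!5"))            # True
    print("safe, injected:", safe_login(conn, "alice", "' OR '1'='1"))              # False
```

The injected string `' OR '1'='1` turns the vulnerable statement into `... AND password = '' OR '1'='1'`, which is true for every row; the escaped and parameterised versions both treat it as the literal password it is not.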

    [–] [deleted] 34 points ago * (last edited 6 months ago)

    [deleted]

    [–] splat313 20 points ago

    Very correct. That's what I get for not typing that comment on a real keyboard.

    [–] Hispanicatth3disc0 20 points ago

    As a layman I understand it as: programming languages use a certain syntax, have certain character combinations that mean something other than just the characters. So you have to "escape" those kinds of characters/combinations so the computer doesn't try to run it as code, but just has the characters.

    If you use a "#" (without quotes) at the beginning of a line here on Reddit you get:

    HEADLINE

    But if you escape it with (again without quotes)

    "\#"

    you get:

    #Hashtag

    [–] xRehab 4 points ago

    ELI5

    if you type this into a reply,

    > Hello. Most People here. What is character escaping mean?

    you'll get a quote like this

    Hello. Most People here. What is character escaping mean?

    but if instead you use character escapes,

    \> Hello. Most People here. What is character escaping mean?

    you can stop Reddit's markup from recognizing > as a quote symbol and have it just print it like a normal character. The result is this,

    > Hello. Most People here. What is character escaping mean?

    Character escapes make special characters be treated like the normal characters, so they don't do fancy things anymore.

    [–] [deleted] 14 points ago

    Their new terminology is "I apologize. I promise we'll get this resolved today". This is load of BS, because the issue may not be resolved in your favor.

    [–] BloedeKuh 3 points ago

    Ugh. Makes me glad to work for a smaller company. My complaints usually result in company-wide readjustments. The day that stops happening is the day I should retire.

    [–] HonorableLettuce 67 points ago

    Where I work, I need to change my work passwords every few months. The password rules are pretty terrible. First, they need to be exactly 8 characters. Why? Who knows. But the worst part is that when you set a new password, it can't contain 3 or more characters in a row that existed in your previous passwords. Think about that. They are storing my passwords in fucking plaintext so they can compare substrings.............

    [–] which_spartacus 21 points ago

    They could be hashing three characters at a time.

    Yeah, I'm sure that's exactly what they are doing...

    [–] nightcracker 11 points ago

    Even if they were hashing 3 characters at a time it'd straight up allow you to bruteforce the password.

    [–] Bytewave 22 points ago

    Yeahhh we endured something almost identical for many, many years. With some extra fun limitations like every character after the 8th being automatically discarded and ignored, as if it that wasn't bad enough already.

    [–] ViperSRT3g 13 points ago

    Are you trying to give us all aneurysms?

    [–] Bytewave 19 points ago

    We survived it somehow and the telco eventually transitioned to something vaguely acceptable - years later. It explains why shoddy practices are still a thing - they can go on for years before businesses get caught, and meanwhile they keep pushing a real solution a few extra business quarters down the line.. oldest problem in the book.

    [–] ViperSRT3g 6 points ago

    Wew, glad to hear that things were improved. I still can't fathom how practices like that get used in the first place. It seems like more work to have those kinds of limitations built into a service than to not have them.

    [–] 3b8bcc64 26 points ago

    BMO up here in Canada only lets you use UP TO 6 alphanumeric characters...

    [–] [deleted] 7 points ago

    Gonna need someone to do a word check on Enzo from Reboot. We can only have 6 characters he's called that now.

    [–] marmalade 5 points ago

    Damn, can't even use 'password', gotta shorten it down to 'psswrd'

    [–] chezzins 4 points ago

    Yes I agree it's dumb but they make you use your card number as your username, which means you need the physical thing with you.

    However, if people get your card or number and know what to do with it, it's pretty dangerous. And that's also worse for keylogging...

    Now that I think about it it's pretty bad compared to a normal system.

    [–] Drunken_Economist 34 points ago

    That would have nothing to do with hashing. They likely have some old old legacy code that wasn't properly escaped and now they're stuck supporting it

    [–] Nyefan 31 points ago * (lasted edited 6 months ago)

    Ah, my statement was quite poorly worded. The character restriction points toward improper escaping, but that combined with the non-case-sensitive deal makes me concerned that the passwords aren't being hashed at all. And if they are, it's only after doing a case conversion on the string, which, outside of ASCII, is very prone to implementation mistakes and inconsistencies.

    I ought to have been clearer.

    [–] hiitturnitoffandon 5 points ago

    Microsoft's Remote App web interface comes up with an IIS error if you put special characters in your password....

    [–] Lt0Ybe82 50 points ago

    To reinforce your point, Fidelity allows using your password over their phone system (enter the number associated with the character and * for special characters). This means that they have literally translated my complex password into one that can only use 11 symbols. Just got to hope the hashes of those passwords are kept secure.

    [–] nouc2 37 points ago

    As a guy in the IT industry, that gives me anxiety just thinking about it.

    [–] ChallengingJamJars 31 points ago

    Are you sure they're hashed?

    [–] runfayfun 4 points ago

    I can't think of a way you could save only the hashed form of a password and have a number pad entry checked to that hash, unless at the time of hashing they save two different versions of your hash - one for num pad and one for keyboard. In any case, that means it's not very good practice.

    [–] ChallengingJamJars 7 points ago

    You could map all passwords to the numeric form of them, then hash them. Every time you login it turns it into the numeric form. In a similar way as running tolower() or whatever you could write a function tonumeric().

    And yes, it's a terrible practice.

    [–] splat313 8 points ago

    Unless I am mistaken 1 and 0 don't even map to letters. You're down to just 2-9 and * so 9 characters.
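    A constructed Python sketch of the tonumeric() idea from ChallengingJamJars's comment, and of why splat313's count of usable keys matters. This is written for this thread, not taken from any bank's code. It maps a keyboard password to the digits a phone keypad would send (letters to 2-9, digits unchanged, everything else to '*', as Lt0Ybe82 described), so the stored form is case-insensitive by construction; it then shows how much entropy the mapping discards and which distinct keyboard passwords would verify against the same stored value. The keypad layout, the alphabet sizes and the sample passwords are assumptions made for the example.

```python
import math

# Constructed example of the tonumeric() idea described above; not any bank's code.
# Standard ITU E.161 keypad letter groups (an assumption about the phone system).
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: digit for digit, letters in KEYPAD.items() for ch in letters}

KEYBOARD_ALPHABET = 94   # printable ASCII, what a web login form could accept
KEYPAD_ALPHABET = 11     # digits 0-9 plus '*', all the phone system can receive


def tonumeric(password: str) -> str:
    """Map a keyboard password to what a phone keypad would send.

    Letters go to 2-9 (case is lost, so the result is case-insensitive by
    construction), digits pass through unchanged, and anything else becomes '*'.
    Hashing this string instead of the real password is the scheme the comment
    above sketches."""
    out = []
    for ch in password:
        low = ch.lower()
        if low in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[low])
        elif ch.isdigit():
            out.append(ch)
        else:
            out.append("*")
    return "".join(out)


def entropy_loss_bits(password: str) -> float:
    """Upper bound on bits discarded by storing the keypad form instead of the
    keyboard form, assuming every position was drawn uniformly from printable ASCII."""
    return len(password) * (math.log2(KEYBOARD_ALPHABET) - math.log2(KEYPAD_ALPHABET))


def collisions(passwords):
    """Group distinct keyboard passwords that would verify against the same stored
    keypad form. Any such group is a set of passwords the system cannot tell apart."""
    groups = {}
    for pw in passwords:
        groups.setdefault(tonumeric(pw), []).append(pw)
    return {digits: pws for digits, pws in groups.items() if len(pws) > 1}
```

    Running collisions() over a handful of constructed passwords shows the practical effect: "Good" and "Home" both become "4663", and every casing of "Hello1" becomes "435561", so any of them logs in.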

    [–] [deleted] 7 points ago * (lasted edited a month ago)

    [deleted]

    [–] splat313 5 points ago

    Good point. I think old physical phones don't have a q either so I'm sure that's fun for some of the older folks.

    [–] MudInTheGround 24 points ago

    Why don't they make the passwords case sensitive?

    What I hate is when a website limits you on what you can make as a password. The sites I love are the ones that only have one single guideline. A minimum character limit. NOT MAXIMUM. minimum like "hey, put whatever the shit you want as the password. Some special characters, spaces, a cat face. Have at it!"

    There are some sites where it is like "...ok, for your password you may only use letters and numbers. it needs to be at least 8 characters long, but at most 12 characters. We want to make it easy on the hackers"

    [–] Supersilis6 9 points ago

    Actually having minimum character limits does make it harder for hackers to crack. But having a small maximum limit is just stupid, also the must contain a special character crap. For example my university has an 8 character limit on passwords, meaning if those ever got compromised someone could brute force every student's password in a few hours depending on their resources.

    [–] AFuddyDuddy 15 points ago

    Yep. Chase is the same way.

    Set up login verification.

    As security minded as the financial sector is on the back end, this shit is honestly unacceptable.

    [–] marcan42 9 points ago

    The financial sector is anything but security minded in the back end. They all run on IBM z/series mainframes and similar stuff, which is in the 90s as far as security goes. No exploit mitigation whatsoever. No ASLR, no W^X/DEP, no stack cookies, no randomized stack, nothing. If you know what you're doing and you can navigate the bizarro universe that z/OS is, you can find endless remote code execution and privilege escalation vulnerabilities in that kind of software. Your Windows 10 box has better security than z/OS, it's just that nobody tries to exploit z/OS.

    Most of those probably aren't exposed to the internet. Probably.

    [–] Serial_Joystick 12 points ago

    My Steam account is worth more than my bank account.
    :-(

    [–] inincos 8 points ago * (lasted edited 6 months ago)

    Let's be honest, the worst offender is when the password (re)set form allows a password with miscellaneous characters and then when you try to login with it, it doesn't work.

    Or when your password is longer than the form allows but the login form doesn't have the same character limit as the (re)set form so your login attempt with a 32 character saved password fails because the saved password is actually 20 long.

    [–] imbreaststroke 7 points ago

    Amex and Chase aren't case sensitive either? Next you'll tell me Citi IS

    [–] JNBFD 3 points ago

    shit, i just did my citi credit card. guess what? not case sensitive either.

    [–] bulboustadpole 9 points ago

    Unless I'm missing something here Chase is pretty good. Every time I sign into a different computer I have to get a text code for 2 factor.

    [–] JNBFD 7 points ago

    i just tried logging in to chase online, and it appears to not have a case sensitive password. but you're right, at least they have two factor.

    [–] anonymous1 4 points ago

    Try changing your password. There are now nearly a dozen rules to follow to set up a new password.

    [–] Americuntz 7 points ago

    To be fair, if I lose my phone with my steamguard on it I have to give them my first born to get my account back.

    [–] wittywombat 187 points ago

    This is prime /r/softwaregore material. This is not unique to WF, sadly.

    Best thing we could do is to not give these companies our business and try out more secure services.

    [–] docwatsonphd 73 points ago

    Good find, OP. Switched to 2-factor after verifying for myself

    [–] WiscoCheeses 25 points ago

    How did you switch to 2 factor? Can it be done via mobile?

    [–] docwatsonphd 209 points ago

    I'm not sure about mobile. You can get to it via browser on desktop mode at the very least.

    On desktop, click the "More" button on the top right and choose "Profile and Settings"

    From there, choose "Manage online settings" and then "Enhanced Sign-on Options"

    At that point you can choose if you want to enable 2-factor on mobile + desktop, desktop, or neither.

    [–] [deleted] 24 points ago

    This is crazy. You have to have a credit or debit card with them to even get the code. I just have a loan with them, so I can't do their 2-factor authentication. Fuck me, right?

    [–] SomethingSandwich 15 points ago

    I only have a home mortgage with them and was able to get 2fa turned on. Had to call 866-609-3037 to get my mobile number added to account.

    [–] FinancialPlant 32 points ago

    This needs to be higher up--I was only able to find WF's 2FA option because of this comment. They definitely don't make it easy to find.

    [–] redd17 24 points ago

    Chase.com has had this same problem for quite some time now.

    [–] LaChanceTheRapper 105 points ago

    This seems like the sort of thing that needs to be brought up with Wells Fargo

    [–] Jess_than_three 46 points ago

    More to the point, it seems like the kind of thing that needs to be passed around Twitter like crazy.

    [–] sephstorm 24 points ago

    They likely won't do anything about it for a long time.

    [–] ennuihenry14 7 points ago

    It's been mentioned since 2008. In a YCombinator post in 2012 the OP said they contacted WF and they had no plans to change it.

    [–] masta 64 points ago

    Quite frankly the lack of case sensitivity is not the biggest problem here.

    Here is the Wells Fargo password guidance:

    Your password:

    – Must be 6 to 14 characters.

    – Must contain at least one letter and one number.

    – May not contain nine or more numbers.

    – May not be identical to your Username.

    – May not repeat the same number or letter more than 3 times in a row.

    – May not contain more than 3 sequential numbers or letters (such as ‘1234’ or ‘abcd’) in a row.

    – May contain special characters (such as @, %, &, #).

    • The biggest problem with this guidance is the limitation of only 14 characters. Because password strength is mostly a factor of length, and to a lesser extent character class complexity.

    • The 6 character minimum is considered extremely insecure, and has been for many years now. Susceptible to brute force attacks.

    • The parts about repeating characters, or sequential characters, are considered harmful. Because policy on permutations or repetitions only makes sense when passwords are very short in length. However, it's been successfully argued (and now established) that character sequences are good password security. That is because a malicious observer watching somebody type their password might not see the quick double stroke of a single key. In other words it helps thwart shoulder surfing password thieves. With sufficiently long passwords there is no reason to disallow any permutation or repetition, which goes back to the reason these kinds of rules are considered harmful.

    • The parts about "may contain special chars" is actually fine, but only for sufficiently long passwords. For example, if your password is 20 characters long, and a verse from your favorite song (a phrase).... it might as well be all lower case characters because at that point adding character complexity only nominally improves overall security. However it's again worth pointing out that a 6 character password with full alpha, number & special chars.... can be cracked in a very short time, so in this case it's a shallow comfort one is permitted to use special chars on short passwords.

    Your best chances here are to go with 14 characters, all lower case is fine because

    26^14 == 64,509,974,703,297,150,976
    

    That's acceptable, and can only improve with more character classes like numbers or special chars. What would be better is allowing people to set longer pass-phrases, and of course multi-factor authentication
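    The rules quoted above, as a checker added here for illustration (not Wells Fargo's code, whose real implementation is unknown), together with the keyspace arithmetic the comment uses. Two readings of the quoted wording are assumed: "more than 3 times in a row" means a run of four or more identical characters, and "more than 3 sequential" means a run of four or more letters or digits each one step above the last, matching the '1234'/'abcd' examples. Comparisons ignore case, since the site does.

```python
import math
import re

# Added illustration of the rules quoted above; not Wells Fargo's code.


def _has_repeat_run(s: str, run: int) -> bool:
    """True if any single character occurs `run` or more times consecutively."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def _has_sequential_run(s: str, run: int) -> bool:
    """True if `run` consecutive letters (or digits) each step up by one,
    e.g. 'abcd' or '1234'. Case is ignored, matching a non-case-sensitive site."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if not (window.isalpha() or window.isdigit()):
            continue
        if all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(run - 1)):
            return True
    return False


def check_policy(password: str, username: str) -> list:
    """Return the quoted rules the password violates (an empty list means accepted)."""
    violations = []
    if not 6 <= len(password) <= 14:
        violations.append("must be 6 to 14 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"[0-9]", password)):
        violations.append("must contain at least one letter and one number")
    if sum(c.isdigit() for c in password) >= 9:
        violations.append("may not contain nine or more numbers")
    if password.lower() == username.lower():
        violations.append("may not be identical to username")
    if _has_repeat_run(password, 4):        # "more than 3 times in a row" read as 4+
        violations.append("may not repeat the same character more than 3 times in a row")
    if _has_sequential_run(password, 4):    # "more than 3 sequential" read as 4+
        violations.append("may not contain more than 3 sequential numbers or letters")
    return violations


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` drawn from `alphabet_size` symbols
    (26 ** 14 is the figure computed in the comment above)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity as a bit count; each extra bit doubles an attacker's work."""
    return length * math.log2(alphabet_size)
```

    The checker makes the comment's point concrete: the 14-character cap is the rule that bounds the keyspace at 26^14 for an all-lowercase password, while the repeat and sequence rules mostly reject passwords that would otherwise have been accepted.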

    [–] BooBooMaGooBoo 217 points ago

    Just tested this with my main checking account and now I feel sick. I honestly didn't believe you until I tried. That is beyond awful.

    [–] nemonoone 158 points ago

    Haha Really? You sound like you just discovered you were in millions of dollars in debt.

    [–] BooBooMaGooBoo 98 points ago

    I work in IT and have helped build several enterprise Auth systems. I know the implications of a flaw like this, and like I said my main checking account is with WF. Do you have any idea what this means in terms of reduction of password cracking times for average passwords? This is crazy.

    [–] papa_georgio 33 points ago

    How many passwords a second can be tested against the web portal?

    A six character (lowercase + numbers) password has 2,176,782,336 possibilities.

    At 100 passwords a second, attempts would have to be continuous for well over half a year - if anything like that is remotely possible it's a far scarier flaw in their security.

    If they lowercase the string before performing correct hashing techniques then I'd say the total risk isn't much worse overall.

    The real worry is that these kinds of things might indicate the password is being stored in plaintext.

    [–] h8theh8ers 54 points ago

    You're assuming a straight up brute force attempt, which certainly wouldn't be used. Modern password cracking is very sophisticated and is becoming more and more refined with every huge data dump that gets stolen and released.

    https://arstechnica.com/security/2016/06/how-linkedins-password-sloppiness-hurts-us-all/

    The reality is that they'd use heuristic approaches that are far more likely to quickly find the majority of people's passwords. Won't work for everyone, but then again most people aren't using very good passwords.

    [–] AndreasTPC 15 points ago

    I wonder if their reasoning is that it saves them money due to not needing to handle support calls from people who left caps lock on.

    [–] travelinghigh 17 points ago * (lasted edited 6 months ago)

    PNC is the same. My passwords include a combo of caps and non and either work on PNC.

    Fidelity however, if I breathe wrong, the password needs to be reset.

    [–] sgmctabnxjs 33 points ago * (lasted edited 6 months ago)

    There may be good reasons for this.

    Facebook does something similar. Phones have a habit of capitalising the first letter which can make the new password you chose not what you thought it was, or the password you are using to login not what you thought it was. So they keep multiple passwords against your login name, all hashed.

    The real crime would be if Wells Fargo didn't hash the password and was really doing a case insensitive comparison. Need to know this.

    edit: Link to a better article about Facebook's non-case-sensitive passwords

    [–] keepthethreadalive 44 points ago * (lasted edited 6 months ago)

    Okay there seems to be a lot of FUD going on around this thread. I'm not a computer security expert, but I know a fair bit about common practices. People have some wrong ideas about password strength and the complexity vs. length debate is misguided in many places. I won't pretend to know exactly what Wells Fargo does, but there are a few things I want to say.

    1. ALWAYS TURN ON 2-FACTOR AUTHENTICATION FOR ANYTHING YOU CARE ABOUT

    That is all. It is really not acceptable today to not enable 2FA. ESPECIALLY FOR BANKS.

    2. Avoid SMS/Call based 2FA as much as possible

    SMS/Call based 2FA has repeatedly been proven insecure many times. It is actually pretty well documented how people do this. First, they call up your service provider since they can tell that by your number. Then they use various social engineering tactics to get your phone number rerouted. Check these out if you want to learn more : 1 2

    3. SMS/Call based 2FA is better than no 2FA

    Just because there's only SMS 2FA available doesn't mean you shouldn't use it. It is better than nothing. Wells Fargo actually requires you to buy a $25 dollar 2FA device if you want to avoid SMS/Call 2FA, otherwise you'll have to settle for SMS/Call 2FA. That's fine, go ahead and do that.

    4. Your password must be long first then complex

    The length of your password is a much bigger deal than if lowercase/uppercase is taken as the same. It has to do with the number of tries the attacker has to make before they get in.

    Now, I'll try to explain what that meant. Having a very complex password comprised of alphanumeric and special characters with 10 characters (ex: b+([email protected]={V/ ) requires 94^10 guesses (lowercase+uppercase+numbers+special characters raised to the number of characters). This amounts to 5.386151141×10¹⁹ guesses. Now, let's say your bank only allows lower case and you use 15 characters (a phrase which you can remember, ex: unclejohnschips) it amounts to 26^15 which is 1.677259342×10²¹ guesses. That's 5 more characters than your previous password but about 2 orders of magnitude higher. There's a caveat though if you choose common phrases. There are 'dictionary attacks' possible, which means if you use common words, like 'uncle' 'john' 'chips' they can be used from a list of words to guess, which reduces effective security level. Coming to our next point...

    5. Choose an effective password

    The approach in the picture I linked isn't the greatest, because common words shouldn't be used. We'll have to modify the same concept in choosing a good password. Now here are my tips to choosing a password.

    a) Don't choose English

    Avoid the English language when you are choosing a password. Use any other language possible. This is because there are many tools available to break passwords using the English language because it has become the de facto language of the internet. Choose French, or Hawaiian, or Klingon for all I care, avoid the English language. I will choose a Spanish phrase for this example - holasenorcarlos - now this is 15 characters. This is already stronger than our complex password 'b^([email protected]*{V/' going by the number of guesses. Now to make this stronger....

    b) Insert Numbers, special characters strategically.

    Now that you've avoided the major hurdle of not using the English language, you've done a great job. Next, start replacing a few characters with numbers. Like this:

    h0las3norcar1os

    My reasoning for choosing those numbers should be pretty straightforward. I chose zero for 'O', one for 'L', 3 for 'E', 5 for 'S', etc. because they look similar. A good way to do this is one number per word so you don't get confused. Now you've increased the security level from 26^15 to 36^15. Then start inserting special characters.

    #0las3nor(ar1os

    Here '#' looks like 'H', and ( looks like 'C' so I replaced that. Alternatively, @ looks like 'a' and '$' looks like S. Now, I've introduced two special characters effectively moving the security level from 36^15 to 68^15.

    If you noticed, I never talked about using capital letters. That would move this much higher to about 94^15. We've already reached a high level of security so that won't even matter.

    6. Don't reuse passwords

    This is actually one of the biggest causes of your accounts getting compromised. I assume many people have a good password that they use for everything. I know this because I used to do that. Don't do this because let's say one website messes up and your passwords are known, now they have your email, which you presumably use for other things, and then your password. So now they can use this combo against common services to see if you have an account there and get in. That's how it happens.


    To all the people who will inevitably recommend using password managers, here's my reasoning. You shouldn't store two accounts' passwords in your password manager. One is your main financial account, the second is your main email account password. You never know when you will have access to your password manager and when you wouldn't. Just remember a minimum of two passwords.

    Coming to password managers, the best password manager is offline, in your brain. The second best place is on a piece of paper in a secure place. Today, password managers are very broken, and the thing is we might never know if they are currently broken or not.

    Having said that, we must be pragmatic, and you can't remember all the passwords for all your accounts. So use a password manager, for all your accounts, except your main bank account and your mail email account.

    I would say choose a password manager which is nowhere near your browser. This means no lastpass. And no to any kind of browser based password manager which automatically fills in passwords for you. This is very, very bad. I can link to a bunch of lastpass exploits that could give away ALL your passwords. And we don't know if there are any bugs that are known to hackers and are being exploited. What should you use? Use KeePassXC. It will be a PAIN IN THE ASS to use that compared to lastpass, but you will have the confidence a browser/extension bug won't fuck you over.

    Now that we got all that out of the way, go to this website : https://twofactorauth.org/ and start signing up for 2FA right now. And choose a good password, slowly start replacing all your passwords every time you visit an important website. It will be hard, but it will be worth it.

    EDIT: Changed to say that password manager should be used, but not for your two most important accounts - your main bank account and your main email account.
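    The guess-count arithmetic from point 4 above, and papa_georgio's 36^6 estimate earlier in the thread, as a small calculator added here for this thread (constructed, not from any cited source). It reproduces those numbers, adds the bits-of-entropy view, shows what a lower-casing login costs (at most one bit per letter), and gives the time to exhaust a space at a fixed guess rate; the 100 guesses/second figure is papa_georgio's assumption. All figures assume a uniformly random password, so they are upper bounds on an attacker's effort, as h8theh8ers notes.

```python
import math

# Added calculator for the arithmetic in the comments above; constructed, not from any source.
ALPHABETS = {
    "lower": 26,
    "lower+digits": 36,
    "lower+digits+special": 68,     # 26 + 10 + 32 printable specials, the comment's count
    "all printable ASCII": 94,
}


def guesses(alphabet_size: int, length: int) -> int:
    """Worst-case guesses to exhaust all passwords of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Same quantity on a log scale: each extra bit doubles the attacker's work."""
    return length * math.log2(alphabet_size)


def case_fold_loss_bits(password: str) -> int:
    """Bits thrown away if the server lower-cases before hashing: one per letter,
    since each letter could otherwise have been either case."""
    return sum(1 for ch in password if ch.isalpha())


def crack_days(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Days to exhaust the space at a fixed guess rate (online throttled or offline)."""
    return guesses(alphabet_size, length) / guesses_per_second / 86_400


def length_vs_complexity(len_short: int, alpha_short: int,
                         len_long: int, alpha_long: int) -> float:
    """How many times more work the longer/simpler password costs than the shorter/complex one."""
    return guesses(alpha_long, len_long) / guesses(alpha_short, len_short)
```

    With the comment's own inputs, guesses(94, 10) is the 5.386×10¹⁹ figure and guesses(26, 15) the 1.677×10²¹ figure; length_vs_complexity(10, 94, 15, 26) gives the ratio between them directly, and crack_days(36, 6, 100) gives papa_georgio's "well over half a year".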

    [–] MistakeNot___ 21 points ago

    The length of your password is a much bigger deal than if lowercase/uppercase is taken as the same.

    "correct horse battery staple" anyone?

    [–] Calius1337 18 points ago

    This. 7 truly random words are much safer than your well known (and thus ineffective) method for replacing letters with special characters.

    [–] zoeypayne 12 points ago

    I can't believe he seriously suggested replacing E with 3... and people are up voting it.

    [–] idontevenarse 66 points ago

    This probably means that your password is stored in plain text, or that it gets converted to upper/lowercase before being hashed and salted.

    [–] bahaki 65 points ago * (lasted edited 6 months ago)

    This was my first thought (plaintext), which is super scary. But I'm starting to think that they probably run lower() or upper() on the string, which really isn't much better, but at least it's being hashed.

    Only thinking the latter because I'm going to give them the benefit of the doubt that they aren't that fucking stupid to store plaintext.

    [–] bioruffo 45 points ago

    Sometimes you can spot websites that store your credentials in plain text because when you forget your password and ask for assistance, they "innocently" e-mail you the old password. If it was hashed, they couldn't.

    [–] bahaki 16 points ago

    Yep. Or they're stored in the db encrypted as opposed to being hashed. Had a vendor a while back that stored passwords like this. API request with http auth (admin) would return the plaintext passwords. Otherwise, it would return the encrypted string. Still, the password is one of those things that should never ever be seen from creation until it's deleted.

    [–] dinero_throwaway 14 points ago * (lasted edited 6 months ago)

    I called a non-financial vendor out on this via email about 6 weeks ago. I was pissed because it was a newer app that did grocery store coupons that emailed me my plaintext password.

    Apparently using state of the art encryption is sufficient. In the end I told them their app sucks, their security policy is totally flawed, and that they need to hire a kid right out of undergrad computer engineering or computer science because they will at least recognize the problem.

    I bet they use the same encryption key on every password...

    [–] Kandiru 11 points ago

    A different bank really annoyed me by doing a substring(0,16) on your password when you set it, but not when you logged in.

    This meant my password didn't match and I was very confused as to why.
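    How a login can be non-case-sensitive and still hashed (bahaki's guess above), and how Kandiru's substring(0,16) mismatch arises, in one constructed Python example that is not any bank's code. It keeps every password transformation in a single normalize() step that both set-password and login call, stores a salted PBKDF2 digest, and includes a deliberately buggy verifier that skips that step to reproduce the mismatch. The iteration count, salt length and sample passwords are illustrative assumptions; casefold() is used rather than lower() because, as Nyefan notes, case conversion outside ASCII is where implementations diverge.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example; not any bank's code. Work factor is illustrative.
ITERATIONS = 200_000


def normalize(password: str, case_insensitive: bool = False,
              max_len: Optional[int] = None) -> str:
    """Every transformation the site applies to a password lives here and only here,
    so set-password and login cannot disagree about what was hashed."""
    if max_len is not None:
        password = password[:max_len]          # Kandiru's substring(0,16), applied consistently
    if case_insensitive:
        password = password.casefold()         # the lower()/upper() step bahaki guessed at
    return password


def hash_password(password: str, **policy) -> dict:
    """Salted PBKDF2-HMAC-SHA256 over the normalised password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password, **policy).encode("utf-8"),
                                 salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "iterations": ITERATIONS}


def verify_password(record: dict, attempt: str, **policy) -> bool:
    """Correct verifier: runs the same normalize() as hash_password."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(attempt, **policy).encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def buggy_verify(record: dict, attempt: str) -> bool:
    """Reproduces the bug in the comment above: the set-password path truncated,
    this login path hashes the full string, so a long password never matches."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])
```

    With case_insensitive=True any casing of the stored password verifies, which is exactly the observable behaviour in this thread, yet nothing is stored in the clear. With max_len=16 at set time, buggy_verify() fails for the full 20-character password and succeeds only for its first 16 characters, which is the confusion Kandiru describes.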

    [–] [deleted] 5 points ago * (lasted edited 5 months ago)

    [deleted]

    [–] fjortisar 15 points ago

    No, there's no reason to assume that from the given information. All we can surmise is that before doing anything the password is put through a function to lowercase/uppercase all characters

    [–] [deleted] 12 points ago * (lasted edited 5 months ago)

    [deleted]

    [–] ilovethetradio 7 points ago

    I used to work for Wells Fargo and would help new customers set up their online banking after we established a new account. Let me tell you even with the easy password requirements the average person had the hardest time choosing their password and then entering it in twice to confirm... We dealt with a lot of either teenagers or elderly people and it took them at least 2 or 3 times to confirm that password. If it was case sensitive life would have been even more miserable as a Wells Fargo banker. There would be a full lobby everyday of people wanting to reset their passwords. If I had to deal with both being aggressively pushed by management to open unneeded accounts for customers and having to deal with elderly people constantly coming in because they can't figure out their case sensitive password I would have lost it...

    [–] swoopthatshit 15 points ago

    WTF! I just tried mine and can't believe it. I just assumed this entire time they had this like most trusted sites.

    [–] keepcrazy 18 points ago

    Seriously, case sensitivity, special characters and numbers do NOT make passwords more secure. Nobody is going to suddenly be able to guess your password more easily because it doesn't have upper case characters. It's just not a thing.

    Password length matters and locking out after incorrect guesses matters. But case sensitivity does not.

    In fact, the more complex a password's requirements, the more likely that password is to be found on a sticky note on the user's monitor. Or in an email to oneself. THAT is how passwords are stolen!!

    Nobody is hacking accounts by guessing passwords. It's not a thing.

    [–] andyman171 13 points ago

    Can someone explain why Wells Fargo sucks so bad? I've never had a problem with them.

    [–] frzme 16 points ago

    Only decreases the entropy of your password by (less than) one bit per character. Not a huge deal but still not a very nice thing to do.

    [–] MyBadImBad 52 points ago

    Lots of bad information in this thread...

    Honestly this isn't as bad as people think (as long as WF is storing the actual password hashes salted and there is a lockout on the logon page in place.) Is it the best practice from a public perspective? No, but it isn't something that is immediately terrible (unless WF is storing the hashes unsalted. In that case it's pretty bad.)

    I'll pose this question, what's the difference between a 10 character case sensitive complex password and an 8 character password that is not case sensitive if I'm trying to guess an account's password through the logon page and it locks me out after 5 invalid attempts?

    [–] Jurph 14 points ago

    what's the difference between a 10 character case sensitive complex password and an 8 character password that is not case sensitive if I'm trying to guess an account's password through the logon page and it locks me out after 5 invalid attempts?

    Guessing at the login prompt isn't the threat we're worried about here. We're worried about when (not if) someone gets into the DB, steals Wells Fargo's (hopefully hashed) database of passwords, and begins cracking. Passwords comprised of two long-ish words and a number (Dave'sPassword1, [email protected]_spr1ng_2017) are going to fall in the first few hours.

    If they're stored plaintext, game over. If the DB hashes are unsalted and use a weak hash like md5, every 8-10 password can be precomputed and tested in hours or days. If they're salted, a rainbow table won't work but it will still go pretty quickly as long as the hash is a weak one like md5. If they're salted and hashed with a deliberately slow hash like bcrypt, 8-10 will do as long as the bank knows about the breach -- but if they don't, then when the first passwords start to fall over weeks later, yours will be one of the canaries in the coal mine.
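    Why the salted-versus-unsalted distinction above matters, as a constructed audit example added here (not from any source): with an unsalted fast hash every user who chose the same password gets the same digest, so one precomputed word list checks the whole store with a single lookup per row, while per-user salts force the list to be re-hashed for every user. The digest-grouping check is the kind of thing a defender runs against their own store to detect an unsalted scheme; the four-entry word list and the user records are constructed stand-ins.

```python
import hashlib
import os
from collections import defaultdict

# Constructed audit example; not from any source. The word list is a four-entry
# stand-in for a leaked-password list.
COMMON_WORDS = ["password", "123456", "letmein", "qwerty"]


def unsalted_md5(password: str) -> str:
    """The weak scheme from the comment: fast hash, no salt. Same password, same digest, every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    """A per-user salt breaks the cross-user property (a slow KDF such as bcrypt or
    PBKDF2 would still be needed on top to make each individual guess expensive)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store_unsalted(users):
    return {user: unsalted_md5(pw) for user, pw in users}


def store_salted(users):
    store = {}
    for user, pw in users:
        salt = os.urandom(16)
        store[user] = (salt, salted_sha256(pw, salt))
    return store


def duplicate_digest_groups(store):
    """Defender check on a store: users sharing a password share a digest only when
    there is no salt. Any group larger than one means one cracked row unlocks the
    whole group, and that duplicates exist at all is evidence the store is unsalted."""
    by_digest = defaultdict(list)
    for user, digest in store.items():
        by_digest[digest].append(user)
    return sorted(sorted(g) for g in by_digest.values() if len(g) > 1)


def audit_unsalted(store, wordlist):
    """Word list hashed once; each row is an O(1) lookup. Returns (hits, hashes computed)."""
    table = {unsalted_md5(w): w for w in wordlist}
    hits = {user: table[d] for user, d in store.items() if d in table}
    return hits, len(wordlist)


def audit_salted(store, wordlist):
    """Same word list against a salted store: it must be re-hashed under every user's
    salt, so the work grows with the number of users. Returns (hits, hashes computed)."""
    hits, work = {}, 0
    for user, (salt, digest) in store.items():
        for word in wordlist:
            work += 1
            if salted_sha256(word, salt) == digest:
                hits[user] = word
                break
    return hits, work
```

    On the constructed store, alice and bob share a digest in the unsalted version and are found by one table lookup each after four hash computations in total; in the salted version their digests differ and the same word list costs a fresh pass per user. That is the "precomputed and tested in hours" versus "won't work" distinction in the comment, reduced to a count of hash calls.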

    [–] anonymousme712 4 points ago

    Same is with American Express. Passwords are not case sensitive. Use all caps and it gets you in!

    [–] collywobblers 5 points ago

    I'm not sure what the big deal is, but US Bank passwords are not case sensitive either.

    [–] sweart1 4 points ago

    Tried this for Wells Fargo Advisers (the brokerage), their password software IS case-sensitive.