
Who's looking at your internet banking password ?


Comments

  • Plasticman
    Plasticman Posts: 2,554 Forumite
    I'm with StuHolmes - no they haven't. Surely all secured with NBS as they've always been.
    There's no need for the FSCS to have all the security information because they surely have no need for the Icesave log in details.
    Scaremongering for the sake of it in my opinion.
    I'm not concerned in the least.


    Yes, as you and StuHolmes say there is no new risk. Still, a reminder about password security is always worthwhile IMHO.
  • I suppose one can opt for the paper system and wait...and wait. Surely, once money is received accounts are closed so security details become a bit of an irrelevance - unless of course people have used same security details for all the sites they visit.
  • Squibbler
    Squibbler Posts: 298 Forumite
    Hmmm.. Barclays have my full password visible to every member of staff who looks at the correct screen. Not very secure at all.
  • PJD
    PJD Posts: 582 Forumite
    Instead of using a "Password" - use a "Pass-phrase". It'll be harder to crack and easy to remember, example:

    Iamafantasicallygoodlookingbloke1
  • looby-loo_2
    looby-loo_2 Posts: 1,566 Forumite
    My 16 year old DD opened a bank account and her new pin came and I was surprised to see it is EXACTLY the same as my pin at the same bank.
    Doing voluntary work overseas for as long as it takes .......
    My DD might make the odd post for me
  • RDA
    RDA Posts: 215 Forumite
    Access to the Icesave system managed by NBS is only going to be required in order to allow customers to confirm their account balance in order to trigger compensation payments to their nominated account.

    Importantly, it's very unlikely that customers will be able to change their nominated account at this stage, so access to the Icesave site is going to be useless to a fraudster.

    There's nothing to raise concerns in this process and I believe that the FSCS have managed the matter speedily with the minimum of inconvenience to customers and they deserve our congratulations.
  • Energize
    Energize Posts: 509 Forumite
    Ximian wrote: »
    "Passwords are stored as a hash" Correct - But the passwords can be cracked in most cases.

    Not when properly implemented, multiple passwords can give the same hash so you can't tell which password someone entered even if you try every possible combination of password, plus the passwords are also salted.

    Just don't use your Windows password for anything else because if someone steals your PC they can break the hash Windows uses in minutes even for long alphanumeric passwords.
  • Energize wrote: »
    Not when properly implemented, multiple passwords can give the same hash so you can't tell which password someone entered even if you try every possible combination of password, plus the passwords are also salted.
    Whilst this is technically correct, I feel I should add something ...

    It is fairly trivial to generate a "rainbow table" for any given hashing algorithm and input space - this would give you all possible inputs, and what they hash to. The result could be loaded into a database package, and would give an instant retrieval of all the candidate passwords (as any given input will produce one output, but one output may come from several distinct inputs, as you've said), which could then be tried in turn. What makes this system secured is an account lock-out policy, configured so that it is statistically improbable that someone could try the various candidate passwords before being locked out.

    As you've said, one could add a salt to the hashing function, which would "randomise" the output. Obviously, in order to preserve the determinism of the function, the salt would either need to be static (i.e. fixed), or calculable based on other data, as the same salt must be used every time a hash is generated for a given account's password. Assuming someone has access to the password hashes, it might not be totally unreasonable to assume they could also have access to the salt generation routine, which would mean a rainbow table attack could still be attempted (although if the salt differs for each account, this starts becoming infeasible in terms of time/space).

    Perhaps I'm just sceptical, but I also think "are" should be replaced with "should" - passwords should be stored as hashes, and the hash generation should use salt. I've just seen enough security howlers in my time ...
    Energize wrote: »
    Just don't use your Windows password for anything else because if someone steals your PC they can break the hash Windows uses in minutes even for long alphanumeric passwords.
    Yup, they can be broken extremely quickly, it's quite scary ...
This discussion has been closed.
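
An added example, not part of any post in this thread: the last reply discusses salted hashes, per-account salts and account lock-out. The Python sketch below uses only the standard library and stores a random salt beside each derived key, which also satisfies the requirement that the same salt be reused for a given account; the round count, lock-out threshold and record layout are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000  # assumed work factor for this example
MAX_FAILURES = 5         # assumed lock-out threshold


def unsalted_hash(password: str) -> str:
    """Weak scheme: one fast hash, identical for every account that
    shares the password, so one precomputed table covers all of them."""
    return hashlib.sha256(password.encode()).hexdigest()


def new_record(password: str) -> dict:
    """Store a random per-account salt next to the slow derived key."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "key": key, "failures": 0}


def verify(record: dict, attempt: str) -> bool:
    """Check a login attempt while enforcing the lock-out policy."""
    if record["failures"] >= MAX_FAILURES:
        return False  # locked: even the correct password is refused
    key = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), record["salt"], PBKDF2_ROUNDS
    )
    if hmac.compare_digest(key, record["key"]):  # constant-time compare
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


if __name__ == "__main__":
    pw = "constructed-sample-passphrase"  # constructed sample input
    a, b = new_record(pw), new_record(pw)
    print("unsalted values equal:", unsalted_hash(pw) == unsalted_hash(pw))
    print("salted values equal:  ", a["key"] == b["key"])
    print("correct password ok:  ", verify(a, pw))
```

Because each record carries its own salt, a table precomputed for one account's salt says nothing about any other account, which is the time/space cost the reply refers to.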