
III New Website


  • Anyone else NOT had their monthly direct debit taken from their bank account which normally happens for me around the 10th (i.e. in the middle of the move to the new site)?


    Overall - can live with the change; don't actually use the site that much - passive portfolio with minimal re-balancing usually done via re-directing monthly contributions.
  • LHW99
    LHW99 Posts: 5,243 Forumite
    Part of the Furniture 1,000 Posts Photogenic Name Dropper
    Didn't manage to get the x-ray tool working, but that may be because it's accessed using a cross-script, which are turned off by default in my browser.
    Otherwise found most of what I wanted (after a quick panic because it shows shares / IT's and funds on different tabs rather than all together).
  • aguy187
    aguy187 Posts: 14 Forumite
    Sixth Anniversary 10 Posts
    What's to stop them storing each character separately and securely?

    Well, they could be hashing each character individually and storing them all, this would still be less secure than the old system with a password and pin, provided the old system stored the password correctly. More likely they're not hashing the password at all, or they are encrypting it in a reversible way. Hopefully if the latter they are using some kind of black box type solution where the validating characters go in and 'Yes' or 'No' comes out.

    Regardless of the method, the new single password system is both less secure and less convenient(*) than the old.

    (*for me at least, my passwords for all sites are the longest strings of random gibberish the sites will let me have)
  • EdSwippet
    EdSwippet Posts: 1,664 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    aguy187 wrote: »
    More likely they're not hashing the password at all, or they are encrypting it in a reversible way.
    I don't see this as necessarily "more likely" at all. There are several ways to store only hashes and still request n-of-m partial passwords. For example, generate and store multiple hashes for every account, one for each implemented permutation of n-of-m password challenges.
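    The hash-per-challenge approach EdSwippet sketches, written out as an added example (this is illustrative code, not anything from the thread or from the III site, whose implementation is unknown). It assumes 0-based character positions, a 3-of-m challenge, salted PBKDF2-SHA256 per stored entry, and a deliberately low iteration count so the demo runs quickly; the work factor would be far higher in a real deployment.

```python
import hashlib
import hmac
import itertools
import math
import os
import secrets

# Constructed demo parameters (assumptions, not from the forum thread).
CHALLENGE_SIZE = 3        # n: characters requested at each login
PBKDF2_ROUNDS = 10_000    # kept low for the demo; raise substantially in production


def enrol(password: str, n: int = CHALLENGE_SIZE) -> dict:
    """Store one salted hash per n-of-m position subset.

    The full password is never written to storage. For every subset of
    n positions the site might ask for, only a salted PBKDF2 digest of
    the characters at those positions is kept, keyed by the positions.
    """
    m = len(password)
    if n > m:
        raise ValueError("challenge size exceeds password length")
    record = {"length": m, "n": n, "entries": {}}
    for positions in itertools.combinations(range(m), n):
        answer = "".join(password[i] for i in positions).encode()
        salt = os.urandom(16)  # fresh salt per entry, so equal answers hash differently
        digest = hashlib.pbkdf2_hmac("sha256", answer, salt, PBKDF2_ROUNDS)
        record["entries"][positions] = (salt, digest)
    return record


def issue_challenge(record: dict) -> tuple:
    """Pick, at random, which positions the user will be asked for."""
    return secrets.choice(list(record["entries"].keys()))


def verify(record: dict, positions: tuple, supplied: str) -> bool:
    """Check a user's answer to one challenge using a constant-time compare."""
    entry = record["entries"].get(positions)
    if entry is None or len(supplied) != record["n"]:
        return False
    salt, expected = entry
    digest = hashlib.pbkdf2_hmac("sha256", supplied.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, expected)


def hashes_stored(m: int, n: int) -> int:
    """Storage cost of the scheme: one hash per n-subset of m positions."""
    return math.comb(m, n)


def guess_space(alphabet_size: int, n: int) -> int:
    """Candidates an offline attacker must try to crack ONE stored entry.

    This is the security caveat: each hash protects only n characters,
    so a leaked database is far cheaper to crack than a hash of the
    full password would be.
    """
    return alphabet_size ** n


if __name__ == "__main__":
    rec = enrol("correcthorse")           # constructed sample password, 12 chars
    print("hashes stored:", hashes_stored(12, 3))
    chal = issue_challenge(rec)
    answer = "".join("correcthorse"[i] for i in chal)
    print("challenge", chal, "accepted:", verify(rec, chal, answer))
    print("offline guesses per entry (62-char alphabet):", guess_space(62, 3))
```

    The point of `guess_space` is the trade-off both posters are circling: the site never holds the plaintext, but each stored digest covers only three characters, so a lockout after a few online attempts protects the live login while a leaked table is still cheap to crack entry by entry. Keying the table by the sorted position tuple also means a lookup for positions in a different order simply fails rather than matching the wrong entry.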
  • aguy187
    aguy187 Posts: 14 Forumite
    Sixth Anniversary 10 Posts
    assuming you are correct, as I said: "this would still be less secure than the old system with a password and pin".
  • EdSwippet
    EdSwippet Posts: 1,664 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    aguy187 wrote: »
    assuming you are correct, as I said: "this would still be less secure than the old system with a password and pin".
    I don't see why.

    But even if it is, there is also a separate and distinct full 'dealing password' that is required for trading, for cash withdrawals, and for any change to nominated bank account.
  • cloud_dog
    cloud_dog Posts: 6,326 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    aguy187 wrote: »
    Regardless of the method, the new single password system is both less secure and less convenient(*) than the old.
    I would disagree. It enhances security, just in case you have a key logger on your system
    Personal Responsibility - Sad but True :D

    Sometimes.... I am like a dog with a bone
  • aguy187
    aguy187 Posts: 14 Forumite
    Sixth Anniversary 10 Posts
    I hadn't set up a dealing password, but I have now!

    If you'd like some light reading on why standalone "give us x characters from your password" systems are eminently hackable I can recommend this study:

    groups.inf.ed.ac.uk/security/passwords/pps.pdf

    (sorry, for the format, I'm not allowed to post this as a link)
  • cloud_dog
    cloud_dog Posts: 6,326 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    edited 12 December 2017 at 5:03PM
    aguy187 wrote: »
    I hadn't set up a dealing password, but I have now!

    If you'd like some light reading on why standalone "give us x characters from your password" systems are eminently hackable I can recommend this study:

    groups.inf.ed.ac.uk/security/passwords/pps.pdf

    (sorry, for the format, I'm not allowed to post this as a link)
    That's great but that is basically a statistical analysis, where the more characters you have to enter the higher the probability of it not being correct. Its basic premise is also focussed on the current implementation of a number of primarily UK institutions rather than defining the best protocol to use for this type of password and analysing accordingly.

    Indeed, the report actually states...

    With k=1, only the PIN case yields a >50% success rate (k=2 for the alphanumeric case), so it can be argued that the partial mechanism provides some improvement over normal password authentication where an observer learns a complete password in a single step.

    Where an account is hacked via brute force attack on an institution you will have far more financial protection (recovery of monies) than if someone sees, learns, guesses your password and simply withdraws funds.

    Whilst brute force or stealth hacking must by their very nature affect many many people in a single attack it would be interesting to know the propensity of unauthorised people uncovering passwords and using this information fraudulently.

    I think attributing 'value' to a password (or any security measure) is really about who is at risk? For a brute force attack I would be covered, for an individual finding out my credentials and using them and for me to prove it wasn't actually me would in all likelihood be nearly impossible.
    Personal Responsibility - Sad but True :D

    Sometimes.... I am like a dog with a bone
  • EdSwippet
    EdSwippet Posts: 1,664 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    aguy187 wrote: »
    If you'd like some light reading on why standalone "give us x characters from your password" systems are eminently hackable I can recommend this study...
    That n-of-m partial passwords are more easily cracked than full ones either by brute force or by dictionary attack is not mysterious. A partial password scheme is conceptually equivalent to each account having several shorter passwords, with an element of randomness over which the site chooses as a challenge. This presents an obviously larger attack surface than full password input.

    It's a trade-off that enables human operators to query a user's password without the former necessarily obtaining the full password (phishing and other behavioural traps excepted!), but I don't think "eminently hackable" is a fair characterisation.

    With full alphanumeric passwords and account locking after a small number of unsuccessful tries -- three, typically -- the probability of random guesses succeeding even on short password segments is tolerably small. A site's insistence on both letters and digits in a password helps to defeat dictionary attacks, but as usual the best defence against both letter frequency and dictionary attacks, either for n-of-m partial passwords or full ones, is not to use words in the first place.
This discussion has been closed.