Has HL been hacked? New passwords required.

Yesterday I received a letter from HL saying that when I next log in I have to create 2 additional passwords and use those instead of the master password to log in.

"Once you've set up your new details you'll no longer need your Master Password and Trading Password."



So it's safe to forget both of those passwords, at least what I read from this.



Why would this be required unless the existing DB of passwords was in jeopardy?
Goals
Save £12k in 2017 #016 (£4212.06 / £10k) (42.12%)
Save £12k in 2016 #041 (£4558.28 / £6k) (75.97%)
Save £12k in 2014 #192 (£4115.62 / £5k) (82.3%)

Comments

  • lisyloo
    lisyloo Posts: 30,072 Forumite
    I've not had that email.
    Don't click on any links in the email.
    Only go directly to hl.co.uk
  • Alexland
    Alexland Posts: 10,183 Forumite
    We both received a letter through the post with a nice glossy leaflet - looks legitimate.

    They will only ask you to provide the new details during the normal login process in the next few weeks.

    There's also a change to linked accounts where the account owner will have to nominate if the link is 'view only' or 'can trade'.

    Alex.
  • Browntoa
    Browntoa Posts: 49,591 Forumite
    Not unusual, I've had forced password changes on other sites and requirements for additional layers of password or "two step" involving one-off codes.

    Companies review security all the time, or are responding to a known spate of fraud
    Ex forum ambassador

    Long term forum member
  • Browntoa
    Browntoa Posts: 49,591 Forumite
    A quick check shows they're introducing two step password login via drop down boxes to defeat keylogger software
  • TrustyOven
    TrustyOven Posts: 746 Forumite
    Browntoa wrote: »
    A quick check shows they're introducing two step password login via drop down boxes to defeat keylogger software


    Thing is, they've had drop down box passwords for the login for some time already, so I'm not sure I buy into the anti-keylogger theory. They could have turned the trading password controls into dropdown boxes too if they wanted to be anti-keylogger resistant.


    But instead, they are forcing you to generate new passwords as if the old ones are no longer secure.
  • Alexland
    Alexland Posts: 10,183 Forumite
    If the current passwords were compromised or they were increasing the complexity rules it would be a lot easier to check the last password change date on login and enforce a change if required.

    This appears to be in support of a process change on their side to move from logon/trade passwords to an "online password" and "secure number". No idea why but it sounds a bit backwards - I prefer to have passwords to enable functions rather than access methods.

    Alex.
  • jamesd
    jamesd Posts: 26,103 Forumite
    Yes, it does seem that they are reducing overall account security with this change.
  • tempus_fugit
    tempus_fugit Posts: 1,189 Forumite
    lisyloo wrote: »
    I've not had that email.
    Don't click on any links in the email.
    Only go directly to hl.co.uk
    It was a letter, not an email. My wife and I both received such letters from HL as well.

    In answer to the main question, they are upgrading their security methods, so nothing to do with compromised passwords.
    Retired at age 56 after having "light bulb moment" due to reading MSE and its forums. Have been converted to the "budget to zero" concept and use YNAB for all monthly budgeting and long term goals.
  • TrustyOven
    TrustyOven Posts: 746 Forumite
    In answer to the main question, they are upgrading their security methods, so nothing to do with compromised passwords.


    But that's the simple, dismissive explanation.


    Why would they need to if their security methods were good to start with?


    And why reduce it to a number pin which has 10 permutations per digit rather than 26 for a letter?


    And why not just apply a better password policy to existing passwords?
  • Chris_Mac
    Chris_Mac Posts: 13 Forumite
    There is far more to system security than just the part that the users see (e.g. password entry and management). This does not seem like anything sinister; it appears to be a security upgrade. Reducing the second password to numerics shouldn't be an issue since they undoubtedly limit the number of failed attempts before locking the account.

    Regards,

    Chris
This discussion has been closed.