Has HL been hacked? New passwords required.
Comments
-
TrustyOven wrote: »
But that's the simple, dismissive explanation.
Why would they need to if their security methods were good to start with?

All my banks have changed their security process for login over the years. Generally an extra layer to do stuff like set up new payees.

TrustyOven wrote: »
And why reduce it to a number pin which has 10 permutations per digit rather than 26 for a letter?

You might have a point if people used random letters. But they don't. They tend to use words or names. That means for someone who knows a little about you, or even someone who doesn't, if they saw the 3 letters entered from the drop down, or heard you on the phone, they might be able to work out or make an educated guess as to the rest of your password. That is less likely with numbers.

Friend of mine was on a train and sat opposite him was a bloke in a Sheffield Wednesday shirt. He made a phone call, probably to his bank. My friend heard him say "3rd letter - D, and fifth letter E". What do you think his password might have been?
-
» All my banks have changed their security process for login over the years. Generally an extra layer to do stuff like set up new payees.

True. If they added an extra layer that would make sense.
They seem to be replacing the passwords though. That suggests the old ones have been compromised.

» Friend of mine was on a train and sat opposite him was a bloke in a Sheffield Wednesday shirt. He made a phone call, probably to his bank. My friend heard him say "3rd letter - D, and fifth letter E". What do you think his password might have been?

Numbers might be DoB, I think that was a common theme at one point?
Good point though in general.

Goals
Save £12k in 2017 #016 (£4212.06 / £10k) (42.12%)
Save £12k in 2016 #041 (£4558.28 / £6k) (75.97%)
Save £12k in 2014 #192 (£4115.62 / £5k) (82.3%)
-
Looks like a perfectly straightforward change of login system to me.
Why assume they've been hacked?
There's nothing whatsoever to suggest that!
-
TrustyOven wrote: »
They seem to be replacing the passwords though. That suggests the old ones have been compromised.

No it doesn't.
-
TrustyOven wrote: »
True. If they added an extra layer that would make sense.
They seem to be replacing the passwords though. That suggests the old ones have been compromised.

No it doesn't. There is a continual battle between the methods, tools and processes used to attack security and those defending against them. Changes to address a new potential vulnerability will keep happening and doesn't mean the vulnerability has been exploited.

loose does not rhyme with choose but lose does and is the word you meant to write.
-
TrustyOven wrote: »
They seem to be replacing the passwords though. That suggests the old ones have been compromised.

From an IT system perspective...

They are very likely introducing a new system for login security. Once passwords are entered into a system they are not stored in a form that they can be extracted again. It would not typically be possible to migrate the old passwords to the new system unless that feature was specifically built in. Therefore the easiest thing they can do is get you to use your old password to identify you, then present you with an interface to generate the new password in the new system, to migrate you over. Once that has happened the old account/password can be removed.
-
» They are very likely introducing a new system for login security.

I think they are weakening the security for mobile phone convenience.

» Once passwords are entered into a system they are not stored in a form that they can be extracted again.

In a world where it was done correctly. I doubt that it was for the original system since a selection of three of the characters was required. The full trading password was needed so they are more likely to have got that right by storing part of a salted hash.

You can securely do select-three systems by generating the permutations when the new code is supplied and storing partial salted hashes of the permutations. Don't have to store much to have high enough confidence that the sequence was known.
-
» From an IT system perspective...
» They are very likely introducing a new system for login security. Once passwords are entered into a system they are not stored in a form that they can be extracted again. It would not typically be possible to migrate the old passwords to the new system unless that feature was specifically built in. Therefore the easiest thing they can do is get you to use your old password to identify you, then present you with an interface to generate the new password in the new system, to migrate you over. Once that has happened the old account/password can be removed.

I think your explanation is probably the best one so far. Maybe they are salting the passwords this time and they didn't before.

I wonder how one implements a salted one-way encryption if the user is given drop down boxes for 3 characters - you can't take the whole input, salt it and then pass it through char crypt(...), if that's what they use, and then expect to be able to pluck individual chars out of the encrypted stored password unless you use a symmetric algorithm?
-
TrustyOven wrote: »
I think your explanation is probably the best one so far. Maybe they are salting the passwords this time and they didn't before.
I wonder how one implements a salted one-way encryption if the user is given drop down boxes for 3 characters - you can't take the whole input, salt it and then pass it through char crypt(...), if that's what they use, and then expect to be able to pluck individual chars out of the encrypted stored password unless you use a symmetric algorithm?

Surely they just encrypt and store all combinations (salted differently). Eg if the password is 6 chars long and it asks for 3, there are 20 possible combinations so store 20 differently salted & encrypted values.
-
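An added example, written for this thread and not code from Hargreaves Lansdown or from any poster here, of the "store a separately salted hash of every 3-character subset" scheme the last two posts describe, together with the old-password-then-new-password migration flow suggested earlier. It assumes PBKDF2-SHA256 with a per-record salt and a deliberately small round count; the secrets "2580" and "london" and the helper names (enrol, verify, migrate, recover_secret) are constructed for the demo. The last function shows the caveat a practitioner would raise about this design: anyone who steals the stored records can crack each 3-character subset offline in at most alphabet_size ** 3 guesses.

```python
"""Toy "pick 3 of N characters" login check with per-subset salted hashes.

Added example for this thread, not code from HL or from any poster.
Secrets and the PBKDF2 round count are constructed for the demo.
"""
import hashlib
import hmac
import itertools
import os
import secrets
from typing import Dict, List, Optional, Tuple

SUBSET_SIZE = 3
# Kept small so the brute-force demo finishes in seconds; a real deployment
# would use a far higher cost (or a memory-hard KDF such as scrypt/argon2).
PBKDF2_ROUNDS = 200

Positions = Tuple[int, ...]
Records = Dict[Positions, Tuple[bytes, bytes]]  # positions -> (salt, hash)


def _hash(salt: bytes, chars: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", chars.encode(), salt, PBKDF2_ROUNDS)


def enrol(secret: str) -> Records:
    """One (salt, hash) record per 3-position subset; positions are 1-based like the bank's prompt.

    A 6-character secret gives C(6,3) = 20 records; the secret itself is never stored."""
    records: Records = {}
    for positions in itertools.combinations(range(1, len(secret) + 1), SUBSET_SIZE):
        salt = os.urandom(16)
        chars = "".join(secret[p - 1] for p in positions)
        records[positions] = (salt, _hash(salt, chars))
    return records


def challenge(records: Records) -> Positions:
    """Server picks which three positions to ask for on this login."""
    return secrets.choice(list(records))


def verify(records: Records, positions: Positions, supplied: str) -> bool:
    """Check the three characters the user typed against the record for those positions."""
    if positions not in records or len(supplied) != SUBSET_SIZE:
        return False
    salt, expected = records[positions]
    return hmac.compare_digest(_hash(salt, supplied), expected)


def migrate(old: Records, positions: Positions, supplied: str, new_secret: str) -> Records:
    """Migration flow from upthread: prove the old secret, then enrol a new one.

    Nothing is copied from the old records: they hold hashes of parts of the secret, not the secret."""
    if not verify(old, positions, supplied):
        raise PermissionError("old credential not verified")
    return enrol(new_secret)


def brute_force_subset(records: Records, positions: Positions, alphabet: str) -> Tuple[Optional[str], int]:
    """Offline attack on one stolen record: at most len(alphabet) ** 3 guesses
    (1000 for digits, 17576 for lowercase letters)."""
    salt, expected = records[positions]
    tries = 0
    for guess in itertools.product(alphabet, repeat=SUBSET_SIZE):
        tries += 1
        chars = "".join(guess)
        if _hash(salt, chars) == expected:
            return chars, tries
    return None, tries


def recover_secret(records: Records, length: int, alphabet: str) -> Tuple[str, int]:
    """Crack subsets until every position is known; overlapping subsets mean only a few are needed."""
    known: List[Optional[str]] = [None] * length
    total = 0
    for positions in records:
        if all(known[p - 1] is not None for p in positions):
            continue  # these positions already recovered from an earlier subset
        chars, tries = brute_force_subset(records, positions, alphabet)
        total += tries
        if chars is None:
            continue
        for p, c in zip(positions, chars):
            known[p - 1] = c
        if all(k is not None for k in known):
            break
    return "".join(k or "?" for k in known), total


if __name__ == "__main__":
    pin_records = enrol("2580")  # constructed demo secret
    print("server asks for positions", challenge(pin_records))
    cracked, guesses = recover_secret(pin_records, 4, "0123456789")
    print(f"attacker holding the records recovers {cracked!r} after {guesses} guesses")
```

The storage trick answers the "how do you salt it" question, but note the trade-off the brute-force function makes visible: a stolen table of whole-password hashes costs an attacker up to 26**6 guesses for a six-letter password, whereas two non-overlapping 3-letter records cost at most 2 * 26**3, and a 4-digit PIN falls in at most 2 * 10**3. Partial-character checks defend against shoulder-surfing and eavesdropping on one login; they do not hold up against a database leak, which is why a high KDF cost (and a second factor) matter more under this scheme than under a full-password hash.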
TrustyOven wrote: »
True. If they added an extra layer that would make sense.
They seem to be replacing the passwords though. That suggests the old ones have been compromised.

Only to someone wearing a tin foil hat.