Halifax login

richpoortyke · 18 April at 1:09PM

Hi. Just wondering if anyone else has noticed when logging into Halifax it now states you don't need a password? Seems a bit strange to lower the security and also not inform me about the change. Anyone else has this?

flaneurs_lobster · 18 April at 1:45PM

Same for Lloyds Bank, but not for Bank of Scotland for some reason.

Here's what the explanatory text says

Where has password gone?
We're moving away from passwords to make signing in simpler, as we know they can be difficult to remember. From now on, you'll usually just need your username and memorable information.
There might still be a few occasions when you'll need your password - for example, if you can't use your memorable information. If that happens, we'll carry out a verification step with a text or a call.

Not much of an explanation is it? Our users are too incompetent to use passwords properly so we're getting rid of them? Why is "memorable information" (6-15 alphanumeric characters) better than "password" (8-32 case-sensitive alphanumerics and symbols).

At least my Username is 30 random characters and not my email or given name.

Sort of thing I'd expect of a social media or gaming site, not a bank.

Dare them to go the whole hog and allow you to go password free like Microsoft do.

richpoortyke · 19 April at 5:56AM

It's a poor change in my opinion. Also the site says I will no longer be able to amend the names of accounts. Which is a real shame as I like to set up pots with names so I can budget properly. No idea why that will no longer be possible

wmb194 · 19 April at 7:08AM

https://forums.moneysavingexpert.com/discussion/comment/81968931#Comment_81968931

You'll still be able to change their names in the app.

masonic · 19 April at 8:31AM

With a dictionary size of 36, a 6-15 character piece of memorable information has between 2,176,782,336 and 221,073,919,720,733,357,899,776 combinations. For an online brute force attack, they are asking for 3 random characters, so the chance of guessing those correctly is around one in 46,656.

For my account, even if signing in using my usual web browser, it is asking for a OTP before memorable information, and there is a one in a million chance of getting that right by guessing, so overall the chance of successfully logging in without being able to obtain and unlock my phone, and with no knowledge of my memorable information is one in 46.6 billion. That ought to be enough to prevent someone gaining entry in 3 attempts before my online account is locked. Even one in 46.6 thousand is sufficient given the small number of attempts allowed.

If someone has knowledge of your security information, then the level of complexity is generally irrelevant. Not asking for the full security information makes it less likely it will be accidentally disclosed when logging in. Having two separate sets of "something you know" is redundant.

It's worth mentioning that when Santander did similar, they reduced it to a 6-digit PIN.

It does seem strange they haven't pre-warned us though, any change to a bank's login procedure should be communicated, as changes could be an indicator you are not using the genuine login page.

flaneurs_lobster · 19 April at 9:01AM

@masonic is right, what remains in place is still solid protection.

I wonder if this is not tacit acknowledgement that no matter how many warnings are given and how much advice is offered about making passwords long & complicated, it doesn't really matter

because people will still set it to "password123", the same as all their other passwords
when they get 'hacked' and their account is emptied the bank will still have to reimburse them, regardless of whether their password was "qwerty" or 30 random characters.

Unless the bank can show utter recklessness in your use of online access ("Did you write the password down and stick it to your phone?". "Er….") why bother.

Far more money is lost by people willingly giving it to the internet because they saw a video of Nigel Farage punching Andrew Bailey on Question Time.

A spreadsheet has been done, how much can LBG save by not having to deal with password-related queries and account lock-outs.

Presumably they would have had to run this past their regulators to get sign-off on this?

masonic · 19 April at 9:23AM

The FCA has been pushing financial institutions towards strong customer authentication (i.e. multi-factor) and away from total reliance on passwords. This is not true only of the financial sector, reliance on passwords is generally considered problematic.

The main reason for us choosing long complex passwords is to insure against provider breaches, where a database is stolen and the passwords cracked offline. If the banks are sufficiently confident about their security, then they may see the trade-off between password complexity and customer support to not be worth it. They would obviously be liable for any consequences linked to their loss of password data (but they are by default liable anyway). It's a necessary consequence of asking for random characters from memorable information that this information cannot be stored in the bank's database with the same level of encryption as a password that is always requested in full.

As you say, a static password could be found out by a fraudster in a myriad of different ways, some more negligent than others, so the customer has more plausible deniability. For a one-time code sent to someone's phone and valid for only a few minutes, it is clearer that active participation by the customer is needed if they claim nobody has had access to their phone. Banks do have comeback on customers where they have ignored warnings and given one time codes to fraudsters.

I do not know, but assume it to be the case, that the password is still needed when setting up a new payee and changing your personal details. If it is now only needed in those high risk situations, this could be considered a security enhancement by reducing the risk of exposure of this password during less sensitive use of the services.

wmb194 · 19 April at 9:46AM

https://forums.moneysavingexpert.com/discussion/comment/81969079#Comment_81969079

"I do not know, but assume it to be the case, that the password is still needed when setting up a new payee and changing your personal details. If it is now only needed in those high risk situations, this could be considered a security enhancement by reducing the risk of exposure of this password during less sensitive use of the services."

Yes, it is. In the past couple of weeks when setting up new payees in the app it's begun asking me to enter my full password. In the past it was satisfied with just FaceID on my iPhone.