One of the most basic rules of password security is to use a mixture of lower-case and capital letters. But that approach won’t make any difference if you use the Commonwealth Bank’s NetBank service, since it treats both as the same. In other words, as far as CommBank is concerned, Password1 is exactly the same as password1 and PASSword1. (Those are terrible passwords anyway, but the lack of case sensitivity makes them much, much worse.)
We were tipped off to this by a reader (thanks Mark!), and a quick test with my own NetBank account, which I always thought had a case-sensitive password, confirms that it doesn’t care whether I use all caps, all lower-case or a mix of both.
A quick glance at the bank’s own advisory page on passwords is further evidence, since the page doesn’t make any reference to using upper and lower case. It does mention most other elements of a secure password — a hard-to-guess phrase, a mixture of letters, numbers and punctuation, not using dictionary words and not sharing it — but that one is missing.
We’ve contacted Commonwealth Bank for comment, and we’ll update if we hear anything material. (UPDATE: Here’s the bank’s response.) In the meantime, if you do have a NetBank account, definitely make sure that it also includes punctuation and numbers, and that it ideally has the full 16-character length. A letters-only password on NetBank would be a bad idea in any case, but the fact that capitals don’t matter makes it a far lousier choice.
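To put a number on what case folding costs, here is an added Python example (not from the article and not Commonwealth Bank’s code; it models a generic case-folding login policy, not NetBank’s actual implementation). It counts the character classes a password uses, estimates the keyspace in bits with and without case sensitivity, and counts how many case spellings collapse into one under folding. It also shows why the advice above works: the 16-character sample with digits and punctuation (a constructed value) ends up with a larger keyspace than a short mixed-case password even after folding.

```python
import math
import string

# Per-class alphabet sizes for printable ASCII; string.punctuation has 32 symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "punct": len(string.punctuation)}


def char_classes(password: str) -> set:
    """Names of the character classes that actually appear in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
    return classes


def alphabet_size(password: str, case_sensitive: bool = True) -> int:
    """Size of the per-character alphabet a guesser has to cover.

    Under a case-folding policy (modelled here; assumed, not NetBank's real code)
    upper- and lower-case letters collapse into one 26-symbol class, so mixing
    case adds nothing to the search space.
    """
    classes = char_classes(password)
    if not case_sensitive and "upper" in classes:
        classes.discard("upper")
        classes.add("lower")
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace_bits(password: str, case_sensitive: bool = True) -> float:
    """log2 of how many passwords of this length use the same character classes."""
    return len(password) * math.log2(alphabet_size(password, case_sensitive))


def collapsed_variants(password: str) -> int:
    """Number of distinct case spellings a case-folding service accepts as this password."""
    letters = sum(1 for ch in password if ch in string.ascii_letters)
    return 2 ** letters


if __name__ == "__main__":
    weak = "Password1"            # the article's example
    longer = "m3t3or!shower#44"   # constructed 16-character sample with digits and punctuation
    for pw in (weak, longer):
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits case-sensitive, "
              f"{keyspace_bits(pw, case_sensitive=False):.1f} bits case-folded, "
              f"{collapsed_variants(pw)} spellings accepted under folding")
```

For the article’s example, folding shrinks the effective alphabet from 62 to 36 symbols and accepts 256 spellings as the same password; the longer constructed sample loses nothing to folding because its strength comes from length, digits and punctuation rather than from capitals.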