Commonwealth Bank Netbank Passwords Don't Care About Capital Letters

One of the most basic rules of password security is to use a mixture of lower-case and capital letters. But that approach won't make any difference if you use the Commonwealth Bank's NetBank service, since it treats both as the same. In other words, as far as CommBank is concerned, Password1 is exactly the same as password1 and PASSword1. (Those are terrible passwords anyway, but the lack of case sensitivity makes them much, much worse.)

We were tipped off to this by a reader (thanks Mark!), and a quick test with my own NetBank account, which I always thought had a case-sensitive password, confirms that it doesn't care whether I use all caps, all lower-case or a mix of both.

A quick glance at the bank's own advisory page on passwords is further evidence, since the page doesn't make any reference using upper and lower case. It does mention most other elements of a secure password — a hard-to-guess phrase, a mixture of letters, numbers and punctuation, not using dictionary words and not sharing it — but that one is missing.

We've contacted Commonwealth Bank for comments, and we'll update if we hear anything material. (UPDATE: Here's the bank's response.) In the meantime, if you do have a NetBank account, definitely make sure that it also includes punctuation and numbers, and that it ideally has the full 16-character length. A text-only password on NetBank would be a bad idea in any case, but the fact capitals don't matter makes it a far lousier choice.


Comments

    I think this must be new as I have been rejected in the past when having caps or low cased letter where they shouldnt bee

    I seem to remember having to change my password at some point to include a capital letter... now it doesn't matter?

    Westpac is far worse. They have an on-screen keyboard you have to click on to enter/choose an online banking password, and it ONLY has Numbers and Capital Letters, no shift key, no caps lock, no other characters!
    Angus, It just astounds me - the number of "secure" sites such as Banks, Online stockbrokers, government agencies that FORCE these terrible passwords on users. Centrelink limits me to 6-8 letters!

      I was gonna say the same about westpac, but also when i first sigend up, i was going to have a long password, but they let you have a MAXIMUM length of 6.
      According to http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm
      Thats 2,176,782,336 combinations that would only take 0.06hours to bruteforce (and thats after the /2 for law of averages, so 0.12hours for all combos), hopefully westpac lock the account after the first half million tries.

      Of course ING only has 4 digits which is only 10,000 combos which is stupid.

        yeah they lock the account after 3 unsuccessful attempts and you have to ring them up to unlock it

    I think it was NAB that would accept more characters for a password but it would only check the first 6 or so.
    eg pass11 would be the same as pass11asdfasdf

    It's not that bad, if you had my login and password you would still need my phone to transfer any of my cash out, it was much better when I had a dongle to generate a number to login with, lost it, however I guess those have been compromised too.

    Definitely not ideal, however to play devil's advocate, Commonwealth Bank use their NetCode system to secure internet banking transactions & transfers, so even if someone does access your account (shame on you for the poor password) they're not really able to do anything except view your balances, etc. I personally prefer the ease of access versus some other banks' requirement to log in using passwords, SecurID and a security question - that get's old fast.

    No way ... The least security for the most valuable material ... You never expect this ...

    Facebook does the same guys. They have taken user friendliness way too far.

      No. Facebook just have the case-inflection stored.

      Ie. on Facebook PaSsWoRd is the same as pAsSwOrD but not password or PASSWORD.

      Try it.

        Thats kinda neat, for those that continually accidently have capslock on and dont realise they are shifting at the wrong time.

        Since i doubt facebook would store clear text, passwords to try it against they probably try the entered one if that fails it tries the caps inverted version automatically.

          In my opinion, its kinda stupid. You can detect if caps lock is activated whilst they are typing the password, why not alert them of their error then instead of having a second (i understand its just inverted case wise) which can grant access to an account?

            Because its not necessarily an error, and its a good compromise between security and transparent user assistance.

    In a word..... eeep!

    security theatre

    but it has large fonts and yellow everywhere...

    make it worse, tick the "remember client number"

      Years ago they let you save the client number and password!

    Citibank are the same, comon Australia get some two factor authentication like the rest of the world allready

    Yep. Just tested on mine and it's the same.

    And I've been wasting time with cases for years, for nothing!

    Here is a hint to anyone who might read this that writes a password auth mechanism.

    Do NOT .toLower() or .toUpper() first.
    DO Hash the password. (One way hash, (sha1 or crypt))
    DO Salt the password.

      This. They shouldn't EVER be storing your actual password, and if they're salting and hashing then they wouldn't have to.

      Yes. It's been a while since I worked in security, but I remember it struck me as strange when Westpac changed from their 8 character case-sensitive password to a 6 character case-insensitive password. That basically means that although they're (most likely) storing it in encrypted form, it's two-way encrypted which means that it's reversable, i.e. someone could take the encrypted garbage string from their database, and with the right private key, decrypt it. That's the only way they could have translated my case-sensitive password into a case insensitive one, or compare my case-insensitive input via their little keyboard thingy with the case-sensitive encrypted version. Sooooo crap. They should always do it in one direction, i.e. encrypt the password to store it, and then encrypt the attempt and compare the two encrypted strings.

    NAB passwords are just as useless. Only 8 characters, no special characters. Its the least secure password I have, when it should be the most secure. At least, according to their login screen "NAB supports National Consumer Fraud Week 2012".

    Confirmed Bank of Melbourne ignores case in the password as well.

    Although to log in you need to know the PIN as well as password.

    And looking at the change password screen it says:
    "Your Internet Banking Password must be 6-12 characters, including at least one letter and one digit"

    Why is there a limit on how long it can be?

      Realistic limits are ok (eg. 64 characters).
      Arbitrary short limits are not (eg. 12 characters).

      Limits are ok to stop your servers being overloaded by some douche trying to get you to hash megabytes of data.

    ING Direct is pretty bad with this as well. You have your 8 digit client number that you enter as plain text, then a 4-6 difgit PIN number that you have to enter using an on-screen keypad. Anyone looking over your shoulder will be able to gather enough information to log in to your account.

    I sent an email to them with my concerns, and they fired back a stock-standard security email saying how they use industry standard 256 bit encryption, not actually mentioning anything I had talked about.

    Nonsense. The whole numbers/letters/punctation/capitals part of passwords is complete bull.

    See: http://xkcd.com/936/

      That is an over simplification of the matter. BUT generally longer passwords are better.

      There is just an issue when you are limited in password length to 16 characters.

      That comic is talking about longer passwords being better than complex ones, however most of these banks are also putting an upper limit on password length.
      Moreover it means they're either putting everything in upper or lower case before entering it into the db (which cuts down the amount of possible entropy a huge amount), or GASP storing your actual password and verifying it there.
      Nobody should store your password. They should only ever store a salted hash of it. Doing anything else is simply putting everyones details at risk.

    ANZ doesn't permit special characters (or spaces) either. BUT it does look like case changes are still effective. I've taken this little Lifehacker reminder as a hint to change the length of my password to something less trivial - and have LastPass help to make it totally non-memorable/ nonsensical.

    So why are we still babying people about passwords? If I can remember a 20 letter long password (a sentence with punctuation) then surely anyone can remember to press capslock?

    The next global security threat will be from people who aren't willing to step up their game ("Why should I be responsible for virus-checking my USB stick?!") and not from next-gen viruses.

    I bank with the NAB and they won't let me use a password longer than 8 characters and it can only be uppercase, lowercase and numbers. It makes for a terrible system. I'd feel much safer if I could use a longer password and even some basic symbols. I don't think that's too much to ask!

    Same case insensitivity for St George.

    I need 4 different password systems just to deal with maximum password length and other restrictions. The ultimate worst problem they have is the systems that don't say that they have a maximum length, but restrict the length of the text box so you type in a longer password which gets cut off,eg. TestPasswo. Then the login box is unrestricted so you type in TestPassword and suddenly the exact same password you typed in is incorrect.

Join the discussion!

Trending Stories Right Now