Commonwealth Bank Netbank Passwords Don’t Care About Capital Letters

46
Commonwealth Bank Netbank Passwords Don’t Care About Capital Letters


One of the most basic rules of password security is to use a mixture of lower-case and capital letters. But that approach won’t make any difference if you use the Commonwealth Bank’s NetBank service, since it treats both as the same. In other words, as far as CommBank is concerned, Password1 is exactly the same as password1 and PASSword1. (Those are terrible passwords anyway, but the lack of case sensitivity makes them much, much worse.)

We were tipped off to this by a reader (thanks Mark!), and a quick test with my own NetBank account, which I always thought had a case-sensitive password, confirms that it doesn’t care whether I use all caps, all lower-case or a mix of both.

A quick glance at the bank’s own advisory page on passwords is further evidence, since the page doesn’t make any reference using upper and lower case. It does mention most other elements of a secure password — a hard-to-guess phrase, a mixture of letters, numbers and punctuation, not using dictionary words and not sharing it — but that one is missing.

We’ve contacted Commonwealth Bank for comments, and we’ll update if we hear anything material. (UPDATE: Here’s the bank’s response.) In the meantime, if you do have a NetBank account, definitely make sure that it also includes punctuation and numbers, and that it ideally has the full 16-character length. A text-only password on NetBank would be a bad idea in any case, but the fact capitals don’t matter makes it a far lousier choice.

Comments

  • Westpac is far worse. They have an on-screen keyboard you have to click on to enter/choose an online banking password, and it ONLY has Numbers and Capital Letters, no shift key, no caps lock, no other characters!
    Angus, It just astounds me – the number of “secure” sites such as Banks, Online stockbrokers, government agencies that FORCE these terrible passwords on users. Centrelink limits me to 6-8 letters!

    • I was gonna say the same about westpac, but also when i first sigend up, i was going to have a long password, but they let you have a MAXIMUM length of 6.
      According to http://www.mandylionlabs.com/PRCCalc/BruteForceCalc.htm
      Thats 2,176,782,336 combinations that would only take 0.06hours to bruteforce (and thats after the /2 for law of averages, so 0.12hours for all combos), hopefully westpac lock the account after the first half million tries.

      Of course ING only has 4 digits which is only 10,000 combos which is stupid.

  • I think it was NAB that would accept more characters for a password but it would only check the first 6 or so.
    eg pass11 would be the same as pass11asdfasdf

  • It’s not that bad, if you had my login and password you would still need my phone to transfer any of my cash out, it was much better when I had a dongle to generate a number to login with, lost it, however I guess those have been compromised too.

  • Definitely not ideal, however to play devil’s advocate, Commonwealth Bank use their NetCode system to secure internet banking transactions & transfers, so even if someone does access your account (shame on you for the poor password) they’re not really able to do anything except view your balances, etc. I personally prefer the ease of access versus some other banks’ requirement to log in using passwords, SecurID and a security question – that get’s old fast.

      • Thats kinda neat, for those that continually accidently have capslock on and dont realise they are shifting at the wrong time.

        Since i doubt facebook would store clear text, passwords to try it against they probably try the entered one if that fails it tries the caps inverted version automatically.

        • In my opinion, its kinda stupid. You can detect if caps lock is activated whilst they are typing the password, why not alert them of their error then instead of having a second (i understand its just inverted case wise) which can grant access to an account?

          • Because its not necessarily an error, and its a good compromise between security and transparent user assistance.

  • Here is a hint to anyone who might read this that writes a password auth mechanism.

    Do NOT .toLower() or .toUpper() first.
    DO Hash the password. (One way hash, (sha1 or crypt))
    DO Salt the password.

    • Yes. It’s been a while since I worked in security, but I remember it struck me as strange when Westpac changed from their 8 character case-sensitive password to a 6 character case-insensitive password. That basically means that although they’re (most likely) storing it in encrypted form, it’s two-way encrypted which means that it’s reversable, i.e. someone could take the encrypted garbage string from their database, and with the right private key, decrypt it. That’s the only way they could have translated my case-sensitive password into a case insensitive one, or compare my case-insensitive input via their little keyboard thingy with the case-sensitive encrypted version. Sooooo crap. They should always do it in one direction, i.e. encrypt the password to store it, and then encrypt the attempt and compare the two encrypted strings.

  • NAB passwords are just as useless. Only 8 characters, no special characters. Its the least secure password I have, when it should be the most secure. At least, according to their login screen “NAB supports National Consumer Fraud Week 2012”.

  • Confirmed Bank of Melbourne ignores case in the password as well.

    Although to log in you need to know the PIN as well as password.

    And looking at the change password screen it says:
    “Your Internet Banking Password must be 6-12 characters, including at least one letter and one digit”

    Why is there a limit on how long it can be?

    • Realistic limits are ok (eg. 64 characters).
      Arbitrary short limits are not (eg. 12 characters).

      Limits are ok to stop your servers being overloaded by some douche trying to get you to hash megabytes of data.

  • ING Direct is pretty bad with this as well. You have your 8 digit client number that you enter as plain text, then a 4-6 difgit PIN number that you have to enter using an on-screen keypad. Anyone looking over your shoulder will be able to gather enough information to log in to your account.

    I sent an email to them with my concerns, and they fired back a stock-standard security email saying how they use industry standard 256 bit encryption, not actually mentioning anything I had talked about.

    • That is an over simplification of the matter. BUT generally longer passwords are better.

      There is just an issue when you are limited in password length to 16 characters.

    • That comic is talking about longer passwords being better than complex ones, however most of these banks are also putting an upper limit on password length.
      Moreover it means they’re either putting everything in upper or lower case before entering it into the db (which cuts down the amount of possible entropy a huge amount), or GASP storing your actual password and verifying it there.
      Nobody should store your password. They should only ever store a salted hash of it. Doing anything else is simply putting everyones details at risk.

  • ANZ doesn’t permit special characters (or spaces) either. BUT it does look like case changes are still effective. I’ve taken this little Lifehacker reminder as a hint to change the length of my password to something less trivial – and have LastPass help to make it totally non-memorable/ nonsensical.

  • So why are we still babying people about passwords? If I can remember a 20 letter long password (a sentence with punctuation) then surely anyone can remember to press capslock?

    The next global security threat will be from people who aren’t willing to step up their game (“Why should I be responsible for virus-checking my USB stick?!”) and not from next-gen viruses.

  • I bank with the NAB and they won’t let me use a password longer than 8 characters and it can only be uppercase, lowercase and numbers. It makes for a terrible system. I’d feel much safer if I could use a longer password and even some basic symbols. I don’t think that’s too much to ask!

  • I need 4 different password systems just to deal with maximum password length and other restrictions. The ultimate worst problem they have is the systems that don’t say that they have a maximum length, but restrict the length of the text box so you type in a longer password which gets cut off,eg. TestPasswo. Then the login box is unrestricted so you type in TestPassword and suddenly the exact same password you typed in is incorrect.

  • So if it doesn’t care if it’s upper/lower case does that mean it’s being converted to a case then salted (or what ever the encryption is) or are they just storing the passwords in their DB in plain text?

  • Bankwest will not allow you to do special characters either. I also found it concerning when I forgot/mistyped my password and get to get it reset, they reset it to my first name (I know it’s only temporary and I am prompted to change it upon first login, but still not best practice).

  • Wespac doesn’t seem to care about capitals either, though you have to use an on-screen keyboard to enter in on their main site you can type it in manually on their mobile version.

  • An 8 character case insensitive alphanumeric password allows for 2.8 trillion possible combinations whereas a case sensitive password increases this to 218 trillion combinations. I can’t see this making much of a difference when you get locked out after a few incorrect goes.

  • Another flaw in cba netbank and they don’t care, is that an ex partner of eight years went and got a new sim card for my phone number which was put in her phone to receive encode to change pass word , changed daily limit to max and took 30000. I had change everything pass word email and my address, but not the client number . guess what i lose. bank won’t return money even though she admitted what and how she did it .. Bullshit excuses from the bank

Log in to comment on this story!