Commonwealth Bank Netbank Passwords Don't Care About Capital Letters

One of the most basic rules of password security is to use a mixture of lower-case and capital letters. But that approach won't make any difference if you use the Commonwealth Bank's NetBank service, since it treats both as the same. In other words, as far as CommBank is concerned, Password1 is exactly the same as password1 and PASSword1. (Those are terrible passwords anyway, but the lack of case sensitivity makes them much, much worse.)

We were tipped off to this by a reader (thanks Mark!), and a quick test with my own NetBank account, which I always thought had a case-sensitive password, confirms that it doesn't care whether I use all caps, all lower-case or a mix of both.

A quick glance at the bank's own advisory page on passwords is further evidence, since the page doesn't make any reference using upper and lower case. It does mention most other elements of a secure password — a hard-to-guess phrase, a mixture of letters, numbers and punctuation, not using dictionary words and not sharing it — but that one is missing.

We've contacted Commonwealth Bank for comments, and we'll update if we hear anything material. (UPDATE: Here's the bank's response.) In the meantime, if you do have a NetBank account, definitely make sure that it also includes punctuation and numbers, and that it ideally has the full 16-character length. A text-only password on NetBank would be a bad idea in any case, but the fact capitals don't matter makes it a far lousier choice.


    This is nothing new, it's been like this for at least a year when I first found out about it.

    So if it doesn't care if it's upper/lower case does that mean it's being converted to a case then salted (or what ever the encryption is) or are they just storing the passwords in their DB in plain text?

      Most likely (and hopefully) they just lower or upper case the passwords before storing and comparison.

    Bankwest will not allow you to do special characters either. I also found it concerning when I forgot/mistyped my password and get to get it reset, they reset it to my first name (I know it's only temporary and I am prompted to change it upon first login, but still not best practice).

      So what your saying is if I reset your password, I just login using your first name?


    Wespac doesn't seem to care about capitals either, though you have to use an on-screen keyboard to enter in on their main site you can type it in manually on their mobile version.

    BTW, seems eBay is insensitive to password case as well.

    An 8 character case insensitive alphanumeric password allows for 2.8 trillion possible combinations whereas a case sensitive password increases this to 218 trillion combinations. I can't see this making much of a difference when you get locked out after a few incorrect goes.

    Another flaw in cba netbank and they don't care, is that an ex partner of eight years went and got a new sim card for my phone number which was put in her phone to receive encode to change pass word , changed daily limit to max and took 30000. I had change everything pass word email and my address, but not the client number . guess what i lose. bank won't return money even though she admitted what and how she did it .. Bullshit excuses from the bank

Join the discussion!

Trending Stories Right Now