Commonwealth Bank Says Case-Insensitive Passwords Don't Matter

We reported earlier today that the Commonwealth Bank's NetBank service, somewhat remarkably, doesn't distinguish between capital letters and lower-case in passwords. We've just received an official statement from the bank on this issue, which boils down to: the bank believes its security systems are so effective that the reduction in security by ignoring case doesn't matter.

Here's the statement from the bank:

We have multiple layers of security to protect NetBank customers, including the requirement for complex passwords. The password requirements make it impractical for someone to try and guess a customer’s password, regardless of case sensitivity. In addition, our password strength indicator assists customers in choosing a strong password.

We have other security measures in place to protect customers, including two-factor authentication and extensive monitoring to identify malicious or fraudulent activity. NetBank customers are also covered by our 100% security guarantee, which means customers are covered for any loss should someone make an unauthorised transaction on their account using NetBank.

There are two clear objections to this statement. Firstly, while the other measures might reduce the risk of a password being hacked, not paying attention to case does make passwords easier to crack by a demonstrable order of magnitude. Why deliberately increase the level of risk?

More broadly, this kind of approach encourages poor password behaviour. It's hard enough to get people to follow good password practice, but banking is one of the areas where the risks of unauthorised access are obvious to everyone. It would be great to see the Commonwealth Bank take up the can-do attitude it keeps promoting in its current advertisements and say "We CAN help educate consumers about more secure passwords", but it evidently isn't going to happen.


Comments

    I think, that my only response here is simply >SIGH<

    Does the password strength indicator correctly show that a mix of upper and lowercase makes no difference? I don't have a CBA account to try myself, but am very curious...

      Nope.

      The strength rating it gives seems to be somewhat arbitrary and based roughly on the number of different characters you have and the length of your password (a 10-length password with 2 specials, 2 numbers and some characters scored 'Strong', which seems to be the highest rating).

    You can't sit there and brute-force a Netbank login. After a small number of failed attempts (possibly 3) the online account is disabled and can no longer be used until you phone up CBA customer support, prove who you are, and they re-enable your account and reset your password.

    In this aspect case really does not matter when you only get 3 attempts at a password.

      The problem is netbank allowing people to use their existing weak passwords, as most people use the same passwords for everything. Find out someone's Facebook password, and it is probably their netbank password. Their netbank client number may then be remembered by the website or the browser's autofill history.

        And how, pray tell, are the bank supposed to know you used the same password for Facebook?
        I don't recall them asking me where else I used the password last time I changed it.

        In any event, that is completely irrelevant to case sensitivity. You could have a ridiculous 256-character password full of lower, upper, specials & numbers, and if someone found it out, you're just as hosed as if you used "PASSWORD".

      +1 for Mark's comment. Also, most successful hacks use database dumps. If you steal the contents of the netbank login database, you can either brute force the passwords (if they are encrypted) or just log in (if they're stored in plaintext, which may be the case for the Commonwealth Bank).

      Never assume that you have enough security. It would cost more to recover stolen funds than it would to install an extra server to process login requests with stronger passwords.

    I know it's a bad look for the bank, but are they right - would case sensitivity make an appreciable difference? Do statistics on password strength based on brute force attacks really mean anything when your account is locked after a couple of incorrect logins?

    Sure, but I don't really know if that is a valid excuse for a poor password policy.

    That's a load of BS regarding password strength, etc.

    My password is only 6 characters, with 2 digits (I don't consider it strong), but as someone posted, you only get 3 attempts so the chance of a successful brute force hack is better than winning the jackpot.

      Most people use the same weak passwords for everything. If someone managed to find out your Facebook password, and you had your client number remembered on netbank.com.au, then they would most likely have access to your account.

        The "3 attempts and you're locked out" is still a pretty half-assed approach, because it's the perfect tool for someone to instigate a denial of service by attempting an attack on all accounts. And, hey, they might even get lucky on a few accounts because someone used "password1" or "Monday1"...

        A better approach is stronger passwords PLUS a timeout on locked accounts, e.g. 3 wrong attempts and you have to wait an hour. At 3 attempts per hour on a strong password, it could take centuries to guess, but without the risk of denying service to the legitimate users...
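The lockout-with-timeout policy proposed in the comment above, written out as an added example (this is illustration code, not anything from the bank or the commenter): a per-account guard that locks after a fixed number of failures and unlocks itself after a cooling-off period, alongside a function that bounds how many online guesses such a policy permits per year. The attempt limit, the one-hour timeout and the account names are assumed values chosen to match the comment.

```python
"""Added example: timed account lockout plus an online-guessing bound.
MAX_ATTEMPTS and LOCKOUT_SECONDS are assumptions taken from the comment
(3 wrong attempts, then wait an hour); nothing here is the bank's code."""
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3          # wrong guesses allowed before lockout (assumed)
LOCKOUT_SECONDS = 3600    # cooling-off period after lockout (assumed: one hour)


@dataclass
class LockoutState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class LoginGuard:
    """Tracks failed logins per account and enforces a timed lockout.

    Unlike a permanent 'phone the bank' lockout, the account unlocks itself
    after LOCKOUT_SECONDS, which limits the denial-of-service exposure of an
    attacker deliberately burning every account's attempts.  The clock is
    injectable so the behaviour can be tested without sleeping."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._state: dict[str, LockoutState] = {}

    def is_locked(self, account: str) -> bool:
        st = self._state.get(account)
        return st is not None and self._clock() < st.locked_until

    def attempt(self, account: str, password_ok: bool) -> str:
        """Record one login attempt; returns 'locked', 'ok' or 'failed'."""
        st = self._state.setdefault(account, LockoutState())
        now = self._clock()
        if now < st.locked_until:
            return "locked"            # rejected without counting the attempt
        if st.locked_until and now >= st.locked_until:
            st.failures, st.locked_until = 0, 0.0   # cooling-off expired
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
        return "failed"


def max_guesses_per_year(max_attempts: int = MAX_ATTEMPTS,
                         lockout_seconds: int = LOCKOUT_SECONDS) -> float:
    """Upper bound on online guesses against a single account per year."""
    return max_attempts * (365 * 24 * 3600 / lockout_seconds)


def years_to_exhaust(alphabet_size: int, length: int,
                     max_attempts: int = MAX_ATTEMPTS,
                     lockout_seconds: int = LOCKOUT_SECONDS) -> float:
    """Years needed to try every password of the given alphabet and length
    when the guard above is the only thing slowing the attacker down."""
    return alphabet_size ** length / max_guesses_per_year(max_attempts, lockout_seconds)


if __name__ == "__main__":
    # Constructed walk-through: three failures lock 'alice' for an hour.
    fake_now = [1_000.0]
    guard = LoginGuard(clock=lambda: fake_now[0])
    for _ in range(3):
        print(guard.attempt("alice", password_ok=False))
    print("locked:", guard.is_locked("alice"))
    fake_now[0] += LOCKOUT_SECONDS + 1
    print(guard.attempt("alice", password_ok=True))
    print(f"6-digit PIN: {years_to_exhaust(10, 6):.1f} years to exhaust online")
    print(f"8 lower-case letters: {years_to_exhaust(26, 8):.0f} years")
```

The online bound is what the comment is getting at: with 3 guesses per hour, even a six-digit numeric code takes decades to exhaust, and eight letters takes millions of years. That bound says nothing about an offline attack on a stolen hash database, which is why the later comments about salted hashing still matter.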

          Say someone did happen to stumble upon your creds and got into your account because you're stupid enough to use the same passwords for everything and you save your ID - to transfer money to an account you've never transferred to previously you still need to authenticate with netcode.
          This doesn't mean someone couldn't do anything malicious with your money if they happened to get into your account, but I would think the main objective would be to transfer the money somewhere where they can access it... which they wouldn't be able to achieve without also having access to either the user's mobile phone OR security token.

      Agreed. And I'll bet that CBA deliberately took this path because so many silly-billies (original word removed) kept maxing out their 3 attempts simply because they had caps lock on or forgot they had a capital in there somewhere... Don't forget that noobs use internet banking too.

    How about the "Waagh, I can't log in because my CAPS LOCK light is on" crowd?

      These are the types of people who shouldn't even use internet banking. They can call up and complain about not being able to log in, and hopefully be educated, when they learn of their own stupidity.

      And therein lies the most probable reason for CommBank's decision. It'll be to help reduce Help Desk costs. In help desks I've managed in the past, caps-lock-based support calls constituted a not-insignificant percentage of calls (and therefore centre costs). Throw in an added incentive for CommBank being that the non-aware customer doesn't get frustrated with the slightly added complexity of having to use the [Shift] key when typing a password (especially on mobile devices), which for the customer psychologically translates into "CommBank's system is much easier to use than {ABC}'s...".

    I find their attitude to be somewhat worrying. There is no such thing as too much security. It wouldn't be very difficult for them to start enforcing stronger passwords either. A strong password has a combination of uppercase letters, lowercase letters and numbers. I would say that 8 characters is a good length, and the trick is to try and avoid basing your password off a dictionary word. Criminals aren't stupid, and know that people spell words like password as p@$$word.

      Agreed. Not having case-sensitive passwords is pretty unusual -- would love to know why they took such a non-standard approach to this (cheaper, perhaps??).

        Generally speaking you have MORE work to do for case insensitivity than for case sensitivity.

        Being case insensitive in code requires you to (normally) lowercase or uppercase the entire string prior to storage and comparison.

    You think this is bad? My Westpac login forces a 6 character password length (no more, no less) AND it doesn't have 2-factor authentication.

      Yavuz, it's actually much worse than that. Westpac also doesn't allow non-alphanumeric characters. No !@#$%^& etc. Their passwords are 6 characters A-Z and 0-9.

      My Credit Union account password is 6 numbers long. No more, no less. Entered off a graphical keypad at login time.

    I swear... if I have to start pressing shift and what not because of your fear-mongering I will be really pissed... grrrr

      You can still create a much less secure, entirely lower case password if you want to.... But those of us that want the extra security due to case sensitivity should be able to get it.

      Besides, is it really that hard to type out a capital letter?

      I suppose you want to be able to have short passwords using dictionary words also?

    http://xkcd.com/936/

      So you're saying I should change all my passwords to correct horse battery staple?

      You should be the one writing the articles. I'm shocked that the author didn't even mention XKCD. This is Gizmodo though.

      Also, CBA is right. Case doesn't matter. If they'll compensate you for any unauthorized transactions, who cares? Their other security measures are sufficient anyway.

    Just checked, St. George isn't case sensitive either.

    What worries me is that if the password checking is not case sensitive, it implies that passwords are being stored unencrypted in some database.

    Really? Unencrypted passwords CommBank? Hope you've got some seriously hack-proof layers around your data structures!

      md5(salt(upper(enteredpassword)))

      What implies they're unencrypted?

      As Jay pointed out, it's trivially easy to convert to uppercase (or lower case) prior to hashing.

    Westpac is WAY worse. 6 characters only, no caps either.

    It really doesn't matter. Encryption/probability that university teaches you will show that the difference is negligible, e.g. 2 billion years vs 200 billion years. FYI Blizzard does the same thing.

    Where brute-forcing has been effectively defended against, password complexity becomes significantly less relevant. It is usually no longer worth an attacker's time. Exponentially easier to install a keylogger/trojan or phish. So this decision has little impact on attackers. But for a large segment of less technically proficient customers, this decision improves the experience.

    I would imagine this check has been done:

    (Cost of performing authenticated password resets + cost of maintaining support for customers who might otherwise avoid online banking as a hassle) > (cost of insuring accounts hacked via correctly guessing the password)

    Whether it's 'necessary' or not, I think it's good to have it, a) as a good look for the bank and b) as good practice. Having an indicator "Your caps lock is on" would solve many problems for the illiterate. Not so hard.

    But I mean, okay, requirements: a lower case, upper case, symbol and number and no less than 8 characters: "Password1."

    Say what you will about added security, but the 'dumb' passwords are always going to be found no matter the restrictions. Time we start looking past passwords?

    Simply put, you can't 'guess' the password, case sensitive or not. Article is a moot point.

    also going with their new advertising campaign , you can't use the letter T ...

    With regards to the password database, their system should, ideally, use a one-way cryptographic hash function that is salted. If the system doesn't care about case, how are submitted passwords being processed both when they are initially set by the user and when they are submitted upon attempting to login? Would the system store hashes for every possible case-combination of your password? I don't think so. So then, are passwords being stored in a less secure manner than simple password hashing? Possibly.

    I would not at all be surprised if they store passwords in plain text or if they encrypt (not hash) them in a way that they are able to decrypt them with a key (which could even be kept on the same server as the database).

    Maybe there's something missing, but I'm not particularly impressed with either the apparently lax password processing system employed by the CBA or with their response to questions regarding its level of security.

    PS: To those implying that brute force attacks have been effectively prevented due to the CBA's limited number of allowed login attempts until you are locked out: what happens when an unauthorised person retrieves the password database from the CBA servers? What security is present to prevent the act of brute forcing once someone has the database themselves? The answer is none. Thus, other measures (read: salted password hashing) are required to better secure the information.

    They wouldn't store every case combination of a password. Before the password is initially salted and hashed, it would be converted to all upper or lower case (it's not even an extra line of code, really...). Then on subsequent logins the same operation would be performed before the comparison is made.

    If the systems are compromised such that the attackers are able to get a hold of paired user ids and password hashes to brute-force/rainbow-table against, a good salt should help protect; but the bank has larger issues if their system is vulnerable enough to let that happen.

    Still, a hacker is going to get best ROI through phishing scams or compromising your local pc with a trojan/keylogger; that is still the weakest link in the security chain. Some form of 2-factor authentication is the best way to guard against this, and it is in play. If the bank were to find the incidence of successful hacks increasing beyond acceptable levels to insure/compensate against, I reckon they'd improve their implementation of 2-factor before they'd worry about password complexity.
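The two preceding comments (the question of how a case-insensitive system could store passwords safely, and the answer that the password is simply case-folded before it is salted and hashed) written out as an added example. This is illustration code, not the bank's system and not any commenter's code: it normalises case, stores only a per-user random salt and a one-way hash, verifies in constant time, and quantifies the search-space reduction the article calls an "order of magnitude". PBKDF2-HMAC-SHA256 with an assumed iteration count stands in for the MD5 mentioned upstream; the passwords and the iteration count are constructed for the example.

```python
"""Added example: case-insensitive matching on top of salted one-way hashes.
The iteration count and sample passwords are assumptions for illustration;
nothing here is the bank's implementation."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed; production should use far more, or a memory-hard KDF


def normalise(password: str) -> str:
    """The entire case-insensitivity mechanism: fold case before hashing.
    Nothing ever needs to be decrypted or compared in plaintext."""
    return password.casefold()


def make_record(password: str) -> tuple[bytes, bytes]:
    """Return (salt, hash) for storage. A fresh random salt per user means two
    users with the same password get different hashes and precomputed
    rainbow tables are useless against the dump."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(password).encode(),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", normalise(password).encode(),
                                    salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def case_variants(password: str) -> int:
    """How many distinct case spellings collapse onto one stored hash.
    Every letter with an upper/lower form doubles the count."""
    letters = sum(1 for c in password if c.isalpha() and c.lower() != c.upper())
    return 2 ** letters


def offline_keyspace(length: int, case_sensitive: bool, digits: bool = True) -> int:
    """Candidates an attacker with the stolen hash must try for alphanumeric
    passwords of a fixed length, with and without case folding."""
    alphabet = (52 if case_sensitive else 26) + (10 if digits else 0)
    return alphabet ** length


if __name__ == "__main__":
    # Constructed user: the stored record never contains the password itself.
    salt, digest = make_record("CorrectHorse")
    print("stored:", salt.hex(), digest.hex())
    print("same password, different case:", verify("correcthorse", salt, digest))
    print("wrong password:", verify("correcthorse1", salt, digest))
    print("spellings collapsed:", case_variants("CorrectHorse"))
    ratio = offline_keyspace(8, True) / offline_keyspace(8, False)
    print(f"8-char alphanumeric space shrinks by {ratio:.0f}x when case is ignored")
```

Two things the code makes concrete: case-insensitivity is one `casefold()` call in front of an otherwise ordinary salted hash, so it implies nothing about plaintext storage; and the cost of that call is paid entirely by whoever steals the hash table, since the 8-character alphanumeric search space is roughly 77 times smaller (256 times smaller for letters alone), a reduction the lockout policy does nothing about.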

    Sure, CBA's password policy may be lacklustre at best, but the multi-layer protection statement has a point. Someone attempted to hack my wife's netbank account; after 3 attempts, and obviously someone trying to use the password reset feature, she received a text on her phone.

    We were both watching a movie, no one else knew her details, so clearly it wasn't her. One call to CBA 24-hour support and the logon was disabled. Better still, they WOULDN'T reset it until she went into a branch and reset it there with proof of ID, and a new password and secret questions, and SMS authentication. Impossible unless your identity was stolen along with your mobile.

    Enough to rattle the nerves and get me to set up credit report alerts at least. But proof that if there's an issue, they get on it pretty quickly with no fuss. Surprising from a bank!

    You know I can hack any business account with any bank. I found a loophole in a system run by our fantastic government; it takes a little research into your target, you can empty their accounts and be gone before anyone will realise what happened, and yes, it's been tested and proven to work.
