We reported earlier today that the Commonwealth Bank's NetBank service, somewhat remarkably, treats passwords as case-insensitive: it doesn't distinguish between capital and lower-case letters. We've just received an official statement from the bank on this issue, which boils down to: the bank believes its other security layers are effective enough that the weakening caused by ignoring case doesn't matter.
Here's the statement from the bank:
We have multiple layers of security to protect NetBank customers, including the requirement for complex passwords. The password requirements make it impractical for someone to try and guess a customer’s password, regardless of case sensitivity. In addition, our password strength indicator assists customers in choosing a strong password.
We have other security measures in place to protect customers, including two-factor authentication and extensive monitoring to identify malicious or fraudulent activity. NetBank customers are also covered by our 100% security guarantee, which means customers are covered for any loss should someone make an unauthorised transaction on their account using NetBank.
There are two clear objections to this statement. Firstly, while the other measures may reduce the risk of a password being compromised, ignoring case makes passwords measurably easier to guess, and the loss grows with password length: each letter position offers 26 distinguishable values instead of 52, so for an eight-character alphanumeric password the space an attacker has to search shrinks from 62^8 to 36^8, roughly 77-fold, close to two orders of magnitude. Why deliberately add that risk?
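To make the keyspace argument concrete, here is an added example (not code from the bank, NetBank or the original article). It computes the effective keyspace with and without case sensitivity, counts how many capitalisations of a word an attacker must try under each policy, and models a case-insensitive verifier the way such a check is usually implemented: by lower-casing the password before hashing and comparing. That storage model, the PBKDF2 parameters (iteration count lowered so the demo runs quickly) and the sample password `SeCrEt1` are assumptions for illustration, not anything the bank has disclosed.

```python
"""Effect of case-insensitive password checking on guessing cost.

Added example for this article; not the bank's code. The verifier model,
hash parameters and sample passwords below are constructed assumptions.
"""
import hashlib
import hmac
import itertools
import os
import string

LETTERS = string.ascii_letters      # 52 symbols when case matters
LOWER = string.ascii_lowercase      # 26 symbols once case is folded
DIGITS = string.digits              # 10 symbols either way
ITERATIONS = 10_000                 # assumption: lowered for a quick demo


def keyspace(length: int, case_sensitive: bool) -> int:
    """Distinct alphanumeric passwords of `length` the verifier can tell apart."""
    alphabet = (LETTERS if case_sensitive else LOWER) + DIGITS
    return len(alphabet) ** length


def reduction_factor(length: int) -> float:
    """How many times smaller the effective keyspace is when case is ignored.
    Grows exponentially with length: ~1.7 per character."""
    return keyspace(length, True) / keyspace(length, False)


def case_variants(word: str) -> int:
    """Number of distinct capitalisations of `word`. A case-insensitive
    verifier collapses all of them into a single guess."""
    return 2 ** sum(c.isalpha() for c in word)


def make_record(password: str, case_sensitive: bool) -> tuple[bytes, bytes]:
    """Constructed model of the stored credential: salted PBKDF2 over the
    password, lower-cased first when the policy ignores case."""
    salt = os.urandom(16)
    normalised = password if case_sensitive else password.lower()
    digest = hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, ITERATIONS)
    return salt, digest


def verify(record: tuple[bytes, bytes], candidate: str, case_sensitive: bool) -> bool:
    """Check a login attempt against the stored record (constant-time compare)."""
    salt, digest = record
    normalised = candidate if case_sensitive else candidate.lower()
    guess = hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, ITERATIONS)
    return hmac.compare_digest(guess, digest)


def guesses_to_crack(record: tuple[bytes, bytes], base_word: str, case_sensitive: bool) -> int:
    """Attacker who knows the base word but not its capitalisation tries every
    case variant. Returns the number of guesses made before one was accepted,
    or 0 if none matched."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in base_word]
    for count, combo in enumerate(itertools.product(*choices), start=1):
        if verify(record, "".join(combo), case_sensitive):
            return count
    return 0


if __name__ == "__main__":
    for n in (6, 8, 10, 12):
        print(f"length {n:2d}: case-sensitive {keyspace(n, True):.2e}, "
              f"folded {keyspace(n, False):.2e}, {reduction_factor(n):.0f}x smaller")

    secret = "SeCrEt1"  # constructed sample password
    print(f"'{secret}' has {case_variants(secret)} capitalisations")
    strict = make_record(secret, case_sensitive=True)
    folded = make_record(secret, case_sensitive=False)
    print("case-sensitive verifier: guesses needed =",
          guesses_to_crack(strict, secret.lower(), True))
    print("case-insensitive verifier: guesses needed =",
          guesses_to_crack(folded, secret.lower(), False))
```

Run it and the second pair of numbers makes the point: against the strict verifier the attacker has to work through the 64 capitalisations of the seven-character word, while the case-folding verifier accepts the very first all-lower-case guess. The same collapse applies to offline cracking if the stored hash is computed over the folded password, which is the usual way a case-insensitive check is built.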
More broadly, this kind of approach encourages poor password behaviour: telling customers that case doesn't matter on their bank login undermines the advice, given everywhere else, that mixing upper and lower case is part of a strong password. It's hard enough to get people to follow good password practice, but banking is one of the areas where the risks of unauthorised access are obvious to everyone. It would be great to see the Commonwealth Bank take up the can-do attitude it keeps promoting in its current advertisements and say "We CAN help educate consumers about more secure passwords", but it evidently isn't going to happen.