'Verified by Visa' Forces Users to Select Weak Passwords - mrb
http://blog.zorinaq.com/?e=54

======
corin_
Unless I'm missing some technical trick, passwords are actually stored in
plain text, not hashed at all. My reason for this assumption is that in some
cases (I think it depends on card provider), instead of typing in the
password, you just type in 3 specified characters from it (e.g. "please enter
the 3rd, 5th and 6th characters"); this is certainly the case for my Visa
debit cards from Barclays.

Is there any way they could verify a single character against a hash, or am I
right in thinking it has to be stored plain text?

So many websites have annoyingly dumb password rules, just yesterday I was
told that my "use this on a bunch of sites I don't really care about" password
(which is long and contains upper/lower/numeric/special characters) couldn't
be used because it had "recurring letters", i.e. the same letter was next to
itself in one occasion. Therefore my password for that site is now
"fuckingcunts", in my childish hope that some day that company will ask for my
password over the phone.

~~~
palish
If it were possible to verify a single character in a hash, then you could
attack a hash by verifying the first character, then the second character,
etc, until it results in the hash.

So nope. Not possible.
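An added illustration of the point made in this exchange (example code, not from anyone in the thread): the only hash-based design that can answer "enter the 3rd, 5th and 6th characters" is one hash per character position, and such a store is no better than plaintext, because each position is independently checkable against at most 94 printable characters. A whole-password hash, by contrast, can say nothing about individual characters. SHA-256 stands in for whatever password hash a real system would use (a slow KDF in practice); the salt and the password are constructed values.

```python
import hashlib
import hmac
import string

# 94 printable ASCII characters: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def hash_whole(password: str, salt: bytes) -> bytes:
    """Sound design: one salted hash over the entire password.
    It cannot answer 'is the 3rd character X?', only 'is the whole password P?'."""
    return hashlib.sha256(salt + password.encode()).digest()


def verify_whole(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_whole(password, salt), digest)


def hash_per_position(password: str, salt: bytes) -> list[bytes]:
    """The only hash-based layout that can serve a partial-character challenge:
    a separate salted hash for each (position, character) pair."""
    return [hashlib.sha256(salt + bytes([i]) + ch.encode()).digest()
            for i, ch in enumerate(password)]


def verify_position(position: int, ch: str, salt: bytes, digests: list[bytes]) -> bool:
    """Answer a single-character challenge from the per-position store."""
    candidate = hashlib.sha256(salt + bytes([position]) + ch.encode()).digest()
    return hmac.compare_digest(candidate, digests[position])


def recover_from_per_position(salt: bytes, digests: list[bytes]) -> tuple[str, int]:
    """Show why the per-position store is equivalent to plaintext: each position is
    independent, so recovering the whole password costs at most 94 checks per
    character, not 94**length. Returns (recovered password, checks performed)."""
    recovered = []
    checks = 0
    for pos in range(len(digests)):
        for ch in ALPHABET:
            checks += 1
            if verify_position(pos, ch, salt, digests):
                recovered.append(ch)
                break
    return "".join(recovered), checks


def whole_password_work_factor(length: int) -> int:
    """Guesses needed against a whole-password hash with no per-character oracle."""
    return len(ALPHABET) ** length


if __name__ == "__main__":
    salt = b"constructed-salt"          # constructed sample value
    password = "Pa55word"               # constructed sample value
    pw, checks = recover_from_per_position(salt, hash_per_position(password, salt))
    print(f"per-position store: recovered {pw!r} in {checks} checks")
    print(f"whole-password hash: up to {whole_password_work_factor(len(password))} guesses")
```

The per-position store leaks the password in a few hundred checks, so a scheme that can grade individual characters must be treated as storing the password in clear, whatever encoding wraps it.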

~~~
corin_
Well, for example, the suggestion from colinhowe.

------
mquander
I always get double freaked out when I see requirements like that, because I
assume that the "special characters" restriction is required for some
homebrewed crap rot13-style idea they have for obfuscating the passwords
instead of hashing them. I literally can't imagine how such a restriction
would arise unless they have a bigger problem.

~~~
djcapelis
I always assume there's old mainframe code involved whenever I see a
requirement that says "less than 8".

Especially in the financial sector.

Mainframes are weird. They are still used in a lot of places and don't play by
sensible rules. People still run these systems with 24x7 operations staff, as
in, there is someone sitting in front of the mainframe console at all times.

It is a crazy world out there and a lot of people still use these systems to
do terrifyingly important things.

~~~
thaumaturgy
Mainframes are still in use partly because (until perhaps very recently), they
are bar-none when it comes to high-availability and disaster recovery.

I did some work in COBOL on a Unisys mainframe back in the late 90s, and I'm
still impressed by that thing. You could walk over, pull the plug on it while
it was in the middle of running a payroll job, a finance job, and half a dozen
other things. Plug it back in, wait a few minutes, and it would pick up right
where it left off. No data corruption, no other hassles.

Migrating away from that thing was often discussed, but it would have been a
tremendous hassle. For one, there was no simple way to migrate the huge
volumes of data off of it; for another, even if you could, decoding it would
have been a neat challenge. Then there was the matter of all the years of
business logic that, while not pretty, worked with very few problems.

...and this was just for a school district in the East Bay. I can't imagine
what it would look like for a big financial company.

~~~
djcapelis
Mainframes are very much impressive; I've worked with one before. They just
operate very, very differently from the "open computing" environment that we're
all used to.

Once you rely on a mainframe the cost of continuing to operate it, while
fairly large, is hilariously less expensive than moving all that code and data
elsewhere. Especially given you will have to test all the code again and most
people don't even know what it all does anymore, much less how to make sure
it's doing it correctly.

------
jrockway
Well, the idea is that your account is irrevocably locked out if you guess the
password wrong 3 times. So the size of the keyspace does not really matter.
The attack on this system is calling Visa and pretending to be you, not
guessing passwords.

Remember: when you are using a credit card, you are spending the bank's money,
not your own. So if the bank doesn't want you to use a long password, it's
their loss when someone compromises their database. You say "that charge was
not authorized" and the bank eats the loss.

This is different than an email or Twitter password, because when someone
compromises your email or Twitter account, the damage to your reputation is
_your_ problem. But credit cards are different: it's not your stuff at stake,
so you shouldn't really care about how they do security. Their goal is to
reduce fraud without stopping you from using your card.

~~~
mrb
Online bruteforcing attacks basically don't matter.

I am guessing you did not read the end of my post giving 3 other reasons why
the keyspace size does matter (no. 1 being for PCI DSS compliance).

~~~
tzs
Does PCI apply to the credit card associations?

~~~
bigiain
That's a really good question... I wonder?

------
stanmancan
My bank's password system is terrible. It must be between 6-8 characters long,
and no special characters allowed. When I originally created my password, I
didn't read the rules and typed one of my "usual" ones in. It consisted of a
dictionary word, followed by a series of numbers and special characters.

Because of their inferior UI, I never noticed my password was getting
truncated at 8 characters long, which just so happens to be the length of the
dictionary word. For almost 4 years my bank's password was an eight character
dictionary word instead of the 'slightly more secure' 14 character version I
thought I was using all along.
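An added example of the failure mode this post describes (example code, not from the poster or any bank): the vulnerable pattern silently cuts the input to the field width before hashing, so the 8-character prefix of a 14-character password authenticates on its own and the user never learns that the rest was dropped. The corrected pattern rejects anything the back end cannot store in full, so the limit is visible at enrollment. The third helper is the black-box check a defender can run against any credential store: does the truncated prefix of a longer password verify? SHA-256 stands in for a real password hash; the 8-character limit, salt and sample password are constructed to mirror the post.

```python
import hashlib
import hmac

MAX_LEN = 8   # constructed limit, mirroring the "6-8 characters" rule in the post
MIN_LEN = 6


class PasswordPolicyError(ValueError):
    """Raised when a password is outside the policy the back end can store."""


def enroll_truncating(password: str, salt: bytes) -> bytes:
    """Vulnerable pattern: slice to the field width, then hash.
    Everything past position MAX_LEN never reaches the hash."""
    return hashlib.sha256(salt + password[:MAX_LEN].encode()).digest()


def verify_truncating(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(enroll_truncating(password, salt), digest)


def enroll_strict(password: str, salt: bytes) -> bytes:
    """Corrected pattern: refuse anything that would be cut, so the user sees
    the limit at enrollment rather than discovering it years later."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        raise PasswordPolicyError(
            f"password must be {MIN_LEN}-{MAX_LEN} characters; got {len(password)}")
    return hashlib.sha256(salt + password.encode()).digest()


def verify_strict(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(salt + password.encode()).digest(), digest)


def enroll_full(password: str, salt: bytes) -> bytes:
    """No artificial limit: the whole password is hashed."""
    return hashlib.sha256(salt + password.encode()).digest()


def verify_full(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(enroll_full(password, salt), digest)


def truncation_check(enroll, verify, password: str, salt: bytes) -> str:
    """Black-box test of a credential store's handling of over-length input.
    Returns one of: 'rejected' (limit enforced visibly), 'silently_truncated'
    (the prefix authenticates), 'stored_in_full' (prefix does not authenticate)."""
    if len(password) <= MAX_LEN:
        raise ValueError("use a password longer than MAX_LEN to probe truncation")
    try:
        digest = enroll(password, salt)
    except PasswordPolicyError:
        return "rejected"
    if verify(password[:MAX_LEN], salt, digest):
        return "silently_truncated"
    return "stored_in_full"


if __name__ == "__main__":
    salt = b"constructed-salt"        # constructed sample value
    password = "password!#7Z9x"       # constructed: 8-letter word + digits/symbols, 14 chars
    for name, enroll, verify in [("truncating", enroll_truncating, verify_truncating),
                                 ("strict", enroll_strict, verify_strict),
                                 ("full", enroll_full, verify_full)]:
        print(f"{name:11s}: {truncation_check(enroll, verify, password, salt)}")
```

The check is the same one a reviewer would put in a regression suite: enroll a password longer than the field, then try to authenticate with only its prefix. A "silently_truncated" result means the effective password is whatever fits in the field, as in the post.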

------
mvzink
I'm surprised by the number of financial services I use that have forced me to
use a weak password. It's appalling.

------
stock_toaster
I very much dislike Verified by Visa.

I would much rather Visa allowed generation of single use CC numbers backed by
a user-specified monetary amount, for online shopping. I think Discover card
used to do this (not sure if they still do). That always seemed like a better
idea to me.

------
X-Istence
Verified by MasterCard or whatever their program is called has the same
restriction, and it doesn't make any sense. First time I saw the form I called
my bank to verify that I was supposed to be seeing that form and that it was
safe to enter my data.

------
grantjgordon
American Express does the same thing!! My user name is actually twice as long
as my password by virtue of their restriction.... It seems like they're
actually hoping for a PR disaster.

------
Schmidt
I have to sign my purchases with an OTP generated by a small card reader and my
card (+ PIN for the card)...

------
MortenK
That's quite odd. My Verified by Visa password is significantly longer than 8
letters.

