CapitalOne has the most secure password system - TheRealPomax
https://www.capitaloneonline.co.uk/CapitalOne_Consumer/Login.do

======
coreyp_1
Ouch! This means that they are storing your original password in plaintext
somewhere, and that is definitely _NOT_ best practices!

~~~
lappa
They may be storing the three characters as a hash separately, not that that
is much better.

~~~
bitsutah
So I just need a pre-hashed table of all 80 possible single chars for a lookup
table?

That is worse than a hash of SSNs.

~~~
lappa
You check 3 characters, not 1, but like I said, 80^3 still isn't good.
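To put a number on the "80^3 still isn't good" point, here is an added illustration (not from the thread, and not CapitalOne's actual scheme): it stores a salted SHA-256 of just the three requested characters, then shows that the whole answer space can be enumerated in well under a second, so such a record protects the characters no better than plaintext. The 80-character alphabet, the salt and the password are constructed.

```python
import hashlib
import itertools
import string

# Constructed 80-character alphabet (52 letters + 10 digits + 18 symbols),
# matching the "80 possible single chars" figure used in the thread.
ALPHABET = string.ascii_letters + string.digits + string.punctuation[:18]
assert len(ALPHABET) == 80


def candidate_space(alphabet_size: int, chars_asked: int) -> int:
    """Number of distinct answers to a 'give me N characters' challenge."""
    return alphabet_size ** chars_asked


def store_challenge(password: str, positions: tuple, salt: bytes) -> bytes:
    """Hypothetical per-challenge record: a salted hash of only the requested
    characters. This is a constructed model, not the bank's known scheme."""
    answer = "".join(password[i] for i in positions).encode()
    return hashlib.sha256(salt + answer).digest()


def recover_answer(record: bytes, salt: bytes, chars_asked: int,
                   alphabet: str = ALPHABET):
    """Exhaustively test every possible answer against the stored record.
    Returns (recovered characters, number of candidates tried); the salt does
    not help because the candidate space is tiny, unlike a full password."""
    for tried, combo in enumerate(itertools.product(alphabet, repeat=chars_asked), 1):
        guess = "".join(combo).encode()
        if hashlib.sha256(salt + guess).digest() == record:
            return "".join(combo), tried
    return None, candidate_space(len(alphabet), chars_asked)


if __name__ == "__main__":
    salt = b"constructed-salt"          # constructed value
    password = "Tr0ub4dor&3"            # constructed value
    positions = (1, 4, 6)               # e.g. "enter characters 2, 5 and 7"
    record = store_challenge(password, positions, salt)
    chars, tried = recover_answer(record, salt, len(positions))
    print(f"space={candidate_space(80, 3):,} recovered={chars!r} after {tried:,} guesses")
    print(f"full 12-char password space: {candidate_space(80, 12):.2e}")
```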

------
Splendor
I think it's important to call attention to these issues, but can we change
the sarcastic title?

~~~
TheRealPomax
I see no reason to? This is a UK bank, not observing security, UK levels of
sarcasm are entirely in order.

------
jdefelice
I remember a while back I created a CapitalOne account and I put in a long
password which it accepted; when I tried to login it wouldn't work, so I reset
my password, very carefully typing it. The password reset was successful, I
tried to login and nope, didn't work. Third time reset I realised they have a
max password length and were truncating my password: as my original password
was past their max length they would accept it, truncate without telling me, and
store it. This was the CapitalOne in the US.

~~~
kitchen
I use 1password and run into this problem so frequently it makes me rage.

~~~
ggvvnn
I usually use the DOM inspector to check for a maxlength, but really wish I
didn't have to do that. >.<

------
brechmos
That is going to make lastpass hard to use for the site.

------
willglynn
Also, they don't support any kind of two-factor authentication, and have no
plans to add that:
https://twitter.com/AskCapitalOne/status/504679257239719938

~~~
toromei
Maybe they think 'tick the box' and 'enter character N from your password' are
additional factors. :p

------
sprkyco
It also appends some garbage to the username, validates it and then proceeds
with the random char grab....weird

    var results = document.cookie.match ( '(^|;) ?' +    "Username" + '=([^;]*)(;|$)' );

~~~
cerocool
Some sort of bs client-side salt?

------
bjacokes
Fidelity's phone system lets you authenticate by typing your password on the
phone keypad. On the plus side, this is probably the only time I've understood
the technical reason behind a limited password alphabet.

------
LeoPanthera
In my experience, most UK banks do the same thing. Their excuse is that it
prevents keylogger attacks. I do not know enough to say whether it's an
acceptable trade-off or not.

~~~
adrianpike
Seeing as I've been the victim of a half dozen or so password leaks, one
credit card clone, and not a single keylogger attack, I'd probably err on the
side of secure password storage, but that's just me.

------
krallja
HSBC has this: single-letters from your "secret word", in addition to an
actual full passphrase.

------
bcg1
Is there another step after this one? Or does this get you in?

------
BenTheElder
Why would anyone think this was a good idea?

~~~
toromei
This is the definition of 'security theater': take off your shoes, spin
around, hop on one foot. Many consumers mistake having to jump through hoops
over a flaming pile of poo for 'more secure'. So it goes. :(

Edit: I'm a U.S. CapitalOne customer, and I just know that if they do that to
my login, I will close my account faster than you can say, “Warning: do not
tick”. Good security doesn't need to be a hassle. And I'm happy to find
another company that actually understands that.

~~~
BenTheElder
Honestly don't all of the US banking and credit card companies do this sort of
'security theater'? While this seems pretty absurd, I'm not aware of any that
don't have mediocre to poor password practices.

~~~
toromei
Simple.com is pretty awesome. I'm sure there are others as well, but yes --
they are in the minority. :/

