

My Bank is a Security Vulnerability - hodgesmr
http://matthodges.com/2012/06/my-bank-is-a-security-vulnerability/

======
onedognight
I suspect not. Your bank, unlike some random website, likely salts their
passwords, will disable your account after a few failed attempts, and will ban
IPs after a few failed attempts spread across accounts, tracks who you've sent
and received money from so they can reverse transactions that are fraudulent,
and artificially rate limits the whole process so that it can't get out of
hand too quickly.

The OP (ostensibly) using the same password at their bank and at LinkedIn,
however, _is_ a security vulnerability.

------
mgkimsal
Unfortunately, nothing all that new:

[http://michaelkimsal.com/blog/mind-blowing-security-practice...](http://michaelkimsal.com/blog/mind-blowing-security-practice/)

IMG -> [http://michaelkimsal.com/blog/wp-content/uploads/2011/06/Scr...](http://michaelkimsal.com/blog/wp-content/uploads/2011/06/Screen-shot-2011-04-06-at-6.34.33-PM.png)

------
jimrandomh
The author has completely misunderstood the problem. The problem is not using
passwords that are too short. The problem is sharing passwords between sites.
12 characters is plenty, but no password length will protect you if you use
the same password everywhere.

Also, your bank is not the most important password you have. That would be
your email, which is used to reset all other passwords.

~~~
hodgesmr
As the author, allow me to address this.

I agree with your statement that sharing passwords between sites is a bad
idea. And I don't do it. But I would assert that longer passwords of wider
character sets will be harder to crack if a database is compromised--as was
the case with LinkedIn. If my password is 8 characters, alphanumeric, it
doesn't matter if it's original to that site. If there's a compromise, I'm not
going to be in a good place.

Also, my bank doesn't allow for password resets via email. But I would agree
that my email account is at the top as well. Fortunately, Google is much
smarter about their password rules.

