My bank forces me to use 6 digits as a password for online services - jfoucher

I just told labanquepostale.fr about this issue via their internal messaging system, and they justify it by saying that I also have to input a 10 character identifier, and that their "virtual keyboard" changes the arrangement of the digits at each logon.

How can this be secure? If it's not, what would be good arguments to get them to think about changing it?
======
Someone1234
They often do stuff like this so it is easier to verify a customer via a phone
system (e.g. "enter your pin now!").

But, yes, it is bad practice and lazy. They could trivially have a "phone pin"
or just verify security questions over the phone like almost every other bank
on the planet.

As nodata quite correctly pointed out, it could be made secure by locking out
your account after a very short number of tries (e.g. 5). Then requiring
telephone or email verification to re-enable it. That would stop brute force,
dictionary, and distributed versions of the same from effectively working no
matter how small the password space is.

In my experience companies who enforce things like a 6 character password are
not the kind who will sit there and calculate out the attempts/minute and
"time to break (TTB)."

Plus the thing they said about their virtual keyboard shows utter ignorance
and incompetence. Professional keyloggers don't literally log your keys! They
hook into the network stack or browser and literally grab completed POST
HTTP/s requests, so a virtual keyboard adds nothing at all security wise (and
arguably makes it easier for someone to shoulder surf you, even if that threat
is highly overblown and rarely exists).

So, yeah... Good luck convincing them. Whoever works there and is making security
decisions is clearly incompetent, and it will likely take internal rather than
external pressure for that to change.
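An added example (not code from any commenter or from the bank) that puts numbers on the argument above: a server-side lockout after 5 wrong PINs as Someone1234 suggests, the per-account success probability that remains, and how much the 10^6 keyspace shrinks if customers pick a birthdate as wikwocket notes. The 1920-2019 birth-year range and the hash rate used in the test are constructed assumptions.

```python
import hmac
from datetime import date, timedelta

PIN_SPACE = 10 ** 6  # every string 000000..999999


def date_shaped_pin_count(first_year=1920, last_year=2019):
    """Count distinct DDMMYY strings that are real dates in the year range
    (constructed assumption: customers pick a birthdate from 1920-2019)."""
    seen = set()
    day = date(first_year, 1, 1)
    while day <= date(last_year, 12, 31):
        seen.add(day.strftime("%d%m%y"))
        day += timedelta(days=1)
    return len(seen)


class LockoutPolicy:
    """Server-side counter: lock after max_failures wrong PINs; re-enable only out of band."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()

    def attempt(self, account, submitted_pin, stored_pin):
        if account in self.locked:
            return "locked"  # nothing is evaluated once the account is locked
        if hmac.compare_digest(submitted_pin, stored_pin):
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked.add(account)
            return "locked"
        return "fail"

    def reenable(self, account):
        """Call only after telephone or e-mail verification of the customer."""
        self.locked.discard(account)
        self.failures.pop(account, None)


def online_success_probability(policy, candidate_space):
    """Chance of opening one account when only max_failures guesses are possible
    and the PIN is uniform over candidate_space (no retry after lockout)."""
    return min(1.0, policy.max_failures / candidate_space)


def offline_exhaust_seconds(candidate_space, hashes_per_second):
    """Time to try every candidate against a leaked salted hash (Dublum's scenario)."""
    return candidate_space / hashes_per_second
```

With the lockout in place the online risk per account is 5 in a million (or 5 in ~36,500 for date-shaped PINs); without it, or with a leaked hash, the whole 6-digit space is exhausted in about a second at a modest hash rate.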

~~~
Dublum
It makes it more secure, but not fully. If the password hashes ever got dumped
via other means, the effort required to brute force those hashes (even salted)
would still be far less than you want it to be.

------
nodata
It depends on how quickly they lock your account if the wrong password is
entered.

If they lock it after three goes, how is a 6 digit password less secure than a
100 character password?

~~~
wikwocket
6 digits are less secure than 100 characters because when asked to generate a
6 digit password, many _many_ people will pick their birthdate, wedding
anniversary, or children's birthdate.

With an alphanumeric password, many people will still pick a variation of
"password12345" or "letmein!!", but at least then their banking password is
not literally posted on their public Facebook page. :)

------
milanstosic
Well, it might be secure from their point of view, but from the user's (yours)
it is definitely too annoying. I'm sure that it's not easy to update/migrate to a new
security system, but some solutions are just crying to be updated.

Btw, I found this tweet that describes the bank's security measures :)
[https://twitter.com/webchaeschtli/status/462584313209696258](https://twitter.com/webchaeschtli/status/462584313209696258)

------
opless
IME they just ignore the public