
Who’s who of bad password practices – banks, airlines and more - bluesmoon
http://www.troyhunt.com/2011/01/whos-who-of-bad-password-practices.html
======
lelele
Actually, having no "https://" in the browser address bar does not mean
your password is being sent unencrypted. The password could be going to an
"https://" form. I discovered this when I tried registering an online bank
account and was stunned at not seeing "https://". A right-click on the form,
however, showed the form _was_ encrypted, just like a note on the form said.

I'm still convinced that this is bad UI, however.

To tell you the whole story: once I gave up on that online bank and
switched to another one, which had proper security measures in place when
dealing with passwords during registration, the latter immediately sent
me a confirmation mail with my credentials! Damage done already.

EDIT: Moreover, having a weak password isn't that big a deal _provided there
is a maximum attempt count_. For instance, my online account password isn't
that strong, but after three failed attempts they lock your account.

~~~
bluesmoon
If you read the entire article, he actually covers this point. In short,
without SSL on the login page, you're susceptible to DNS poisoning attacks
(think logging in to your airline's frequent flier program from an airport's
free wifi). Secondly, he shows that most of the sites don't even submit to an
SSL URL.

------
Locke1689
As I said in a previous conversation with tptacek, I support OpenID-only
mostly because I think some developers strain their intelligence making toast.
These examples don't exactly disillusion me. The only case where I can see
that security would be a legitimately difficult thing to add on would be some
of the banks (which may have to interface with ancient authentication systems
which can't support a secure password).

~~~
bluesmoon
My bank in India has multiple passwords for different kinds of access. I have
one password to get web access, a PIN to get phone/ATM access (since
most phones don't have full keyboards) and a third password to actually
transfer money from my web account. The session timeout is 5 minutes of
inactivity, and if you use the back button your session is invalidated. It's
annoying.

