Are there any password managers that can cope with the "pick characters 3, 5 and 11 from your password" security challenges?
Santander has just moved to that, and if you have a secure unique password it's a pain.
<RANT>Santander also require that the password is max 16 chars and alpha-numeric only. Because security, or something. The mere fact that they want me to pick certain characters from it already tells me that the password isn't being stored salted and hashed.
It's a good job their app can use biometrics because their website has just become pretty much unusable for me now.</RANT>
On 14/09/18 11:06, Mark Rogers wrote:
> Are there any password managers that can cope with the "pick characters 3, 5 and 11 from your password" security challenges?
> Santander has just moved to that, and if you have a secure unique password it's a pain.
Dunno, but if you find one, let us know! :-) I've used an app that lets you view your password once you've logged in (to the app), so if I can't remember which character is the 7th, you can see it and count.
> <RANT>Santander also require that the password is max 16 chars and alpha-numeric only. Because security, or something. The mere fact that they want me to pick certain characters from it already tells me that the password isn't being stored salted and hashed.
> It's a good job their app can use biometrics because their website has just become pretty much unusable for me now.</RANT>
Makes no sense from an internet banking POV, but from a telephone banking POV, it does. The Teletubbie in the call centre can't see your whole password, so they can't hack your account by pretending to be you; you however can still authenticate yourself.
You're right though, they must store your password in the clear, or in a decrypt-able form in order to be able to do that.
Steve
On 14 September 2018 at 15:13, steve-ALUG@hst.me.uk wrote:
> Dunno, but if you find one, let us know! :-) I've used an app that lets you view your password once you've logged in (to the app), so if I can't remember which character is the 7th, you can see it and count.
I currently use LastPass, largely because it does a good job of synchronising across devices. It'll let me view my password (upon entering my master password) but counting through the letters manually is error-prone when you have a long gibberish password. (And I certainly won't be remembering my passwords!)
> Makes no sense from an internet banking POV, but from a telephone banking POV, it does.
Agreed but there's no reason for the two to be the same. A leak of password data that was only useful to people ringing the call centres would be a lot harder to exploit than passwords that can be used online. It also means that someone somewhere at Santander can view my password in clear text if they choose to, albeit that it's probably not someone in a call centre.
Mark
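The two practical points raised in this thread, answering a "characters 3, 5 and 11" challenge without counting by hand, and why a bank that issues such challenges cannot verify them against a salted hash, are illustrated below in an added Python example. It is not code from the thread, from LastPass, or from Santander; the password, salt and challenge wording are constructed sample values, and the two server-side verifiers are a simplified model of the storage trade-off, not any bank's actual implementation.

```python
"""Added example (not from the thread): answering a positional password
challenge from a password-manager entry, and contrasting the two server-side
storage schemes that the thread discusses.

All passwords, salts, positions and challenge wording below are constructed.
"""
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple


def parse_challenge(text: str) -> List[int]:
    """Pull the requested positions out of challenge wording such as
    'pick characters 3, 5 and 11 from your password'."""
    return [int(n) for n in re.findall(r"\d+", text)]


def pick_characters(password: str, positions: List[int]) -> str:
    """Return the characters at the given 1-based positions (banks count from 1).

    Raises ValueError if any position falls outside the password, so a typo in
    the challenge surfaces as an error rather than a silent wrong answer.
    """
    if any(p < 1 or p > len(password) for p in positions):
        raise ValueError(f"positions must be between 1 and {len(password)}")
    return "".join(password[p - 1] for p in positions)


# --- Scheme A: full-password login verified against a salted hash ----------

def make_salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only the salt and a PBKDF2 digest; the password itself is never kept."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_full_password(attempt: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest from the attempt and compare in constant time."""
    _, candidate = make_salted_hash(attempt, salt)
    return hmac.compare_digest(candidate, digest)


# --- Scheme B: positional challenge -----------------------------------------

def verify_positional_answer(stored_password: str, positions: List[int], answer: str) -> bool:
    """A positional check can only be made against the recoverable password:
    the server must hold it in clear or under reversible encryption. A salted
    hash of the whole password gives no way to check three characters of it,
    which is the point made in the thread."""
    expected = pick_characters(stored_password, positions)
    return hmac.compare_digest(expected.encode(), answer.encode())


if __name__ == "__main__":
    # Constructed 16-character alphanumeric sample, matching the stated limits.
    pw = "Xk7mQ2pL9vT4bN8r"
    challenge = "pick characters 3, 5 and 11 from your password"
    positions = parse_challenge(challenge)
    print(positions, pick_characters(pw, positions))

    salt, digest = make_salted_hash(pw)
    print("full-password check:", verify_full_password(pw, salt, digest))
    print("positional check:", verify_positional_answer(pw, positions, "7QT"))
```

The `pick_characters` helper is the part a password manager would need to expose to "cope" with these challenges; the two verifiers are there to make the storage consequence concrete, since scheme B has to keep the whole password recoverable while scheme A never does.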