Wells Fargo wants to make it easy for you to do your banking online. They don't want you to deal with little inconveniences like having to enter your password correctly. I'm sure that sometime in the past, you've been told it's good to have both uppercase and lowercase letters in your password. I heard a rumor that Wells Fargo ignores this, tested it, and have confirmed that Wells Fargo will accept a password with any combination of upper and lowercase letters. That is, if you enter "tHis Is mY paSsWoRd" as your password, they will accept "this is my password".
Wells Fargo's current password policy is "Your password must be 6 to 14 characters and contain at least one letter and one number." I have to ask, why no more than 14? Hard drives are pretty cheap these days, I'm sure you could handle storing as many characters as someone reasonably wanted to store. There is no excuse for bad password security these days. Here's how to do good password security:
- No maximum length (or so high it isn't needed)
- No disallowed characters; if I want spaces, let me have spaces.
- If you want to have "fuzzy" passwords like smashing case or ignoring spaces, make these optional, or at least inform the user at the time of setting the password.
- If you want to require a certain strength, make the calculations holistic -- if I have a 35-character password, it's secure even without a special character.
- If your programmer tells you that any of the above are impossible, fire him and find someone competent.
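
As an added example (not code from this post or from any bank), here is one way a policy along the lines of the list above could look: any characters allowed, exact-case comparison, and a strength check based on length and character pool rather than required character classes. The function names, the 60-bit threshold, the 4096-character cap and the PBKDF2 work factor are assumptions, and the bit estimate is a crude upper bound, not a measure of real-world guessability.

```python
import hashlib
import hmac
import math
import os
import string

MIN_BITS = 60          # assumed strength threshold for this example
MAX_LEN = 4096         # assumed cap, "so high it isn't needed"
ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor


def estimate_bits(password):
    """Crude upper bound: length * log2(size of the character pool in use)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        pool += 33  # printable ASCII symbols, space included
    return len(password) * math.log2(pool) if pool else 0.0


def acceptable(password):
    """Holistic rule: any characters allowed; only total strength matters."""
    return len(password) <= MAX_LEN and estimate_bits(password) >= MIN_BITS


def hash_password(password, salt=None):
    """Return (salt, digest). The digest is 32 bytes however long the password is."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Exact comparison: no case folding, no stripping of spaces."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("abc123", "this is my password", "x" * 35):
        print(f"{pw!r}: {estimate_bits(pw):.0f} bits, acceptable={acceptable(pw)}")
    salt, digest = hash_password("this is my password")
    print(verify_password("tHis Is mY paSsWoRd", salt, digest))
```

Because only a fixed-size salt and digest are stored, the length of the password has no effect on storage.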
If anyone knows of a bank that does online security properly, won't send me junk mail, and won't throw up an offer to get online statements before letting me get to my account when I already get only online statements, please let me know what bank that is.
Edit: Christopher makes a good point about telephone access being a possible driver for this in his comment. He also mentions the "security questions" problem that Bruce Schneier recently covered.

They were discussing this on Security Now (again) this week.
A listener did a little research, and found that Chase, Citibank, Vanguard, and others also have case-insensitive passwords.
It turns out the reason for this is telephone banking, where it's problematically inconvenient for many legitimate users to input more than 6 case-insensitive characters.
It turns out that Wells Fargo gives a user only 3 tries at inputting the password before it locks him out, making a brute force attack impractical, even with a 6-character (30-bit) password.
When "locked out", the system requires more info (IIRC an account number, security question) to proceed and reset the password.
They didn't discuss it, but I've noted that on some of my accounts the "security questions" are often the weakest point, being information known to many family members, or easily researched. I've taken to giving incorrect answers to all security questions, instead using what amounts to another password with strength similar to the first password, even though this defeats the purpose of having security questions.