Why does Wells Fargo use broken passwords?
Posted 2008-09-19.
Wells Fargo wants to make it easy for you to do your banking online. They don’t want you to deal with little inconveniences like having to enter your password correctly. I’m sure that sometime in the past, you’ve been told it’s good to have both uppercase and lowercase letters in your password. I heard a rumor that Wells Fargo ignores this, tested it, and confirmed that Wells Fargo will accept a password with any combination of upper and lowercase letters. That is, if you enter “tHis Is mY paSsWoRd” as your password, they will accept “this is my password”.
Wells Fargo’s current password policy is “Your password must be 6 to 14 characters and contain at least one letter and one number.” I have to ask, why no more than 14? Hard drives are pretty cheap these days, I’m sure you could handle storing as many characters as someone reasonably wanted to store. There is no excuse for bad password security these days. Here’s how to do good password security:
- No maximum length (or so high it isn't needed)
- No disallowed characters; if I want spaces, let me have spaces.
- If you want to have "fuzzy" passwords like smashing case or ignoring spaces, make these optional, or at least inform the user at the time of setting the password.
- If you want to require a certain strength, make the calculations holistic -- if I have a 35 character password, it's secure even without a special character.
- If your programmer tells you that any of the above are impossible, fire him and find someone competent.
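As an added illustration (not code from the original post), here is the quoted Wells Fargo rule next to the holistic check the list asks for, in Python; the keyspace estimate, the 60-bit threshold and the fold_case switch modelling the case-smashing behaviour are my own assumptions.

```python
import math
import string

# Character classes a password can draw on (assumed model, not the bank's).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "other": set(string.punctuation + " "),
}


def keyspace_bits(password: str, fold_case: bool = False) -> float:
    """Estimate strength as log2(alphabet ** length), where the alphabet is
    the union of the classes the password actually uses.

    fold_case=True models a site that accepts any mix of upper and lower
    case: the two letter classes collapse into one, so the upper class
    contributes nothing and the estimate drops accordingly."""
    if fold_case:
        password = password.lower()
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def rule_based_ok(password: str) -> bool:
    """The policy quoted in the post: 6 to 14 characters, at least one
    letter and one number.  A 35-character passphrase fails it."""
    return (6 <= len(password) <= 14
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def holistic_ok(password: str, min_bits: float = 60.0,
                fold_case: bool = False) -> bool:
    """The holistic rule from the list: no maximum length, no required
    classes, accept anything whose estimated keyspace meets the threshold.
    Passing fold_case=True scores the password as the case-folding site
    will really store it, which is what the user should be told about."""
    return keyspace_bits(password, fold_case) >= min_bits


if __name__ == "__main__":
    for pw in ("abc123", "tHis Is mY paSsWoRd",
               "my dog ate the blue couch on tuesday"):
        print(f"{pw!r}: rule={rule_based_ok(pw)} holistic={holistic_ok(pw)} "
              f"bits={keyspace_bits(pw):.1f} folded={keyspace_bits(pw, True):.1f}")
```

The short rule-compliant password scores far below the long lowercase passphrase that the quoted policy rejects, and folding case knocks a fixed fraction off any password that mixed it.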
If anyone knows of a bank that does online security properly, won’t send me junk mail, and won’t throw up an offer to get online statements before letting me get to my account when I already get only online statements, please let me know what bank that is.
Edit: Christopher makes a good point about telephone access being a possible driver for this in his comment. He also mentions the "security questions" problem that Bruce Schneier recently covered.