this post was submitted on 18 Aug 2024
846 points (99.0% liked)

Cybersecurity - Memes

1959 readers
1 users here now

Only the hottest memes in Cybersecurity

founded 1 year ago
MODERATORS
846
submitted 2 months ago* (last edited 2 months ago) by [email protected] to c/[email protected]
 

Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth yould you impose such strict limits? Never heard of correct horse battery staple?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 2 months ago (1 children)

Crazy that there are still banks that use a username and password for login.

[–] [email protected] 1 points 2 months ago (1 children)

What else should it be, aside from additional 2FA?

[–] [email protected] 1 points 2 months ago* (last edited 2 months ago)

In my country all banks just use, instead of a username, the IBAN plus bank card serial number and they give their clients a hardware token that generates one time passwords. The client inserts their bank card into the hardware token then enter their PIN and gets the OTP to login. And when the client wants to make a transfer the bank generates a code that the client has to enter into the hardware token after entering their PIN to generate an OTP which the client uses to confirm the transfer. And if the client has the bank app installed on their phone the bank website generates a QR code which the client can scan with the app and then the client can login with their biometrics. Of course the client has to activate the app with the hardware token first.

This isn’t that much different from a username, password plus 2FA. But this way it takes out the weakness that is the client. This prevents the client from using an easy password or use a username and password that they use everywhere else. Old people don’t write down their password anywhere since there is no password. But they know their PIN by heart since they use it all their life. And it doesn’t rely on apps or SMS for 2FA. So people without a smartphone or even a mobile phone can still use it. Keyloggers are useless since the PIN is entered on the hardware token. Sure a sophisticated con is still possible but thefts like these https://appleinsider.com/articles/23/12/20/how-a-brazen-passcode-thief-used-stolen-iphones-to-rob-2-million where the thieves can drain a bank account if they just steal the phone and phone’s passcode and reset the 2FA are impossible.

The biggest weakness is ofcourse that if someone knows your PIN and obtains your bank card they can enter your bank account online. So the same security measure still applies with this that you should open a savings account at a different bank than your checking account.