Security Basics mailing list archives

RE: Bank Of Montreal Online Security


From: Dave Kleiman <dave () davekleiman com>
Date: Wed, 31 Oct 2012 09:26:30 -0500

Alexander,

     >>> Which password length is more secure - that is a question.<<<

If you used the above statement, just as you typed it, as your password (passphrase), would it not be both much stronger than 6 characters and very easy to remember?


Respectfully,

Dave Kleiman - http://www.ComputerForensicsLLC.com - http://www.computerforensicsexpertwitnesses.com

4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410
561.310.8801 


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Alexander A. Kelner
Sent: Monday, October 29, 2012 16:20
To: security-basics () securityfocus com
Subject: RE: Bank Of Montreal Online Security


From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of mrtolton () gmail com
Sent: Friday, October 26, 2012 2:08 PM
To: security-basics () securityfocus com
Subject: Bank Of Montreal Online Security

It's come to my attention that the Bank Of Montreal online security is 
shockingly lax. First of all, regardless of your password length, it 
only cares about the first six characters. Even more insane is that it 
doesn't matter what case the letters are; it will allow you access all the same.

On top of this, there's a bug in the iPhone app which will not allow 
you to unsave your card number.

It's a good thing they guarantee 100% of your money against fraudulent 
transfers, because it's only a matter of time.

Hello.

IMHO "shocking laxity" is not as obvious as it may appear at first approach.

Six chars give us about (26+10)^6 = 2 billion possible passwords.
If their server is smart enough to allow as low as 1 authentication attempt per second for the same account, then you 
will spend some hundreds of years trying to brute force it.

BUT! A short password can be easily memorized, whereas a long password must be recorded somewhere (sometimes in a very 
inappropriate place), and then may be stolen. Which password length is more secure - that is a question.
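Added example (not from any poster in this thread, and not the bank's code): a constructed model of the login behaviour the original post describes, used to put numbers on Alexander's keyspace argument and Dave's passphrase suggestion. It shows how truncation plus case folding makes distinct passwords collapse into one credential, and compares exhaustive-search time for the three policies at the one-guess-per-second rate Alexander assumes; the alphabet sizes (36, 62, 95) and the `stored_form` model are assumptions for illustration.

```python
import string

# Constructed model of the behaviour described in the thread: the server
# looks at only the first six characters and ignores letter case.
# Illustrative only; this is not the bank's actual code.
TRUNCATE_TO = 6
SECONDS_PER_YEAR = 365 * 24 * 3600


def stored_form(password: str, truncate_to: int = TRUNCATE_TO, fold_case: bool = True) -> str:
    """Return what a lossy server actually compares (truncate_to=0 means no truncation)."""
    p = password[:truncate_to] if truncate_to else password
    return p.lower() if fold_case else p


def same_credential(a: str, b: str, **policy) -> bool:
    """True when two distinct passwords are indistinguishable to the server."""
    return stored_form(a, **policy) == stored_form(b, **policy)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time to try every password at a fixed online guess rate against one account."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def compare_policies(passphrase: str, guesses_per_second: float = 1.0) -> dict:
    """Keyspace and exhaustive-search time for the three cases discussed in the thread."""
    lower_digits = len(string.ascii_lowercase + string.digits)                        # 36, case folded
    mixed_digits = len(string.ascii_letters + string.digits)                          # 62, case preserved
    printable = len(string.ascii_letters + string.digits + string.punctuation) + 1    # 95, incl. space
    cases = {
        "6 chars, case folded (as described)": keyspace(lower_digits, TRUNCATE_TO),
        "6 chars, case preserved": keyspace(mixed_digits, TRUNCATE_TO),
        f"{len(passphrase)}-char passphrase": keyspace(printable, len(passphrase)),
    }
    return {name: (space, years_to_exhaust(space, guesses_per_second)) for name, space in cases.items()}


if __name__ == "__main__":
    # Two different passwords the described server cannot tell apart.
    print(same_credential("Passw0rdExtra", "PASSW0!!!"))  # True
    sentence = "Which password length is more secure - that is a question."
    for name, (space, years) in compare_policies(sentence).items():
        print(f"{name}: {space:.3e} passwords, {years:.3g} years at 1 guess/s")
```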
