If I'm asked for four characters from a password I probably have around a 1 in 64^4 chance of guessing it correctly, as opposed to a 1 in 64^18 chance of guessing the actual password. Now if I'm trying to access bank accounts (and remember I'm not necessarily interested in accessing your specific account, but just gaining access to some), having a 1 in 64^4 chance of success from randomly guessing a password is a lot better than 1 in 64^19 (remember I don't know how long the password on an account is). At worst, if I am after a specific account, the "give me four characters from the password" approach basically boils it down into a Wordle-like puzzle, less if I can capture or force multiple logins… (If you're wondering why I chose 64 as an estimate, it's because there are 26 letters, both upper and lower case, 10 digits and an assortment of valid symbols.)

A few months ago, my bank changed the first part of their two-factor authentication from asking for four characters from my passcode string to asking for the whole string. When it first happened I refused, printed out the page, and went to the bank to warn them of what was obviously a scam. "Oh, no it's not, we've changed it to ask for all 18 characters to make it more secure for smartphone users with password managers."
I'm not sure how having all 18 characters of my passphrase passing through my keyboard buffer, web browser, and internet connection is any more secure than four of those 18 characters which won't be asked for again for a long time. All 18 characters are guaranteed to be asked for the very next time there is an attempt to log in.
The banks are basing their decisions on an analysis of the specific threat model to their service, and the network transport is not part of that. TLS 1.3, which all banks will use by now, is going to keep the data secure in transit. There's no security benefit from not transmitting the full password over the network anymore, so we can effectively ignore that.
Instead, a far bigger source of problems will be simply that the account credentials are compromised, either by obtaining the username or password, or by obtaining the session cookie out of the browser itself and using it elsewhere.
Passwords can be obtained in a variety of ways -- keyloggers, shoulder surfing or just from the fact that people reuse the same password on multiple accounts (which is why stolen password lists are so valuable -- it's quite likely that there is at least one user whose stardot username and password is the same as their bank login details). One way to mitigate stolen passwords is to use long, random passwords on each site, so the compromise of one site does not affect others.
Of course, humans don't like remembering long random sequences which is why password managers are so useful and important. Not only can they generate and store long unique passwords, they can also present them directly without them being typed in (killing off the threat of keyloggers) or going via the clipboard (killing off malware from copying it from there) and will often guard access to them behind biometrics (face or touch -- often being able to tell if the presenting individual is alive) which leaves the threat down at whether the session cookies can be extracted, transmitted and reused before they expire.
Which, as sweh explained earlier, is why banks prefer mobile apps over the web (apart from the obvious UI benefits!).
It turns out that a lot of the password advice (pick something you can remember, and don't write it down) that made sense when passwords were being used to control access to machines and resources in a controlled environment (school, military base, office etc.) doesn't apply when being used to protect always-on, networked resources like banks on the internet (in fact the exact opposite is almost the case).
Steve
Statistics: Posted by SteveBagley — Tue Mar 05, 2024 11:04 am
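The numbers in the thread above can be checked with a short model. The script below is an added illustration, not code from the post or from any bank: it compares the blind-guess odds for 4 checked characters against the full 18, then plays the "capture multiple logins" attack against the old scheme (the server reveals 4 random positions of an 18-character string per login; an observer who sees every login collects them) and reports how many logins it takes to recover the whole string, both by simulation and by an exact coupon-collector calculation. The 64-symbol alphabet is the post's own estimate; which two symbols round it out, and the assumption that the bank picked positions uniformly at random, are assumptions made here.

```python
"""Model of the 'four characters from an 18-character passcode' scheme.

Added illustration, not code from the original post. Alphabet size 64 is the
post's estimate; the two extra symbols and the uniform choice of positions
are assumptions made here.
"""
import random
import string
from fractions import Fraction
from math import comb
from statistics import mean

ALPHABET = string.ascii_letters + string.digits + "!_"   # 26 + 26 + 10 + 2 = 64
PASSWORD_LEN = 18      # passcode length from the post
CHARS_PER_LOGIN = 4    # characters the old scheme asked for per login


def guess_probability(length, alphabet_size=len(ALPHABET)):
    """Chance that one uniformly random guess of `length` symbols is correct."""
    return 1 / alphabet_size ** length


def guess_advantage(asked=CHARS_PER_LOGIN, full=PASSWORD_LEN):
    """How many times likelier a blind guess is when only `asked` symbols are checked."""
    return guess_probability(asked) / guess_probability(full)


def challenge(length, k, rng):
    """Server side of the partial scheme: k distinct positions, uniformly at random."""
    return sorted(rng.sample(range(length), k))


def observe_logins(length=PASSWORD_LEN, k=CHARS_PER_LOGIN, rng=None):
    """Attacker capturing every login (keylogger, phishing proxy). Returns the number
    of positions known after each login, stopping once the whole string is known."""
    if rng is None:
        rng = random.Random()
    known = set()
    history = []
    while len(known) < length:
        known.update(challenge(length, k, rng))
        history.append(len(known))
    return history


def residual_search_space(length, positions_known, alphabet_size=len(ALPHABET)):
    """Brute-force space left once `positions_known` characters have been captured."""
    return alphabet_size ** (length - positions_known)


def simulated_logins_to_recover(length=PASSWORD_LEN, k=CHARS_PER_LOGIN,
                                trials=5000, seed=1):
    """Monte Carlo estimate of the expected logins until full recovery."""
    rng = random.Random(seed)
    return mean(len(observe_logins(length, k, rng)) for _ in range(trials))


def exact_logins_to_recover(length=PASSWORD_LEN, k=CHARS_PER_LOGIN):
    """Expected logins until every position has been revealed: coupon collector
    with batches of k distinct coupons, by inclusion-exclusion.
        E[N] = sum_{j=1..length} (-1)^(j+1) * C(length, j) / (1 - q_j)
    where q_j = C(length-j, k) / C(length, k) is the chance that one login misses
    a fixed set of j positions (math.comb returns 0 when length-j < k)."""
    total = Fraction(0)
    for j in range(1, length + 1):
        q_j = Fraction(comb(length - j, k), comb(length, k))
        total += (-1) ** (j + 1) * comb(length, j) / (1 - q_j)
    return total


if __name__ == "__main__":
    print(f"blind guess, {CHARS_PER_LOGIN} chars checked: "
          f"1 in 64^{CHARS_PER_LOGIN} = {guess_probability(CHARS_PER_LOGIN):.3g}")
    print(f"blind guess, whole string:     "
          f"1 in 64^{PASSWORD_LEN} = {guess_probability(PASSWORD_LEN):.3g}")
    print(f"advantage of the partial check: {guess_advantage():.3g}x")
    for n, known in enumerate(observe_logins(rng=random.Random(7)), start=1):
        print(f"after login {n:2d}: {known:2d}/{PASSWORD_LEN} positions known, "
              f"{residual_search_space(PASSWORD_LEN, known):.3g} guesses left")
    print(f"expected logins to full recovery: "
          f"exact {float(exact_logins_to_recover()):.2f}, "
          f"simulated {simulated_logins_to_recover():.2f}")
```

The exact figure is what to quote when arguing about the old scheme: it is the average number of observed logins after which an attacker with a keylogger or a phishing proxy holds the entire 18-character string, with no guessing at all, and `residual_search_space` shows how the remaining brute-force effort collapses after each login before that point.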