Forum Discussion
Better nth-character and mth-character handling. It's bad having to show the password in big text.
@Chippy_boy Well, my primary bank (and that's also the bank I work for with an IT outsourcer) asks for a 3-digit branch id, a 9-digit account number, and a 6-character alphanumeric pin for online banking login. The pin cannot have more than 6 characters. Branch id and account number are not secret. This means my private, important account is actually protected by a 6-character alphanumeric password. That's not really security.
The bank also offers a reasonably state-of-the-art secure login with a userid and a long, complex password. That would be the solution; however, it's not possible to disable the branch+account+pin login after creating a userid login, so it stays insecure!
I contacted their online banking support and asked for state-of-the-art pin lengths and character sets, and for the possibility to disable the insecure pin login. It was declined, and they said there were some kind of internal measures and checks that will always keep my login secure, despite the short pin.
Actually, this bank has had a very strict internal security policy for the intranet accounts of its employees for more than 20 years. Personal accounts, state-of-the-art password complexity rules, password length enforcement, and mandatory change every 60 or 90 days. Nothing to complain about.
About Yubikey: this is an additional thing to implement server-side and to give customer support for. Since the existing password-only implementation works and is declared secure by corporate and legal auditors, there is no need for the bank to implement anything more. If the law mandated it, yes, but since it doesn't, no. Implementation+support costs money with no visible return, so it's not done. Refunds due to inferior security are probably less than the costs of a better implementation. Banks don't advertise with "we have the best login security". They advertise with their banking products instead.
I stopped thinking about these issues.
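The trade-off argued over in the post above (a short PIN that the bank says is protected by "internal measures", versus a long complex password) can be put in numbers. The following is an added example and is not code from the original thread or from any bank. Every policy figure in it is an assumption for illustration: a 36-symbol case-insensitive alphabet for the 6-character pin, a 12-character password drawn from 94 printable ASCII characters, a lockout of 5 attempts per 15 minutes as the unstated "internal measure", and 10^9 guesses per second for an attacker who has obtained the hashed credentials offline. It shows why a lockout can make online guessing of a 31-bit pin impractical while leaving the same pin almost worthless if the credential store leaks.

```python
import math

# Constructed policy parameters (assumptions, not taken from the post or any bank).
PIN_POLICY = {"alphabet_size": 36, "length": 6}         # a-z and 0-9, case-insensitive
PASSWORD_POLICY = {"alphabet_size": 94, "length": 12}   # printable ASCII, 12 characters
LOCKOUT_ATTEMPTS = 5            # guesses allowed before the account locks
LOCKOUT_SECONDS = 15 * 60       # how long the lock lasts
OFFLINE_GUESSES_PER_SECOND = 1e9  # hashed-credential cracking rate, assumed

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct fixed-length secrets the policy allows."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniformly random secret of this shape, in bits."""
    return length * math.log2(alphabet_size)


def sustained_guess_rate(attempts_before_lockout: int, lockout_seconds: int) -> float:
    """Average guesses per second an online attacker gets through a lockout policy."""
    return attempts_before_lockout / lockout_seconds


def expected_seconds_to_guess(alphabet_size: int, length: int,
                              guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: on average half the keyspace."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


def assess(policy: dict) -> dict:
    """Compare the online (rate-limited) and offline (leaked hashes) attack paths
    for one policy, so the two risks can be read side by side."""
    online_rate = sustained_guess_rate(LOCKOUT_ATTEMPTS, LOCKOUT_SECONDS)
    online = expected_seconds_to_guess(policy["alphabet_size"], policy["length"], online_rate)
    offline = expected_seconds_to_guess(policy["alphabet_size"], policy["length"],
                                        OFFLINE_GUESSES_PER_SECOND)
    return {
        "bits": round(entropy_bits(policy["alphabet_size"], policy["length"]), 1),
        "online_years": online / SECONDS_PER_YEAR,
        "offline_seconds": offline,
        # A 100-year expected online guess time is an arbitrary, assumed comfort margin.
        "online_ok": online / SECONDS_PER_YEAR > 100,
        # Treat the offline path as acceptable only if it also exceeds 100 years.
        "offline_ok": offline / SECONDS_PER_YEAR > 100,
    }


if __name__ == "__main__":
    for name, policy in (("6-char alphanumeric pin", PIN_POLICY),
                         ("12-char complex password", PASSWORD_POLICY)):
        r = assess(policy)
        print(f"{name}: {r['bits']} bits; online ~{r['online_years']:.0f} years "
              f"(ok={r['online_ok']}); offline ~{r['offline_seconds']:.3g} s "
              f"(ok={r['offline_ok']})")
```

The point the numbers make is the one both sides of the thread are half-right about: with a lockout in front of it, even a 31-bit pin takes thousands of expected years to guess online, so "internal measures" can genuinely cover that path; but the same pin falls in about a second to an offline attack on a leaked credential store, which only a longer secret (or a second factor) addresses.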