Context is that I had to register for a lot of accounts recently and some of the rules really make no sense.
Not name-and-shaming, but the best one I’ve seen recently is I might have accidentally performed an XSS attack on a career portal using a 40-digit randomly generated password…
Extremely limited password length. I think it was around 6 or 8 characters. Exactly! So every password was the same length.
No other requirements. The best part? It was a bank. But not a customer facing service.
My bank had a limit of six characters, for the customer facing login. Oops.
Westpac?
Yes 🤭
Haha knew it. Redic parameters
Not sure but I think Schwab did it too.
Banks are amazingly bad at digital security. I once was in a bank (where my wife had an account) where they used first generation wireless keyboards. The ones that did not encrypt anything and could be received to a distance of up to 10m, more if you had a better antenna. I told them about the security issues, but they did not understand. I went to the newspaper agent and bought the newest edition of a computer magazine that had detailed descriptions of how to eavesdrop on those keyboards, returned to the bank, and handed them the article. Which featured exactly their keyboard model as the title photo. I told them “If you don’t understand this, it’s fine, but then give it to the person responsible for your IT and security, they should know how to deal with this.”
Next time we were there, they still had the insecure keyboards. Yes, the IT department had told them that they should replace them with wired ones, but they rejected it, because the wireless ones were sooo convenient. Our next move was to close my wifes’ account there.