Security Basics
Re: Bank Of Montreal Online Security Oct 29 2012 04:26PM
hankveins gmail com (1 replies)
Re: Bank Of Montreal Online Security Oct 30 2012 02:50PM
Davin Enigl (davinenigl comcast net)
" . . .Bank Of Montreal online security is shockingly lax. First of all
regardless of your password length, it only cares about the first six
characters. Even more insane is it doesn't matter what case of the
letters are, it will allow you access all the same."

This is "old news".

1. This is not a secret. All (yes all) banks using old UNIX systems do
this. It's the normal limitation of those UNIX systems. Although I
admit most use 8 characters, which is better than 6. There is also
usually a three-password error lock out to discourage guessing -- a
saving grace. But yes, there is no case-sensitivity and passwords are
truncated to 6-9 characters. Example: Wells Fargo also does the same
thing the last I checked.

2. I'm surprised people on this list do not know this.

3. Bank password procedures *should* not be a secret. They should be
published by the bank. This also applies to every on-line system that
uses passwords.

4. Fix the system if you think it needs fixing.

5. Hiding flaws ensures it will *not* be fixed any time soon. I am glad
someone is disclosing this, but experienced security people already know
this.

6. Delay in fixing flaws virtually ensures that hackers will find it
first. Look at the U.S. government: 70+ agencies have had data loss. How much
was encrypted? 0%.

7. How about hashing passwords with a user-specific salt and then again
with a corporate-server salt? How many do this? It's supposed to be Best
Practice, yet . . . Example: IEEE didn't (did you see their breach) -- yet
they CLAIMED they were observing best practice -- Wrong!

--Davin Enigl

On 10/29/2012 09:26 AM, hankveins (at) gmail (dot) com [email concealed] wrote:
> I take it that your money is not invested with the bank. Perhaps you might have thought about publishing this in an open forum if it was?
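
The two schemes contrasted in the reply above, as an added example that is not part of the thread: a model of the legacy "first six characters, case-folded" behaviour next to a per-user salt plus server-held secret ("corporate-server salt", usually called a pepper) scheme. The pepper value, the PBKDF2/HMAC construction and the iteration count are this example's assumptions, not anything the thread or any bank describes.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# Constructed placeholder for the server-held secret (assumption). In a real
# deployment it is kept outside the password database, e.g. in an HSM or KMS,
# so a dump of the user table alone is not enough to start cracking.
SERVER_PEPPER = b"constructed-example-pepper-not-a-real-secret"
PBKDF2_ITERATIONS = 600_000  # assumption; tune to your hardware budget


def legacy_normalize(password: str, keep: int = 6) -> str:
    """Model of the behaviour quoted in the thread: only the first `keep`
    characters are compared, and letter case is ignored."""
    return password[:keep].lower()


def legacy_keyspace_bits(keep: int = 6, alphabet_size: int = 36) -> float:
    """Upper bound on the effective entropy of a legacy password: `keep`
    case-folded characters drawn from letters plus digits (36 symbols)."""
    return keep * math.log2(alphabet_size)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt, slow KDF over the *full* password, then a second
    keyed pass with the server pepper. Returns (salt, tag); only these are
    stored, never the pepper."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    tag = hmac.new(SERVER_PEPPER, dk, hashlib.sha256).digest()
    return salt, tag


def verify_password(password: str, salt: bytes, stored_tag: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, tag = hash_password(password, salt)
    return hmac.compare_digest(tag, stored_tag)


if __name__ == "__main__":
    # Under the legacy rule two very different passwords collapse to one key.
    print(legacy_normalize("CorrectHorseBattery") == legacy_normalize("correcthorsebatterystaple"))
    print(f"legacy keyspace ~ {legacy_keyspace_bits():.1f} bits")
    s, t = hash_password("Tr0ub4dor&3")
    print(verify_password("Tr0ub4dor&3", s, t), verify_password("tr0ub4dor&3", s, t))
```

With the salted scheme, case and length both matter and two users sharing a password get unrelated stored values, so a leaked table cannot be attacked with one precomputed list.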


Copyright 2010, SecurityFocus