Does anyone know of a UK bank that doesn't do this dumb thing where they ask you to enter certain characters of your password?
@stringlytyped HSBC asks for the full password and one-time code.
@mansr Oh, cool, thanks. How is their online banking in other respects?
@stringlytyped It lets you move money around and see your transaction history, just like every other bank I've used.
@mansr Fair enough. 😂
@stringlytyped pardonfuck? Mul… multiple banks do this?!
@darrenpmeyer Apparently it's sort of standard here? I guess as an attempt to prevent phishing?
@stringlytyped and I thought the US banks doing the "security image" thing (and calling it two-factor 🙄) was nuts…
@darrenpmeyer Oh, they're still doing the security image thing here. At least Bank of America and friends got rid of it eventually.
@stringlytyped U.K. Bank Ltd. “Yeah, we store your password using reversible encryption.”
@djmoch They also ask you for part of your password when you call in, which is just SO GREAT
@djmoch Yeah I remember that! People were super upset after their social media person got sassy and said asking for passwords over the phone is fine because they have amazing security. 🙄
@stringlytyped I've seen a software company make you set up a second, short password beyond the standard password and ask for 2 of the characters of that after entering your normal password but not the normal password itself.
@SandPaper This particular bank (Santander) has two codes: a password and a "security number". They ask for certain characters from both. Surely, they would devise a crazy system like this without good reason, right? RIGHT?!
(Also, fun fact: they use SMS OTP codes on their mobile app, but don't when you log in via a browser. It's all so well thought out.)
@stringlytyped I can't remember what it was exactly but I remember infosec Twitter having a field day with Santander UK. It was probably something tied to Troy Hunt and poor passwords but maybe not this specifically. If I ever get back on there I'll try to look it up.
@SandPaper I did a search. Troy Hunt shared an article about how they don't allow pasting from password managers "for security reasons". Although, I am not sure how it would be possible to use a password manager in that fashion anyway because of this business of asking for specific characters from the password, so ¯\_(ツ)_/¯
@glen226 Cool, thanks for the recommendation 🙂