Menu
Expat.com

More Stupdity From Hungarian Banks

Post new topic

GuestPoster279

I tried to log into my OTP account today with my browser.

The bank has changed their web site and login.

And now the site limits passwords to a maximum of 8 characters. My password is longer. Could not login.

I have worked in IT for many years. And I know about security. There is no need for such a change. Limiting a password length is beyond stupid. Passwords should be stored hashed to a fixed length depending on the hash, so there is no need to limit the raw password length. Especially since just two extra characters beyond 8 can greatly improve security, The bank now even allows passwords as short as 6 characters, which with current computer power is potentially insecure for account access.

This is ridiculous and shows a complete lack of understanding of password security.

Either this change may indicate the bank is storing passwords in plain text, or else they hired incompetent programmers. Either reason is disturbing. So I can not trust this bank's security.

Thus, I will be closing my OTP account.

Recommend others do the same if they use web based account access.

atomheart

Are you saying that at OTP all you need to log in is username+password, no 2fa, or token device? Wow, that's stone age...

fluffy2560

klsallee wrote:

I tried to log into my OTP account today with my browser.

The bank has changed their web site and login.

And now the site limits passwords to a maximum of 8 characters. My password is longer. Could not login.

I have worked in IT for many years. And I know about security. There is no need for such a change. Limiting a password length is beyond stupid. Passwords should be stored hashed to a fixed length depending on the hash, so there is no need to limit the raw password length. .....


That's completely dumb.  2FA is easily the way to go and well developed as a technology. No need for tokens as everyone has a smart phone these days.

But look at that guy Bill Burr who I believe was responsible back in 2003 for promoting using numbers instead of letters - e.g. replacing the E with a 3, A with a 4 etc.   If your password was say, "aardvarkelephantsnake", your password would be 44rdv4rk313ph4ntsn4k3".  That's easily breakable nowadays with brute force.

I was "laughing" at the Iphone X face unlock being broken by twins recently.  I wonder if it works for doppelgangers.

GuestPoster279

All banks have multiple ways to login.

But I said I was logging in with my browser today on my PC. Which I often prefer to do if I have a lot to do, as I do not personally like banking on a small screen. And that uses a three ID system including password as one method of login.

But that was not really my point. Was it.

The point I was making was that the new default password system is a step backwards in security. Which leans toward me wondering about the security knowledge, or lack there of, of the current bank IT managers and developers in general. That is, if you are going to offer password login, don't make it worse that it was before. And if one does, that, to me, it is a potential insight into a maybe bigger inherent security problem.

GuestPoster279

fluffy2560 wrote:

[ If your password was say, "aardvarkelephantsnake", your password would be 44rdv4rk313ph4ntsn4k3".  That's easily breakable nowadays with brute force.


Actually, not necessarily.

There are combination methods, brute force, markov chain, rainbow tables, etc that can crack passwords, but brute force alone is not the ideal method to crack such a long password. A password that long almost always will require a combination of methods to crack. Even so, it is still not that easy. Possible, yes. Easy, no.

Also, while a computer can process billions of brute force attempt per second, to crack a password, most web sites by design slow down the password check process so that it is not practical to crack a password through a web site via brute force. One must have the hashed password on the same computer doing the cracking. Which is why hackers spend time not trying to crack into systems by brute force so much as using back doors, security holes, social conditioning, and other methods to steal the password hash lists. And it is on the hash lists that the most effective combination cracks can be applied.

Ergo, and if a company's IT personnel do not understand the basics of simple password security, I do not put much faith in the company having an overall secure network.

IMHO.

atomheart

klsallee wrote:

But that was not really my point. Was it.


Just trying to get you to rethink this big issue of yours. Does the bank's login interface allows brute-forcing? (I.e. they don't lock your account after 3 failed attempts) Don't they require anything else than the password to sign in and initiate transactions? Then your anger is warranted.

If not, you can still go ahead and waste your time closing one bank account and opening another one.  :top:

fluffy2560

klsallee wrote:
fluffy2560 wrote:

[ If your password was say, "aardvarkelephantsnake", your password would be 44rdv4rk313ph4ntsn4k3".  That's easily breakable nowadays with brute force.


Actually, not necessarily.

There are combination methods, brute force, markov chain, rainbow tables, etc that can crack passwords, but brute force alone is not the ideal method to crack such a long password. A password that long almost always will require a combination of methods to crack. Even so, it is still not that easy. Possible, yes. Easy, no...


I was trying to keep it to a reasonable example because that's the kind of substitution algorithm that people use because it's easy to remember and apply.   

If was me at the bank, I'd look for solutions based on the concept of the 3As - authorisation, authentication and accounting.   Per transaction would then be 3FA:  something you have (usually a smart phone - unique to  end user), something you know (password or keyword) and something you are (fingerprint for example).   Last bit is a pain but not impossible.

My primary concern these days are types of social engineering attacks that don't even involve machines but manipulating people.  Moreover, I am even  more concerned by systematic internal fraud by colluding workers.  But to state the obvious, human beings have and always will be the weakest point in even the most well engineered systems.   

Incidentally, I was surprised to hear today that Uber's CEO paid off hackers.  Amazing.

GuestPoster279

fluffy2560 wrote:

My primary concern these days are types of social engineering attacks that don't even involve machines but manipulating people.  Moreover, I am even  more concerned by systematic internal fraud by colluding workers.  But to state the obvious, human beings have and always will be the weakest point in even the most well engineered systems.


Absolutely.

Because once the human element lets a hacker in, they grab the password hash table, if the passwords are so stored. And if those are stored in something like MD5 ( :o yes, I know some databases that still use that and they need to be updated) then most 6 to 8 character passwords can be cracked in milliseconds. Even worse, if you remember the Linkedin hack. Turned out their database did not even bother to hash the passwords, but kept them in plain text (an unheard of security lapse).

And the other human element : A lot of people still use passwords, and they use the same passwords across multiple sites. No, not smart, but again, human nature. So businesses normally have to consider this. And a proper business is aware if they are a weak link, they can affect other businesses, or vice-versa, so usually try to not be the weak link.

Which is my thesis. And why one should not limit password length to 8 characters if they use passwords at all (and yes there are much, much better methods of security than passwords). Best practices should be upheld, especially for older technology. Not doing so is potentially problematic and may give a view into other potential problems with security protocols (i.e. see Linkedin reference above). In other words, *if* one is going to put a steam train on the main line, one needs to pressure check the boiler and keep everything oiled properly, and not treat is like a more maintenance free modern electric engine. Because old technology can work fine in those places where it is appropriate, but if it fails, it really blows up big time and can cause a lot collateral damage.

fluffy2560

klsallee wrote:

.....
Because once the human element lets a hacker in, they grab the password hash table, if the passwords are so stored. And if those are stored in something like MD5 ( :o yes, I know some databases that still use that and they need to be updated) then most 6 to 8 character passwords can be cracked in milliseconds. And the other human element : A lot of people still use passwords, and they use the same passwords across multiple sites. No, not smart, but again, human nature. So businesses normally have to consider this. And a proper business is aware if they are weak link, they can affect other businesses, or vice-versa, so usually try to not be the weak link.

Which is my thesis. And why one should not limit password length to 8 characters if they use passwords at all (and yes there are much, much better methods of security than passwords). Best practices should be upheld, especially for older technology. Not doing so is potentially problematic and may give a view into other potential problems with security protocols. In other words, *if* one is going to put a steam train on the main line, one needs to pressure check the boiler and keep everything oiled properly, and not treat is like a more maintenance free modern electric engine. Because old technology can work fine in those places where it is appropriate, but if it fails, it really blows up big time and can cause a lot collateral damage.


I'm also still seeing MD5 being utilised even though it was broken years ago.   The issue really is that people are still using legacy systems based upon ancient technology and no-one has the knowledge (or guts) to redo these applications.  There are sites where no-one knows how the machines work, never mind the software.  It also happens a lot that the original programmer has died and left no notes or instructions.    No discipline or governance.

Anyway, if I remember correctly even the DES standard used in ATMs has now been broken.  DES itself might be broken but in ATMs, they apply it 3 times (3DES) in hardware.  The latest standard guidelines is PCC DSS.  The bank should know all this anyway. 

8 characters is just rubbish.  Windows allows passwords up to 127 characters I believe.  It could be you can have a longer password at the bank, but they'll only use the first 8.   I reckon the best length is about 10 (since most us non-mutants have ten fingers) so it's easier to quickly do challenge-response system using your fingers (i.e. enter the 4th and 8th characters of your password).

oh, btw, when I started out using UNIX a zillion years ago, I worked on a few variants where the passwords were in plain text in /etc/password.   The only way to stop people reading them was to use permissions.

GuestPoster279

atomheart wrote:

If not, you can still go ahead and waste your time closing one bank account and opening another one.


It took 45 minutes to close the account at OTP, with the lethargic teller chit-chating with her co-workers the entire time. I honestly thought I was caught in Zootopia.

Then it took less than 10 minutes to open a new account at Raiffeisen. Where the bank assistant was very professional.

For that reason alone, I am glad I switched. OTP has always been a drain on my time.

Marilyn Tassy

Sounds like the same reasons we quit OTP and went with Raiffesien.
So far, so good. We have a forint and dollar count with them.
However, we keep our bank balances very low here, just enough to get by. For some reason we still trust our US bank more even if it is only being able to access them on line or by phone.

fluffy2560

Raiffeisen is an interesting bank.  It's actually a cooperative.  The branches own the centre rather than other way around.   There were some doubts about them previously as they were overstretched in Eastern Europe.

No-one should worry too much about European bank failures - EU rules say they must guarantee your deposits up to 100K EUR (each person if a joint account).  That's probably higher than the US system.  If you have more than that, the scheme is per bank, so the answer is just open multiple accounts - one at each of other banks.

Articles to help you in your expat project in Hungary

  • Banking and Finance in Hungary
    Banking and Finance in Hungary

    Opening a bank account in Hungary is an easy and fast process. Because of the large amount of expats living in the ...

  • Customs in Hungary
    Customs in Hungary

    As a member of the EU/EFTA, Hungary supports the free movement of goods within the EU/EFTA area. There are no ...

  • Buying property in Budapest
    Buying property in Budapest

    Buying a house or a flat can be a good option if you are planning to long term stay in Budapest. However, it is ...

  • Driving in Hungary
    Driving in Hungary

    Hungary has an extensive road network, big parts of which have been recently updated to facilitate traffic. The ...

  • Sports in Budapest
    Sports in Budapest

    Sports is a great way not only to stay fit but also to keep yourself busy during your stay in Budapest. Whether ...

  • Childcare in Hungary
    Childcare in Hungary

    As Hungary is an EU member, it adheres to the EU premise that all citizens should be entitled to equal childcare ...

  • The work culture in Budapest
    The work culture in Budapest

    Congratulations! You have been hired by a company for a job in Budapest. Depending on the position you will ...

  • The taxation system in Hungary
    The taxation system in Hungary

    If youre living in Hungary, you are subject to paying taxes in the country for all the income you may have earned ...

All of Hungary's guide articles