Solid password practice on Capital One's site? Don't bank on it

Capital One is facing criticism for using policies on its banking website that prevent the use of password managers. Joseph Carrigan, a Reg reader and senior security engineer at the Johns Hopkins University Information Security Institute in the US, says he was trying to reset the password for his Capital One bank account …

  1. GlenP Silver badge

    It seems to be common with banking but I had one the other week in an app where not only could you not cut and paste but you couldn't swap between the app and the password manager to check on the password as it would immediately wipe what you'd already entered. With any complexity to the password there's then little choice but to write it down.

    1. jmch Silver badge

      I understand that you shouldn't be able to Cut or Copy from a password field, but you certainly should be able to paste

      1. GnuTzu

        Yet, you'll want to be able to cut/copy from a password manager. Desktop software engineers will need to keep in mind that the clipboard now needs to be treated as a sensitive space, which I hope they were doing anyway.

        1. Anonymous Coward

          "Desktop software engineers will need to keep in mind that the clipboard now needs to be treated as a sensitive space"

          Indeed. KeePass (other, possibly better password managers are available) will over-write the clipboard if you copied a password after 6 seconds. It'll also emulate keyboard input, getting around the "no paste for you" issues ...

        2. Shadow Systems

          At GnuTzu, re: the clipboard.

          I don't remember the specific article here on ElReg that discussed it, but there was one about how you should disable the ability to Copy&Paste/Drag&Drop because script kiddies had figured out a way to use those vectors as a path to gaining access to your machine.

          In IE it's under Options>Security>Miscellaneous>C&P/D&D. I'm not sure about Firefox, Chrome, Safari, Edge, or any other browser, but should be somewhere similar (Security options).

          I had already turned off those capabilities in my browser & so the "Proof Of Concept" site (to test if you were vulnerable) wasn't able to do much, but it was a great eye opener for others.

          HTH & enjoy a pint, it'll help drown your desire to recode the web in LOGO. =-Jp

    2. vtcodger Silver badge

      "With any complexity to the password there's then little choice but to write it down."

      Actually, there is another choice. And it's one you might want to seriously consider. Don't do financial stuff on the Internet. No internet accessible accounts, no need to worry about passwords.

      Given the current state of computer security, the rate at which new problems are being introduced, and the slow rate at which the underlying problems are being corrected, it seems to me that internet banking is only marginally safer than asking a random stranger to watch your wallet while you go swimming.

      In a few years (decades, more like) when the digital Wild West has been tamed, things will presumably be different and of course you'll be able to paste passwords if passwords are still in use.

      1. Robert Helpmann??
        Trollface

        Don't do financial stuff on the Internet.

        Your concerns seem at odds with reality. In as much as there is a way to handle security in any realm, it is hard to argue that it is worse online than IRL. While it is worth calling out companies, applications and web sites that get it wrong, the fact that there is scrutiny on them is more than you get out of physical access to money these days. Ever hear of card skimmers? Hacking ATMs? Perhaps you ought to just hide your money under your mattress or may switch entirely back to barter until the monetary Wild West is sorted.

      2. Amos1

        Working for a bank, I can assure you that is almost impossible. Why? Because pretty much every company makes all accounts available from the Internet by default. So if you don't use it someone else just might.

        You also should set transaction alerts for the smallest allowable amount, usually $1 or $5 because you should always know when one of your accounts is used.

        You can request that Internet access be disabled one account at a time but I've seen many an upgrade enable them without warning.

      3. Shadow Systems

        At VTCodger, re: writing passwords down.

        I've got mine written down. I keep them in a lockbox at the bottom of a flight of unlit stairs in a disused lavatory with a sign on the door that says "Beware of the Vogon poet". I know nobody has broken in & gotten to my papers, I've been writing poetry the entire time. =-Jp

        On a more serious note, when my bank wanted my email address to associate it to my account, I asked why. They said it was so I could do online banking. I asked what if I didn't want to do online banking? They said it would be so they could alert me if anything bad happened to my account. I told them to call me since that would be faster than an email. I refused to give it to them at that time in the belief that if I didn't activate the online portion of my banking account then criminals couldn't hack into it either. I was proved wrong. The fact that I hadn't given them my email meant that the bastards that social engineered themselves into my account set *their* email address as if it were mine. They then set a password lock on my account & froze me out of it. I had to physically go into my bank, refute everything that had happened to my account via the online path, & demand the bank refund all my money. They said it was all MY fault for not having given them my address in the first place. I nearly went over the counter & BEAT that little snot with their keyboard. (Never blame the victim. We're liable to take out our frustrations on you.) I ended up having to activate the online portion with a username, password, & my email address *just so I could prevent criminals from gaining access*. So even though I didn't want online banking, I had to register my online credentials in order to keep my account from getting hacked... Again.

        Do yourself a favor & go visit your bank. Activate the online part, set up all the security hurdles you can, & then Just Don't Use It. If there's ever any online activity on it then you tell the bank it's fraud. How do you know it was fraud? Because *YOU* never did any online banking. Then you get to change all the passwords/security questions, & the bank gets to refund all your money.

        =-|

      4. Zangetsu

        stop being a troll.

        hopefully the register will lock your account.

  2. Alan J. Wylie
    1. Just Enough
      Boffin

      Re: The NCSC agrees

      You don't understand. If passwords should be hard to crack they need to be hard to enter, and their use should be as difficult and laborious as possible for the user. This sounds like obvious logic, doesn't it?

      And users never look for the easiest way of doing something, thereby nullifying efforts to make things hard for them and making the security useless.

      This is why my websites insist the password is entered by ASCII code, in binary, obscured so that you can never see what you've typed. Twice. Take that hackers!

      1. Crazy Operations Guy

        Re: The NCSC agrees

        "This is why my websites insist the password is entered by ASCII code,"

        ASCII is too common, the secure method would be EBCDIC, or BAUDOT if you really want security.

  3. Anonymous Coward

    Whilst I agree, what happens when you get a nasty that can slurp your clipboard and URLs? I suppose it's the lesser of two evils.

    1. deive

      A good password manager clears the clipboard for you after you've pasted.

      There are also still way too many sites restricting password length as well in my opinion.

      1. Anonymous Coward

        @deive

        But it still has to go in the clipboard in first place.

        I just keep my passwords on a notebook in a locked safe with the key inside. Never failed me.

        1. Mike 125

          >>Never failed me.

          Sadly, you can't prove that. Absolute certainty is always dangerous.

    2. DavidD

      RE: Whilst I agree, what happens when you get a nasty that can slurp your clipboard and URLs?

      If there's something on your machine in a position to slurp your clipboard, it's probably slurping your screen and keyboard input too, so you've got bigger issues to deal with.

  4. fnusnu

    ctshirts.com

    Not that you see a techy in a double cuff shirt very often ;)

  5. Drem
    Facepalm

    Drag and Drop

    I've often found that sites that prohibit copy-paste to password fields, don't stop you drag and dropping into the same fields.

    Most (I think) password managers let you do this, so it's a pretty good workaround.

  6. Malcolm Hall

    Bank of Scotland, Nationwide RBS and brokers like Selftrade all block password managers by using insecure enter certain chars from pins and passwords which means the banks are storing these in plain text.

    The “paste dammit” extension can override paste blocking

    1. Killfalcon Silver badge

      Huh, I'd not considered that (my bank does it as well), and now I'm kicking myself.

      They can potentially store them encrypted and decrypt them when needed, but that is obviously less secure than a password that gets hashed and the hashes compared. In theory I guess they could hash each character separately, but that feels like a waste, since you can crack each independently fairly easily. :/

      The flip-side is that these "x letters from password" things are more resilient against other threats, like keyloggers and such. Is that a bigger issue than an internal breach lifting the password table? I don't know, but hopefully the banks have done some thinking on it.

  7. Korev Silver badge

    I used another financial organisation's webs(h)ite the other day which blocked the clipboard. I'd dutifully created a 20+ character password with numbers, upper and lower case letters and symbols. I took three attempts to type it in accurately, by the time I was done I was almost ready to chuck the laptop out of the window....

    1. deive

      Yeah, I have this problem on the XBox - got a nice long strong unique password for my MS account. Then I had to enter that using a joystick. That took a while.

    2. vtcodger Silver badge

      "by the time I was done I was almost ready to chuck the laptop out of the window"

      Are you ever going to need to access that account again? Do you reckon you'll be able to?

      1. Korev Silver badge

        "by the time I was done I was almost ready to chuck the laptop out of the window"

        Are you ever going to need to access that account again? Do you reckon you'll be able to?

        Yes and hopefully :)

    3. Robert Carnegie Silver badge

      YOSH-OULD-DOIT-USIN-GDAS-HES☺

  8. Baldrickk

    Single figure entry

    There are other annoying ways for banks to really put a spanner in the works.

    For me, the biggest is requiring specific characters from your password.

    You can't just copy and paste that either.

    Easy to put in if you have a short password that you remember 1-5-7 of "Abcd123"? "A13" not too hard.

    What about 8-14-17 of "u[==sPDOD`w>d&]nVaUYOU-em+wY:N" erm... well first I need to open up the entry in the password manager, un-hide the password (so it's now in full view of shoulder surfers) and now count the characters, make sure I get the right ones and put them in. er... "O&V"

    I mean, it's not hard to do, but it circumvents filling the password and makes it easier to get your password wrong by miscounting characters.

    Also how do they store the combinations required? Is your password encrypted and not hashed (bad)? or is there a finite set of hashes of character combinations (terribly inefficient with space, and it's doubtful that they are going to pre-calculate every possible combination)

    1. DwarfPants
      Coat

      Re: Single figure entry

      <sarc>They probably store a hash of each individual character. That will keep it secure.</sarc>

      1. Killfalcon Silver badge

        Re: Single figure entry

        Surprised that password managers don't have a "three named chars" function yet, since it does come up a lot.

        1. FrogsAndChips Silver badge

          Re: Single figure entry

          KeePass can do it:

          https://keepass.info/help/base/placeholders.html#pickchars

        2. Paul 195

          Re: Single figure entry

          > Re: Single figure entry

          > Surprised that password managers don't have a "three named chars" function yet, since it does come up a lot.

          Password Safe does (https://pwsafe.org)

    2. FrogsAndChips Silver badge

      Re: Single figure entry

      HSBC also do that. They ask you for an answer to a memorable question, then either an OTP (for sensitive operations like payments) or, for read-only access, a set of characters from your password (from experience among the first 5 or last 2). Since I don't trust how they store the password for the same reasons as you mentioned, I've created a random complex string for the 'memorable answer' that I retrieve from my password manager and a simple password from which I can easily pick a few chars. Of course that assumes that the memorable answer itself is securely stored.

    3. Hans 1
      Joke

      Re: Single figure entry

      Also how do they store the combinations required?

      British banks? In clear text, in an MS Access database on an open-to-the-world AWS bucket in the states!

      What did you expect?

      No, seriously, if they ask for n'th character, they have it in clear text!

      If they have it in clear text, their techies are idiots.

      And where do idiotic techies store sensitive shit? In an open-to-the-world AWS bucket, somewhere ... I love argument from ignorance, but I think I am not too far off, here ...

    4. Time Waster

      Re: Single figure entry

      Thumbs up for the idea of storing hashes of different combinations. Though there’s no way I credit many banks with coming up with (or caring about) doing so. Realistically if, like my bank, they only ask for 3 characters at a time, it wouldn’t take much to brute force those hashes anyway... My bank does ask for a secondary password (I think they call it a memorable word), which I guess (again, assuming a massive amount of faith in their security / engineering teams) they could be storing hashed with these different pre-chosen combinations...
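As an added example (not code from this thread, from any bank, or from the Register), here is one way the "store a hash of each requested character combination" idea that Baldrickk and Time Waster discuss could be built, with a cost function showing why a three-character partial hash stays weak even when salted and stretched. It assumes PBKDF2-HMAC-SHA256 as the key derivation function and a 95-symbol printable-ASCII alphabet; both are my choices, not anything the page states.

```python
"""Partial-password ("enter characters 8, 14 and 17") storage without plaintext.

Constructed example: keep one salted PBKDF2 hash per k-position subset so the
server never stores the password itself, then count what that costs the server
and how little it leaves for anyone who steals the table.
"""
import hashlib
import hmac
import math
import os
import secrets
from itertools import combinations

PRINTABLE_ASCII = 95           # assumed candidate symbols per character position
DEFAULT_ITERATIONS = 100_000   # assumed PBKDF2 work factor per stored hash


def _kdf(chars: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", chars.encode("utf-8"), salt, iterations)


def enroll(password: str, k: int, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Return a record holding a hash for every k-subset of 1-based positions."""
    n = len(password)
    salt = os.urandom(16)
    subsets = {}
    for positions in combinations(range(1, n + 1), k):
        # Characters are hashed in ascending position order.
        chars = "".join(password[p - 1] for p in positions)
        subsets[positions] = _kdf(chars, salt, iterations)
    return {"n": n, "k": k, "salt": salt, "iterations": iterations, "subsets": subsets}


def challenge(record: dict) -> tuple:
    """Pick a random k-subset of positions to ask the user for."""
    rng = secrets.SystemRandom()
    return tuple(sorted(rng.sample(range(1, record["n"] + 1), record["k"])))


def verify(record: dict, positions, answer: str) -> bool:
    """Check the characters the user typed for the positions they were asked."""
    if len(positions) != record["k"] or len(answer) != record["k"]:
        return False
    # Re-order the answer into ascending position order before hashing.
    pairs = sorted(zip(positions, answer))
    key = tuple(p for p, _ in pairs)
    stored = record["subsets"].get(key)
    if stored is None:          # duplicate or out-of-range positions
        return False
    candidate = _kdf("".join(c for _, c in pairs), record["salt"], record["iterations"])
    return hmac.compare_digest(stored, candidate)


def cost_profile(n: int, k: int) -> dict:
    """Server-side storage vs. offline guesses needed per hash if the table leaks."""
    return {
        "stored_hashes": math.comb(n, k),
        "guesses_per_partial_hash": PRINTABLE_ASCII ** k,
        "guesses_for_full_password_hash": PRINTABLE_ASCII ** n,
    }


if __name__ == "__main__":
    # The thread's own example: positions 1, 5, 7 of "Abcd123" are "A13".
    rec = enroll("Abcd123", 3)
    asked = (1, 5, 7)
    print(asked, verify(rec, asked, "A13"))   # True
    print(asked, verify(rec, asked, "A12"))   # False
    print(challenge(rec))
    for n, k in ((7, 3), (30, 3), (30, 1)):
        print(n, k, cost_profile(n, k))
```

Whatever the iteration count, a leaked three-character hash can only ever have 95^3 candidates, so stretching buys little here; a single-character-per-hash scheme (k = 1) is effectively plaintext.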

  9. theModge

    There's an addon for that

    Entitled: "Don't fuck with paste". Exists for chrome and firefox. Also helps with sites that think you'd like to type your email address twice.

    1. FlamingDeath Silver badge
      Pirate

      Re: There's an addon for that

      Interesting, and what is the privacy policy for said "addon"?

      https://addons.mozilla.org/en-GB/firefox/addon/don-t-fuck-with-paste/

      Permissions

      This add-on can:

      Access your data for all websites

      Access browser tabs

      https://blog.mozilla.org/addons/2018/02/01/understanding-extension-permission-requests/

      "There is one permission in particular, “Access your data for all websites”, that we’ve gotten many questions about since the feature launched. The reason why it’s worded this way is because a web page can contain virtually anything, and some extensions need to read everything on it in order to perform an action based on what the page contains.

      For example, an ad blocker needs to read all web page content to identify and remove ad code. A password manager needs to detect and write to username and password fields. A shopping extension might need to read details of the products you’re searching for.

      Since these types of extensions wouldn’t know whether any particular web page contains the bit it needs to modify until it’s loaded, and neither does Firefox, it needs access to everything on a page so it can look for and modify the appropriate parts. This means that in theory, while rare, a malicious developer could tell you their extension does one thing while it actually does something else."

      Thankfully, most people in this world are honest and upright. Unfortunately, a disingenuous monetary system means sometimes people will be tempted to defraud others.

  10. Chris Hills

    Try typing this password

    Edit, el reg does not handle unicode very well...

    "The post contains some characters we can’t support"

    The original was, as unicode codepoints: U+00F6 U+00BB U+0182 U+0236 U+00AE U+0130 U+014B U+01EC U+1F61B U+0116 U+1F63C U+2601 U+1F633 U+262D U+263E U+0147 U+2628 U+1F62A U+022B U+262C U+2649 U+1F63D U+00CF U+0137

    Or in HTML escaped: &#x00F6;&#x00BB;&#x0182;&#x0236;&#x00AE;&#x0130;&#x014B;&#x01EC;&#x1F61B;&#x0116;&#x1F63C;&#x2601;&#x1F633;&#x262D;&#x263E;&#x0147;&#x2628;&#x1F62A;&#x022B;&#x262C;&#x2649;&#x1F63D;&#x00CF;&#x0137;

  11. Anonymous Coward

    Banks - Can't live with them / Can't live without them

    Here's a shout out to Allied-Irish-Bank for any passing Hacker. Max Password length is 5 numbers of which 3 must be entered at any one time.

    WTF?

    Who needs a password manager!!! On another banking site CTRL-C / CTRL-V is disabled but right-click paste works. Block it right or don't bother!

  12. Chemist

    I use very long 'difficult' passwords for financial sites etc. generated by a program on the fly from a passphrase. The main site that I have trouble with is logging into Skype where paste doesn't work - however Ctrl-V does !

  13. 0laf
    FAIL

    They could do proper two factor authentication which would be a massive boost in security for customers but that would cost money therefore the customer can go to fuck.

  14. MS Surface
    Happy

    No issues here...

    Works fine on any of my MS Surfaces Windows 10 Pro and MS Lumias Windows 10 Mobile using OneLocker Password Manager.

  15. sitta_europea Silver badge

    Why all this worry about passwords? The banks still haven't cottoned on to DNSSEC so it's all screwed anyway - must be five years I've been banging on about it.

  16. Aodhhan

    Don't forget

    ...when you use copy/cut and paste, you're leaving behind the information on a notepad which survives reboot; and this notepad is easily retrievable.

  17. Cavanuk

    Not banks but I've encountered many sites that limit password length and don't allow special characters. It's ridiculous. Do they want your account hacked?

    1. Anonymous Coward

      This.

      Maximum password lengths are an absolute pain and serve no purpose. Since they'll be hashing them anyway (RIGHT?) then the length doesn't actually make any difference to them.

      Having said that, I did come across a domain registrar who stored passwords in plaintext...though they never admitted it, they did ask me to email them several characters from my password so they could verify it was me...how would they know?

  18. rebelcode

    British Gas and E-bay do this too

    British Gas allow you to paste a new password in but to confirm it you have to type it in. An email discussion with them confirms that's by design too. Ebay also don't allow pasting of passwords when setting your password, and an email conversation with them shows that's deliberate as well.

    I know that it's not exactly the same subject but there are also websites that have really stupid password policies. The most immediate one that comes to mind is Lambeth Council where a password now must be no longer than 8 characters, whereas about 4 years ago you could have up to 16 characters. Email conversations with them over the years show a worrying lack of understanding about password security. On the plus side you can paste passwords.

  19. csimon

    Capital One have an odd view of security, so much so I recently stubbornly cancelled my long-standing credit card with them after they stubbornly refused to admit they'd dropped the ball. They'd brought their outsourced customer portal in-house therefore it had been rewritten and required everyone to set up their account again. But they forced two-factor authentication via SMS to activate it, where the one-time code expires after 10 minutes. I live in an area where there is no mobile reception, so there was actually no way I could activate the new portal, while sat at home. I couldn't drive up the road to where there is a signal in order to receive the code because by the time I got back it would have expired. I tried to contact them, which was difficult as there were no contact details or help info on the registration page and you have to go through hoops to contact them, but their only reply was to use someone else's computer to register, where there will be mobile reception. Using an unknown network/computer is against their own security advice, and SMS TFA is now starting to be considered insecure anyway. For a bank that is supposed to take security seriously, they don't instil any trust that they actually know what they're doing.

    1. Drew Scriver

      SMS auth for poor/no mobile coverage

      I too live in an area with poor cell phone reception, which does pose a problem for MFA. Although I wished more companies would add U2F keys (or even old-fashioned fobs), I have found that getting a Google Voice number works in most cases since SMS messages are forwarded via e-mail.

  20. Anonymous Coward

    Three random words written down?

    But what I recommend to family and friends is to go down the three random words (UK govt campaign?) route and write them down. WAIT...

    AND have a short random and easy to remember string (first letters of a line of a song perhaps) which you don't write down and which forms the fourth word. So 'Mary had a little lamb' becomes Mha1l and goes on the end of every password.

    It's much easier to read three words off the page than 16 random punctuation symbols and I'm afraid most people can't be bothered with a password safe anyway. So this encourages a long and secure password, which is easy to type in, but also simple to vary between sites.

    Of course you have to keep the secure bit secure. A song is easy to remember but a password safe is a fallback.

    I think this meets the 'horse battery correct staple' test but would someone like to take it apart for me?

    (And personally I never type a bank password in original character order. Type, move cursor with mouse, type some more, repeat. Doesn't stop MITM but makes the keylogger route a leeeeetle harder. Sadly mobile apps seem to be blocking this nowadays and wiping the field completely if you leave it.)

  21. hellwig

    Two-factor Auth

    Every time I log into Capital One, they require a security code. They will email it to me, text me, or send it through their phone app. I end up closing my computer's web browser and using the phone app for everything (they still text or email a security code, but now it's at least only one device I'm working with).

    I guess my point is, I don't need a 30 character password on my Capital One account, I just need to make sure my eMail and Phone are as secure as can be.

  22. dougkiwi

    Terms and Conditions might be the real enemy

    Seriously. Some banks, like one near me, have it in their Terms and Conditions that online account passwords must never be written or stored ... which means no very complex passwords and no password managers. Not sure if they hard-limit or truncate ... wouldn't that be funny? No correcthorsebatterystaple then.

    So even if they allow pasting, if you have any issue with fraud and they find out you used a password manager, they will be legally entitled to put the entire cost on you.

    Banks and PCI DSS are becoming part of the problem, with archaic security approaches.

  23. ma1010
    Mushroom

    Another miscreant who blocks password managers

    21st Century Insurance. Wankers.

  24. Crazy Operations Guy

    I miss my old bank

    I used to sue a local credit union that was founded by a bunch of employees of a computer security firm, unfortunately they got bought out by some regional crap bank that in turn got acquired by Capital One. But, in any case, they didn't fuck around with passwords, rather they just used smart cards and gave away the readers to whoever needed one (The employees would have one anyway). You could create your certs if you had the know-how and they'd just sign add it to your account login. Multiple certs could be placed on a card and each could be restricted to certain functions.

    This was a small credit union that held, maybe, $2mil in assets, and in 1998. How is it that 20 years later, they are still more secure than the vast majority of banks, especially those that are sitting on a trillion+ USD in their vaults?

    1. Robert Carnegie Silver badge

      Re: I miss my old bank

      Up-vote me if you meant "I used to use", but, since a dollar denominated company presumably means you're in the U.S., could be either.

  25. Anonymous Coward

    TIAA

    TIAA.org blocks copying/pasting of credentials. Also limits to 20 chars and doesn't allow special chars. Oh and only SMS for 2FA.
