Mouse clicks for password entry - how secure is this?
I hope this is the right place to ask this; it is about security philosophy, not the 1Password software. I use 1PW as my password manager. I have two banking sites I use, and I use 1PW to bring up the login page for each and to fill in the user ID field. I need to provide the passwords to these sites manually because they both provide an on-screen keyboard and mouse clicks to select characters, to avoid keystroke loggers.
My question is about the effectiveness of this approach to security: presumably this mechanism prevents capture of my password?
The sites in question, westpac.com.au and ingdirect.com.au, have limits on password complexity. The Westpac password must be 6 alphanumeric characters in length, with at least one numeric digit; ING is worse, as it must be a four-digit number!
Presumably, if their sites ever got hacked and the hashed passwords stolen, it would be simple work to get the original passwords.
I'm interested in your opinion about the security approach these banks have adopted.
Comments
-
In my opinion, the on-screen keyboard is a useful feature if the login is standalone. However, if it makes it incompatible with password managers, then that is going to lead to people using reduced-complexity passwords, which opens up the system to a direct attack on the credentials data.
Even ignoring password managers, 6 alphanumeric characters is ridiculously easy to break should the attackers ever gain access to the database system.
-
"I need to provide the passwords to these sites manually because they both provide an on-screen keyboard and mouse click to select characters"
As much as I appreciate your bank's good intentions, every time they prevent password managers from doing what they were designed to do, they actually make you - the customers - less secure: http://www.troyhunt.com/2014/05/the-cobra-effect-that-is-disabling.html
"The sites in question - westpac.com.au and ingdirect.com.au have limits on password complexity"
There are no good reasons to limit password length/strength: http://www.troyhunt.com/2011/03/3-reasons-youre-forced-into-creating.html
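The keyspace arithmetic behind the question's worry about stolen hashes and the first comment's "ridiculously easy to break" remark, as an added example that is not part of the original thread. It assumes the Westpac alphabet is letters plus digits (shown both case-insensitive and case-sensitive, since the thread does not say), and the guessing rate of 10^9 hashes per second is an assumed figure for an unsalted fast hash; the banks' actual hashing schemes are not known from the thread.

```python
import math

DIGITS = 10
LOWER = 26
UPPER = 26


def keyspace_alnum_min_one_digit(length, case_sensitive=False):
    """Strings of `length` over letters+digits containing at least one digit.
    Inclusion-exclusion: all alphanumeric strings minus the letters-only strings."""
    letters = LOWER + (UPPER if case_sensitive else 0)
    alphabet = letters + DIGITS
    return alphabet ** length - letters ** length


def keyspace_pin(length):
    """All-digit PINs of the given length (the ING policy in the thread)."""
    return DIGITS ** length


def entropy_bits(keyspace):
    """Bits of entropy for a uniformly chosen element of the keyspace."""
    return math.log2(keyspace)


def seconds_to_exhaust(keyspace, guesses_per_second):
    """Worst case: every candidate tried once. The average is half of this."""
    return keyspace / guesses_per_second


def compare_policies(guesses_per_second=1e9):
    """Summarise both bank policies; the offline guessing rate is an assumption."""
    policies = {
        "westpac: 6 alnum, >=1 digit": keyspace_alnum_min_one_digit(6),
        "westpac: same, case-sensitive": keyspace_alnum_min_one_digit(6, True),
        "ing: 4-digit PIN": keyspace_pin(4),
    }
    return {
        name: {
            "keyspace": ks,
            "bits": round(entropy_bits(ks), 1),
            "worst_case_s": seconds_to_exhaust(ks, guesses_per_second),
        }
        for name, ks in policies.items()
    }


if __name__ == "__main__":
    for name, row in compare_policies().items():
        print(f"{name:32s} keyspace={row['keyspace']:>14,d} "
              f"bits={row['bits']:5.1f} exhaust={row['worst_case_s']:.2e}s")
```

Whatever the on-screen keyboard does against a keylogger on the customer's machine, it changes nothing in these numbers: they describe an offline attack on a stolen hash, where only the keyspace and the hashing scheme matter.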