Online security is becoming more important every day. It is now common to implement secure password policies: at least 8 characters, with a minimum of 1 special character such as @, $ or #. More and more corporations are taking care of passwords, as nearly every day a new "hack incident" happens...
We all expect banks, at least, to take care of secure password policies, besides SSL logins or virtual keyboards. As I said, "we expect", but it is sad to see that some of the banks are not meeting the minimum security requirements, or at least our expectations, or even the ISO 27001 or PCI standards in terms of passwords.
This post is proof of how weak password policies are used in some of the Australian online banking web sites. Yes, they do have SSL, but these days SSL hacking is not "rocket science", and some PKIs were compromised a few times...
I have done a simple pen test by logging in to the SSL-protected sites and entering passwords manually, and the result was shocking, at least for me.
My first example is National Australia Bank (NAB):
1) Only 8 characters are allowed in the password
2) No special characters are allowed
Here is one more example, from Westpac:
They force users to use the "virtual keyboard", but only 6 characters are allowed in the password!
My recommendation: do not trust your SSL too much, and encourage your customers to use complex passwords, please.
Special thanks to the Commonwealth and ANZ banks, which have not just SSL and a virtual keyboard but also a 15-character password choice.
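To make the difference between the policies above concrete, here is an added example (not from the original post) that models a login form's password rules and audits them: the 8-character no-specials and 6-character limits observed above, beside the 15-character policy that allows specials. The policies, minimum lengths and the special-character set are constructed assumptions for illustration, not verified bank settings.

```python
import math
import string
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    """Rules a login form enforces; max_length caps what users may choose."""
    name: str
    min_length: int
    max_length: int
    allow_special: bool

SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?/"  # 26 printable punctuation symbols

def charset_size(policy: PasswordPolicy) -> int:
    # Upper/lower letters and digits are always allowed; specials only if the policy permits them.
    size = len(string.ascii_letters) + len(string.digits)  # 62
    return size + len(SPECIALS) if policy.allow_special else size

def max_keyspace_bits(policy: PasswordPolicy) -> float:
    """Entropy of a uniformly random password at the longest permitted length."""
    return policy.max_length * math.log2(charset_size(policy))

def audit_policy(policy: PasswordPolicy, min_ok_length: int = 12, min_ok_bits: int = 60) -> list:
    """Findings a reviewer would raise against the policy; an empty list means it passes."""
    findings = []
    if policy.max_length < min_ok_length:
        findings.append(f"maximum length {policy.max_length} caps password strength")
    if not policy.allow_special:
        findings.append("special characters rejected, charset limited to 62 symbols")
    if max_keyspace_bits(policy) < min_ok_bits:
        findings.append(f"best case only {max_keyspace_bits(policy):.0f} bits of entropy")
    return findings

def check_password(pw: str, policy: PasswordPolicy) -> bool:
    """Whether the form would accept pw; shows how the caps reject strong passwords."""
    if not policy.min_length <= len(pw) <= policy.max_length:
        return False
    if not policy.allow_special and any(c in SPECIALS for c in pw):
        return False
    return True

# Constructed policies modelled on the post's observations; min_length values are assumptions.
POLICIES = [
    PasswordPolicy("8-char, no specials", 6, 8, False),
    PasswordPolicy("6-char with virtual keyboard", 6, 6, True),   # allow_special assumed
    PasswordPolicy("15-char with specials", 8, 15, True),
]
```

Running `audit_policy` over `POLICIES` shows the first two capped at roughly 48 and 39 bits with findings, while the 15-character policy reaches about 97 bits and passes clean.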
This test will be continued; keep an eye out, more to come...