Who cares about password security? NatWest don’t

In light of recent cracking events there has been a lot of discussion about password security, including from me about how I’ve switched to 1Password. Today I was reading a blog post about how Electronic Arts hate strong passwords and it reminded me of a much worse example from my bank, NatWest.

NatWest Credit Card Services (not their online banking service, which is clearly a different division and imposes different restrictions) impose the most ridiculous restrictions I have ever seen for password security. They require your password to be between 6 and 8 characters long and to contain only alphanumeric characters.

They do at least use the age-old method of protecting against keyloggers (except ones that take screenshots): at login they only ask for certain characters from your password rather than the whole thing.

But that makes me wonder: If they can query you for exact characters, are your passwords encrypted in a reversible manner? I wonder if anyone can shed some light on the incredibly brilliant security I’m sure NatWest have…

NatWest have no email address, but I’m planning on writing to them about this with a link to this blog post. If you bank with NatWest, I suggest you do the same (even if you don’t use their online credit card services) to express your concern about their security when they impose such stupid restrictions.

For other companies with stupid password restrictions (and even stupider ‘reasons’), see ‘London Midland on Password Lengths’.
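The question above, whether asking for individual characters forces reversible storage, can be made concrete. The following is an added example, not code from this post or from NatWest: it implements the one non-reversible design that can still answer a "give me characters 2 and 5" prompt, a salted hash per character position, and shows why that is no better than plaintext, because each position has only 62 alphanumeric candidates. The function names, the record layout and the sample password are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import string

# Alphabet matching the restriction in the post: alphanumeric only (62 symbols).
ALPHABET = string.ascii_letters + string.digits


def _position_digest(salt: bytes, index: int, char: str) -> bytes:
    """Hash one character together with its position and a per-record salt.
    This is the 'one-way hash per character' design one might hope a bank uses."""
    return hashlib.sha256(salt + bytes([index]) + char.encode()).digest()


def store_password(password: str) -> dict:
    """Build the per-character record needed to answer a partial-character prompt."""
    assert 6 <= len(password) <= 8 and all(c in ALPHABET for c in password)
    salt = os.urandom(16)
    return {"salt": salt,
            "digests": [_position_digest(salt, i, c) for i, c in enumerate(password)]}


def verify_positions(record: dict, answers: dict) -> bool:
    """Check only the requested positions, e.g. {1: 'b', 4: 'e'} (0-based indices)."""
    return all(hmac.compare_digest(record["digests"][i],
                                   _position_digest(record["salt"], i, c))
               for i, c in answers.items())


def recover_from_record(record: dict) -> tuple:
    """What a leaked record gives away: every position has only 62 candidates, so the
    whole password falls out after at most 62 * length hash calls. This is why a
    defender should treat per-character hashing as equivalent to reversible storage.
    Returns (recovered_password, hash_evaluations_used)."""
    recovered, work = [], 0
    for i, digest in enumerate(record["digests"]):
        for c in ALPHABET:
            work += 1
            if _position_digest(record["salt"], i, c) == digest:
                recovered.append(c)
                break
    return "".join(recovered), work


def work_factor(length: int) -> tuple:
    """(guesses to exhaust a whole-password hash, guesses against per-character hashes)."""
    return len(ALPHABET) ** length, len(ALPHABET) * length


if __name__ == "__main__":
    rec = store_password("Abc123xy")          # constructed sample password
    print(verify_positions(rec, {0: "A", 5: "3"}))
    print(recover_from_record(rec))
    print(work_factor(8))                      # (218340105584896, 496)
```

The comparison in `work_factor` is the whole point: an 8-character alphanumeric password hashed as one string has about 2.2e14 possibilities, while the per-position record collapses that to 496 guesses.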

  • “If they can query you for exact characters, are your passwords encrypted in a reversible manner” 
    No, 

  • “If they can query you for exact characters, are your passwords encrypted in a reversible manner?”
    I’d expect they’re one-way hashing on a character-by-character basis with some salt. Or at least I hope that’s the case.

    • So there are what…62 possible hashes (per salt)? Sounds very dumb.

  • Thom

    Why do you care about the length of your password? Are you of the impression that someone would be able to brute force it? They’ll lock your account way before that. Plus, they also require you to use your card and card reader to verify any payments you make online, so even if you told an attacker your password (and PIN), they still wouldn’t be able to steal your money.

    Nevertheless, I look forward to hearing their reply to your letter.

    • Nope, this is Credit Card Services, I can make payments and transfers once I am logged in, they just ask for a couple more characters of my password. Granted, NatWest would be able to give me the money back.

      But more to the point is this: it encourages poor security, and it makes you wonder how they are storing your data and/or passwords if they think that 6-8 alphanumerics is good enough. Imposing a limit like that has been a conscious decision, and it worries me that people in charge of my money make stupid decisions like that.

  • Claude

    My bank is even worse, 6 alphanumeric characters…

    • I hear that some banks just require 6-8 digits; no characters allowed.

  • Anonymous

    I just checked on my Natwest online banking thing and not only is my password longer than 8 characters but it also requires my card reader to let me change my password, just like it does if I wanted to add a new person to transfer money to. Are your images really old and you’re just remembering them for this blog post or are you on some other, more different and especially insecure version of Natwest online banking?

    • As I said in my post, this is NatWest Online Credit Card Services (you’ll see it as a little tab with ‘NEW’ next to it when you go to login to online banking).

  • Pingback: The Security Hall of Shame | Irreal

  • Guest

    I find it very difficult to ever actually access my own account, never mind anyone else doing it! In order to do a simple transfer, I need all my paperwork out plus my card reader so any banking requires a whole office rather than ‘on the go’ like I did with Santander. After a ridiculous amount of security, I then get confirmation of transfers and then, 2 days later, I get a security call asking me to confirm certain details WTF! When I refuse to give personal details to someone who has called me without verifying who THEY are, I am told I have to go into branch to make the transfer! I have been with Natwest for 3 months and so regret switching.

  • Pingback: How do some sites (e.g. online banks) only ask for specific characters from a password without storing it as plaintext? | XL-UAT