How Many Different Passwords Will Your Bank Accept?

Do you use upper and lower case letters in your Internet Banking passwords in an attempt to achieve additional security? What if I told you that in many cases it did not even matter? The FFIEC (Federal Financial Institutions Examination Council) rightly makes the claim that upper and lower case characters in the password provide a stronger defense against password cracking programs (see citation below). The math suggests that using upper and lower case characters increases the entropy, and thus the password strength, by a factor of 26 for each character used in the password. The problem is that many Internet Banking sites do not enforce the original case.

If a site is case sensitive, it requires that the case of a presented password match the case of the password originally set. Users can increase the strength of their authentication by varying the case of their password, which forces password guessing or brute force techniques to go through many more possible values. The problem is that some banks seem to have technical or policy limitations that are not disclosed to their customers. The limitation I recently discovered is the case insensitive nature of several Internet Banking platforms. Specifically, passwords that I originally set with upper case characters were accepted completely case insensitively. In other words, if I set a password of FooBar21, I could subsequently log on with at least 64 different passwords:

FooBar21
foobar21
Foobar21
FOobar21
FoObar21
…..

Looking at this from a mathematical standpoint, a character set consisting of upper and lower case letters as well as numbers yields 62 possible values per character. For an 8 character password there would be 218,340,105,584,896 possible values. If I hadn’t tested the Internet Banking site, I would have assumed my password to be that strong. However, the sites I tested ignored the case of the password, which collapses upper and lower case letters into a single set and leaves only 36 possible values per character. Therefore the possible number of combinations was a much lower value of 2,821,109,907,456, less any factor for special characters. Although that still sounds adequate, the difference is a staggering 208,827,064,576 possible values. In other words, my password strength was reduced in a manner similar to using a shorter password.
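To make the arithmetic above concrete, here is an added example (my own illustration, not code from the original post or from any of the banks discussed): it enumerates every string a case-folding login check would accept for the post's FooBar21 example, shows that an exact-match check accepts only one of them, and computes the keyspace and bits of entropy for an 8 character letters-and-digits password with and without case sensitivity. The sample password and the 62 and 36 symbol alphabets are the post's own figures; the function names are assumptions of this example.

```python
import math
from itertools import product

# Constructed sample input: the password used as the example in the post.
SAMPLE_PASSWORD = "FooBar21"


def case_variants(password):
    """Return every distinct string a case-folding comparison treats as equal
    to `password`: each letter may be upper or lower, digits/symbols are fixed."""
    choices = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in password]
    return sorted({"".join(p) for p in product(*choices)})


def accepted_count(password):
    """Number of strings a case-insensitive check accepts: 2 ** (letters)."""
    return len(case_variants(password))


def case_insensitive_match(stored, presented):
    """Behaviour the post observed: case is folded before comparing."""
    return stored.lower() == presented.lower()


def case_sensitive_match(stored, presented):
    """Behaviour the post expects: exact match only."""
    return stored == presented


def keyspace(length, alphabet_size):
    """Total number of passwords of `length` drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Strength in bits of a uniformly chosen password over that alphabet."""
    return length * math.log2(alphabet_size)


def effective_strength(length, case_sensitive=True):
    """Keyspace and bits for a letters-plus-digits password of `length`.
    With case folded, 26 upper and 26 lower case letters collapse into 26
    symbols, so the alphabet shrinks from 62 to 36."""
    alphabet = 62 if case_sensitive else 36
    return keyspace(length, alphabet), entropy_bits(length, alphabet)


def lost_bits(length):
    """How many bits of strength case folding removes for a given length."""
    return effective_strength(length, True)[1] - effective_strength(length, False)[1]


if __name__ == "__main__":
    variants = case_variants(SAMPLE_PASSWORD)
    print(f"{len(variants)} strings accepted by a case-folding check, e.g. {variants[:4]}")
    print(sum(case_insensitive_match(SAMPLE_PASSWORD, v) for v in variants),
          "accepted case-insensitively;",
          sum(case_sensitive_match(SAMPLE_PASSWORD, v) for v in variants),
          "accepted by exact match")
    for sensitive in (True, False):
        space, bits = effective_strength(8, sensitive)
        print(f"case_sensitive={sensitive}: {space:,} combinations, {bits:.1f} bits")
    print(f"bits lost to case folding at length 8: {lost_bits(8):.2f}")
```

Running it reports 64 accepted strings for FooBar21 (six letters, so 2 to the 6th), one of which survives an exact-match check, and the two keyspaces quoted above: 218,340,105,584,896 at 62 symbols against 2,821,109,907,456 at 36, a loss of roughly 6.3 bits, which is what the post means by the password behaving like a shorter one.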

I guess many people could look at that and simply think that there is nothing wrong with that. There is still a lot of entropy. Who should define how strict the interpretation of passwords should be anyway? I could actually agree with that if I expected it to work that way. The problem for me is that I actually expect that the passwords ARE case sensitive.

We usually find case sensitive passwords almost everywhere else. Logging into corporate networks almost always requires a case sensitive password. If you want to experiment in your own environment, try pressing the Caps Lock key prior to logging in. If banks are not requiring the password case to match, they need to make this ABSOLUTELY clear to their consumers. That would allow users to be informed and hopefully more security conscious about the other aspects of their passwords.

I have personally tested this with five banks of significant size and found that all of them ignored the case of my Internet Banking password. I followed up with each of them. Each bank provided a response, but none provided any documentation or response indicating that I had been made aware of the limitations of their systems with regard to honoring password case. One argument, which I totally disagree with, even seemed to suggest that the security of the password is almost irrelevant because of Mastercard’s limit of liability. I have provided links to the discussions below. Modifications to the originals were only made as required for the privacy of individuals.

Although this issue weakens the perceived (or assumed) strength of one factor of authentication, it is not the Achilles heel of online banking. I would classify this as a low to intermediate risk depending on the mitigating controls employed by each specific bank. For example, if any brute force mitigation controls are in place, the account should be locked out long before the password could be guessed, even with the password being weaker than expected. More importantly, most banks use a heuristic approach to determine whether a user is attempting to authenticate from a foreign location or device, and when this happens an additional level of authentication is required. For the typical bank that has these controls properly deployed, the consumer most likely has adequate protection.

My view of password authentication is that it should require an exact match of what I originally set. Any variant should be an authentication failure. Obviously, at least some banks believe that this should be more lenient. I would have less of a problem with the approach these banks are taking if they made the consumer aware of that fact. As a consumer, I should have the ability to create a password whose strength I can appropriately gauge. If banks choose to normalize my password in any way, I think they should disclose this so I can add additional entropy as I believe to be appropriate.

Quotation:

Password composition standards that require numbers or symbols in the sequence of a password, in conjunction with both upper and lower case alphabetic characters, provide a stronger defense against password-cracking programs. (Source FFIEC)

Research

12/21/2011–My message to American Express

I have recently noticed that the password that I originally set with no longer required the case to match. In other words, my password is weaker than intended due to the fact that this site accepts my password in upper or lower case. Is this a known issue?

12/22/2011–American Express Response to me

Response (Name Removed for Privacy)     12/22/2011 11:46 AM

Dear Paul E. Stewart,

Thank you for writing in. I understand that you are facing an issue with your online password. I request you to call our Online Service Team at (800) 297-1234 (24 hours/7 days) and one of our technical specialists will be able to guide you through the process and advise you about the details while you are on the phone. I hope your issue is resolved at the earliest. We look forward to hearing from you soon.

Sincerely,
Name Removed for Privacy
Email Servicing Team
American Express Interactive Services

12/26/2011–My Follow-up to American Express

I’m very busy and don’t understand how calling in can actually make a difference. My issue is not with function, but with the fact that I was not aware of the case insensitive nature of the password implementation. According to the FFIEC, using upper and lower case in the password is a way to increase the entropy and strength of the password. American Express’ implementation of the password authentication ignores the case of the password. Therefore as a consumer, my password was weaker than I expected. Can you forward me the terms of service section that explains that password validation is case insensitive?

================== Original Message ==================

<–original message removed for brevity–>

12/26/2011–American Express Reply to Me

Dear Paul Stewart,

Thank you for your comments about our online services.

We appreciate your feedback and we will share your comments with our leaders. We take the security of your account very seriously. We also have significant measures to keep your account protected online. If you’d like to discuss your concerns with us, please call our specialized Online Services team at 1-800-297-1234 (24 hrs/7 days). From outside the United States, please call collect at 1-336-393-1111.

Thank you for your Cardmembership.

Sincerely,
Name Removed for Privacy
Email Servicing Team
American Express Interactive Services

12/21/2011–My Message to BBandT

I have recently noticed that the password that I originally set with no longer required the case to match. In other words, my password is weaker than intended due to the fact that this site accepts my password in upper or lower case. Is this a known issue?

12/21/2011–BBandT Reply to Me

Dear Paul <middle name removed> Stewart:

Thank you for contacting BB&T E-Mail Support regarding BB&T OnLine Banking Security Enhancements.

BB&T is implementing a new security feature in BB&T OnLine that adds an extra layer of protection to your online account. The new security feature includes questions and answers that are personalized by you, creating additional security to protect your account from unauthorized use.

We are implementing system enhancements to further secure your private account information. There are a series of new features that will impact how you access your account information and interact with certain pages and elements within BB&T OnLine. BB&T is dedicated to protecting your account information with the latest technology available.

Please contact BB&T OnLine Support at the toll-free telephone number below for further assistance.

If we can provide additional assistance, please contact our OnLine Support at 1-888-228-6654. OnLine Support Associates are available to assist you from 6 a.m. to 12 midnight, ET, seven days a week. Our hours of operation for Technical Support are Monday through Friday, 8 am to 6 pm.

Thank you for using BB&T OnLine. We appreciate your business!

BB&T E-Mail Support

12/23/2011–My Follow-up Message to BBandT

Thank you for the rapid response. Will it change the strength of the first factor of authentication by rectifying the issue of not interpreting case correctly? One of the FFIEC recommendations is for consumers to use varied case to strengthen passwords. The method employed by BBT for normalizing case weakens that first factor (password) of authentication to a point weaker than I (as a consumer) had intended.

12/26/2011–BBandT Reply Message to Me

Dear Paul <middle name removed> Stewart:

Thank you for contacting BB&T E-Mail Support regarding the password for your BB&T OnLine Banking.

In order to receive assistance with your request, please call our BB&T OnLine Support at the toll-free telephone number below.

If we can provide additional assistance, please contact us again by e-mail or by telephone at 1-888-228-6654. OnLine Support Associates are available to assist you from 6 a.m. to 12 midnight, ET, seven days a week. Our hours of operation for Technical Support are Monday through Friday, 8 am to 6 pm.

Thank you for using BB&T OnLine. We appreciate your business!

BB&T E-Mail Support

12/21/2011–My Message to Chase

MESSAGE:I have recently noticed that the password that I originally set with no longer required the case to match. In other words, my password is weaker than intended due to the fact that this site accepts my password in upper or lower case. Is this a known issue?

12/21/2011–Chase Response to Me

Dear Paul Stewart,

I am writing in response to your e-mail inquiry.

Thank you for sharing your feedback regarding the password setup for your online account with us. I forwarded your feedback to our Internet Group for review.

I understand that you are concerned with your account’s security and we want to assure you that protecting your information is our top priority. We have some of the industry’s most sophisticated systems that help to prevent unauthorized access and use of your account. You are fully protected by Visa and MasterCard’s $0 liability policy. In the event of unauthorized purchases, you would pay nothing.

If you have any further questions, please reply using the
Secure Message Center.

Thank you,

Name Removed for Privacy
Email Customer Service Advisor

1-800-436-7927

Account is owned by Chase Bank USA, N.A. and may be
serviced by its affiliates.

12/23/2011–My Follow Up Message to Chase

There are other issues concerning account protection than the financial aspect. Weak credentials can be used for things that are outside the scope of transactions alone. My question was in regards to the password, not the limit of liability. If I set a password of “foobar”, there should be one password that is accepted–“foobar”. With the current implementation of authentication, at least 64 passwords are accepted:

foobar
Foobar
fOobar
FOobar

and so on.

According to the FFIEC, a recommendation is to vary the case of the password in order to increase the security of the authentication. The method of authentication provided by Chase creates a situation in which the consumer thinks the password is more secure than it is. Did I acknowledge this somewhere and overlook the fine print?

12/23/2011–Chase Response to Me

Dear PAUL STEWART,

Thank you for taking the time to contact us again in regards to the security issue for your online profile.

Let me inform you, we are aware that according to FFIEC (Federal Financial Institutions Examination Council’s), passwords need to be case sensitive, however, I can assure you that we do have a secure way of verifying your account.

Please note that we use MFA – Multi Factor Authentication to verify your account, which means that whenever you try to login to your account using a different computer, it will prompt you to enter the unique Identification code. Without which you will not be able to login.

Additionally, you are fully protected by Visa and MasterCard’s $0 liability policy. In the event of unauthorized purchases, you would pay nothing.

I hope that I have taken care of your request. If you have any further questions, please reply using the Secure Message Center.

Thank you,

Name Removed for Privacy
E-mail Customer Service Advisor

1-800-436-7927

Account is owned by Chase Bank USA, N.A. and may be serviced by its affiliates.

12/21/2011–My Message to Citi

12/21/2011

From:   pestewart
Subject:   Password Strength
Date:   December 21, 2011 8:50 EST
I have recently noticed that the password that I originally set with no longer required the case to match. In other words, my password is weaker than intended due to the fact that this site accepts my password in upper or lower case. Is this a known issue?

12/21/2011–Citi Reply to Me

From:   [email protected]
Subject:   Re: Password Strength
Date:   December 21, 2011 8:52 EST
Dear Valued Client,

We regret any confusion. The password field has never been case sensitive. If you feel the current password is not strong, you can change it online. To change your Password, please select Edit Account Preferences from the Account Profile menu. You may be prompted to answer your Security Questions at this point. If prompted after you have successfully answered your Security Questions, please click the “Make changes” link to the right of the Password. Be sure to “Save changes” when you are done.

Note: If you are currently unable to answer the Security Questions, please call 1-866-544-5534 to have them reset. Representatives are available 24 hours a day, 7 days a week. If you are outside the U.S., please call us collect at 702-797-5703.

Your satisfaction is our top priority, and it matters to us that we satisfy all of your financial needs.

Thank you for using our website.

12/21/2011–My Follow-up Message to Citi

From:   pestewart
Subject:   Password Strength
Date:   December 21, 2011 10:09 EST
Thank you for the quick response. Is there somewhere that you know of that states this? I’ve noticed that it is actually an FFIEC recommendation that upper and lower case be used to increase password strength. The normalizing of case in the password negates this.

12/21/2011–Citi Response to Me

From:   [email protected]
Subject:   Password Strength
Date:   December 21, 2011 10:10 EST
Thank you for your inquiry.

We appreciate you taking the time to contact us with your suggestions and comments. They are a valuable resource and will help guide us as we continue to enhance our service. We have forwarded this information to the appropriate department for further consideration.

Please know that we’re working every day to improve our service and that we will not be satisfied until you are.

Thank you for using our website.

12/21/2011–My message to PNC

BalanceAccount
12/21/2011
Regarding the security of internet banking, I have recently noticed that the password that I originally set with no longer required the case to match. In other words, my password is weaker than intended due to the fact that this site accepts my password in upper or lower case. Is this a known issue?

12/26/2011–PNC Response

Re: BalanceAccount
12/26/2011
Dear Paul Stewart,

Thank you for contacting us through secured email. We apologize for any difficulty caused by our delayed response. We can understand your concern, however at this time the passwords are not case sensitive. We greatly appreciate your business at PNC Bank, and we hope that our response has satisfied your banking needs. Should there be any other questions or concerns, please feel free to send us a message from your message center, or contact us at 1-888-PNC-BANK / 1-888-762-2265 (7 AM – 10 PM EST Monday-Friday and 8 AM – 5 PM EST on weekends).

Happy Holidays,
Janice Bussey
Internet Client Services
PNC Bank

Original Message Follows:
————————
Regarding the security of internet banking, I have recently noticed that the password that I originally set with no longer required the case to match. In other words, my password is weaker than intended due to the fact that this site accepts my password in upper or lower case. Is this a known issue?

12/26/2011–My follow-up inquiry to PNC

Re : Re: BalanceAccount
12/26/2011
So the password not being case sensitive is expected behavior? I guess I can understand that, but would have expected to be made aware of that fact. It is noted by the FFIEC that using upper and lower case characters is a way to increase the strength of a password. As a consumer, I wasn’t aware that the case was not being considered in my password. Is there something in the terms of service that would have made me aware of that fact?

12/29/2011–PNC Response to Me

Re: Re : Re: BalanceAccount
12/29/2011
Dear Paul Stewart,

Thank you for contacting us through secured email. We apologize for any difficulty caused by our delayed response. Please contact our Internet Client Services Group at 1-800-762-2035 and our specialty consultants will be able to look into the problem and assist you more appropriately (7 AM – 10 PM EST Monday-Friday and 8 AM – 5 PM EST on weekends). We are sorry for any difficulty that this causes. We greatly appreciate your business at PNC Bank, and we hope that our response has satisfied your banking needs. Should there be any other questions or concerns, please feel free to send us a message from your message center, or contact us at 1-888-PNC-BANK / 1-888-762-2265 (7 AM – 10 PM EST Monday-Friday and 8 AM – 5 PM EST on weekends).

Happy Holidays,
Lindsey Breidigan
Internet Client Services
PNC Bank

Original Message Follows:
———————–
So the password not being case sensitive is expected behavior? I guess I can understand that, but would have expected to be made aware of that fact. It is noted by the FFIEC that using upper and lower case characters is a way to increase the strength of a password. As a consumer, I wasn’t aware that the case was not being considered in my password. Is there something in the terms of service that would have made me aware of that fact?

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.

4 Responses to How Many Different Passwords Will Your Bank Accept?

  1. Pingback: Password Length Limitations — Always an Indication of Clear Text Storage? | PacketU

  2. Bernhard says:

    Same happened to me today, May 2013 @ Chase..

    Chase made me choose an 8 digit minimum and never made me aware they normalize the password or my user name. As this is merely a technical detail of programming code (probably a snippet of code available since Roman times), it is a strong indicator the bank doesn’t care about the customer anymore.. I am withdrawing my money and closing my accounts today – the only way they learn :/

  3. Phil says:

    Not to revive an old article, but I have just spent about ten days going back and forth with Capital One customer service, account managers and back office teams contesting the same point. What’s worse for Capital One is that my original password was treated as case-sensitive until they changed their authentication system sometime within the past year. I don’t remember ever receiving a notification of the switch to case normalization, and was rightfully upset to find that my password was now 1000 times easier to crack than I believed it to be.

    • So when it goes from a case sensitive method to a case insensitive method, one really has to think about how that is possible (unless they know the password and can process it). Passwords should be stored as irreversible hashes. So one could arguably make passwords insensitive from the start by normalizing the case consistently in the client application or browser, transmitting securely and hashing on the server. However, this would not allow switching to an insensitive method later.

      I really wonder how many of these sites are storing these as encrypted only (as opposed to only storing the hash). I would probably ask how they could even know my original password to make it case insensitive (that would be an interesting conversation).

      I think part of the problem is that no one will actually know. Some of this stuff is outsourced to a 3rd party, using code from fourth and fifth parties. As a consumer, you will actually find challenges finding someone technical in an infosec role that can talk to you.

      Getting a clear understanding of these systems end-to-end is a challenge. Not being a road block to innovation is also a challenge for the Bank’s infosec team (especially when the Bank down the street is rolling out new features and they need to keep up). None of this makes it right, it is just the world we live in.

      Kudos on being a responsible user and noticing this usability “feature” — AKA security gap.
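The comment thread above raises a design question that is worth showing in code: if passwords are stored only as salted hashes, the case policy has to be chosen before hashing, and an existing exact-match record cannot simply be declared case-insensitive afterwards because the server no longer has the plaintext. The following Python is an added illustration written for this page; it is not code from the post, from any commenter or from any bank. It uses PBKDF2-HMAC-SHA256 from the standard library, an assumed iteration count, and function names that are assumptions of the example. The only migration it shows is the defensible one: re-enrolling the password under the new policy at the moment the user proves the exact password at login.

```python
import hashlib
import hmac
import os

# Assumed work factor for this illustration; a real deployment tunes it.
ITERATIONS = 100_000


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the secret (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def make_record(password: str, case_sensitive: bool = True) -> dict:
    """Enrol a password. The case policy is fixed at this moment: a
    case-insensitive record folds case BEFORE hashing, so the stored hash
    covers only the folded form and the original casing is never kept."""
    salt = os.urandom(16)
    secret = password if case_sensitive else password.casefold()
    return {"salt": salt, "hash": _derive(secret, salt), "case_sensitive": case_sensitive}


def verify(record: dict, presented: str) -> bool:
    """Apply the policy the record was created with, then compare in constant time."""
    secret = presented if record["case_sensitive"] else presented.casefold()
    return hmac.compare_digest(record["hash"], _derive(secret, record["salt"]))


def flip_policy_flag(record: dict) -> dict:
    """The naive 'switch' the thread asks about: marking an exact-match record
    as case-insensitive after the fact. The stored hash was computed over the
    exact string, so the folded form of the real password no longer matches and
    the genuine user is locked out; the server cannot re-hash without the plaintext."""
    relaxed = dict(record)
    relaxed["case_sensitive"] = False
    return relaxed


def migrate_on_login(record: dict, presented: str):
    """The workable migration: only when the user proves the exact password at
    login does the server briefly hold the plaintext and can re-enrol it under
    the new policy. Returns the new record, or None if nothing should change."""
    if record["case_sensitive"] and verify(record, presented):
        return make_record(presented, case_sensitive=False)
    return None


if __name__ == "__main__":
    rec = make_record("FooBar21")  # constructed sample password from the post
    print("exact-match record: FooBar21 ->", verify(rec, "FooBar21"),
          "| foobar21 ->", verify(rec, "foobar21"))
    folded = make_record("FooBar21", case_sensitive=False)
    print("folded record: FOOBAR21 ->", verify(folded, "FOOBAR21"))
    print("flag flip then real password ->", verify(flip_policy_flag(rec), "FooBar21"))
    migrated = migrate_on_login(rec, "FooBar21")
    print("re-enrolled at login, fOOBAR21 ->", migrated is not None and verify(migrated, "fOOBAR21"))
```

The two behaviours in the post map directly onto the two `make_record` policies, and the `flip_policy_flag` path is why a bank that genuinely holds only hashes cannot silently change the rule for existing customers; seeing that rule change without a forced password reset or a re-enrolment at login is what the commenter is reasoning about.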

Comments are closed.