Shoddy security from “secure” institutions…again

Bryan Bennett
GT Usable Privacy and Security Course
4 min read · Jan 18, 2019

Were I to ask you which institutions were most in need of secure login mechanisms, I would expect that your top 5 answers would include both financial and medical institutions. These institutions deal with some of our most intimate data, and obviously require high standards when it comes to the security of the authentication mechanisms used to prove that a user is indeed who they say they are. Unfortunately (but in a surprise to absolutely no one with a passing interest in security and a Twitter account), these very same groups are the ones consistently ranted and raved about for the arbitrary requirements placed on their password fields.

Recently, my wife and I decided to pull the trigger on a trip abroad; for the last few years we had been saving the points accruing on my credit card. Scott’s Cheap Flights notified us of a deal on travel to Canada and we decided to try and book a flight using these accrued points to help offset the cost of the trip. While staring at the log-in screen for this particular institution’s reward website, I had a realization: I had literally no idea what the password to this site was. No worry — I clicked on the “Forgot username / password” link, filled in my Social Security Number and Account Number, received the two-factor authentication link via my phone, and was promptly taken to a screen which prompted me to generate a new password. Great!

Well, all until I attempted to actually generate the password. As a user of the amazing pass utility, I opened a terminal and typed in

pass generate the_banks_name 32

which promptly spat out 32 characters of noise. I proceeded to paste that into the provided inputs and was greeted by the following

What? How does this make sense?

Now most of these are perfectly reasonable requirements. They’re obviously trying to enforce a decent character set and length so that brute forcing isn’t a problem, encouraging no reuse of the user’s passwords, and…what’s that? No repeated characters? No consecutive characters? Excuse me?

Unfortunately, the password I had generated broke the last two mentioned rules. Despite being quite literally 32 characters of random noise, it wasn’t secure enough. So I generated a different password…which didn’t pass either.

And another password which failed. And another. And another. And another. And so on.

You see…one of the benefits of password managers like pass is that they generate a good password and remember it for you so you don’t have to. But it turns out it’s quite difficult to program Cool Bank’s arbitrary rules into these systems (even impossible in pass). You simply cannot tell pass to abide by these arbitrary rules. In the end, I generated about 20 passwords. None of them worked. I gave up, vowed to come back later that evening, and hit the back button.
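To see why a 32-character random string almost never gets past rules like these, here is a small added example (not code from the post, and not part of pass itself) that applies one plausible reading of the two rules to passwords drawn uniformly from the same 94-symbol set pass generate uses. It assumes “no repeated characters” means no character used twice anywhere, and “no consecutive characters” means two ASCII-adjacent neighbours such as “ab” or “21”; the bank’s exact wording is not known.

```python
"""Acceptance rate of uniformly random passwords under an assumed reading
of Cool Bank's "no repeated / no consecutive characters" rules.
Added example, not from the original post; the rule wording is assumed."""
import math
import random
import string

# The printable set `pass generate` draws from: [:punct:][:alnum:], 94 symbols.
CHARSET = string.ascii_letters + string.digits + string.punctuation


def has_repeated_char(pw: str) -> bool:
    """Assumed reading: any character used more than once, anywhere."""
    return len(set(pw)) < len(pw)


def has_consecutive_chars(pw: str) -> bool:
    """Assumed reading: two neighbours that are ASCII-adjacent, e.g. 'ab', '21'."""
    return any(abs(ord(a) - ord(b)) == 1 for a, b in zip(pw, pw[1:]))


def passes_rules(pw: str) -> bool:
    """True only when neither assumed rule is violated."""
    return not (has_repeated_char(pw) or has_consecutive_chars(pw))


def distinct_probability(length: int, alphabet: int = len(CHARSET)) -> float:
    """Exact P(all characters distinct) for a uniformly random password."""
    return math.perm(alphabet, length) / alphabet ** length


def acceptance_rate(length: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo share of uniformly random passwords that pass both rules."""
    rng = random.Random(seed)  # seeded only so the estimate is reproducible
    accepted = sum(
        passes_rules("".join(rng.choices(CHARSET, k=length))) for _ in range(trials)
    )
    return accepted / trials


if __name__ == "__main__":
    # Every rejection shrinks the set of passwords the bank will accept,
    # so the rules cost entropy instead of adding it.
    print(f"P(32 distinct chars)  = {distinct_probability(32):.3%}")
    print(f"accept rate, 32 chars = {acceptance_rate(32, 20000):.3%}")
    print(f"accept rate, 12 chars = {acceptance_rate(12, 20000):.3%}")
```

With these assumptions only a fraction of a percent of 32-character random passwords are accepted, which is consistent with twenty generated passwords failing in a row.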

And was greeted by the Cool Bank dashboard — the one that appears after you have logged in.

Not only had this institution managed to make me so frustrated that I abandoned the process, but they’d also failed to consider the implications of a user making it to this screen and abandoning the process. While this isn’t a huge problem security-wise (I had already proven my identity with my SSN, account number, and two-factor authentication response), it does reveal a lot about the institution that designed such a website. It says that they truly believed in the demonic rule set that they enforced. It says that they probably didn’t test every abandonment path through the process as they implemented it. It says that they probably didn’t take my security as seriously in their design as their stupid password rules seem to imply.

While writing this article, I have logged back in (using the same process as above) and changed my password, and in the process managed to replicate the logged-in-but-don’t-know-your-password bug. I’m honestly not sure what else to say about it other than “well, they are a bank.” This resignation to the idea that certain institutions think they know better than their users is just wrong. There has to be a better way to enforce password complexity (if you want to do such a thing). Maybe (hopefully) this semester, this class will come up with one. Until then though — we just have to admit that Cool Bank knows more than we do and will have to play by their rules.
