South African bank advises against the use of password managers (opens in new tab)

(twitter.com)

58 pointsbuyx6y ago74 comments

74 comments

53 comments · 13 top-level

mcv6y ago· 12 in thread

I'm frequently baffled when I encounter a login form that doesn't allow pasting a password. Of course with developer tools I can just remove the attribute that causes that, but plenty of internet users lack that level of technical knowledge and are forced to resort to easy to member and very likely reused passwords.

I feel like this is a similar red flag as the 'no single quotes in passwords' limitation that used to be common.

pwg6y ago

With Firefox (at least the desktop version) one can set this about:config option (dom.event.clipboardevents.enabled) to "false" and websites can no longer block you from pasting things into form fields on your own browser on your own computer.

cik6y ago

By far the best comment in this thread. Thank you.

Any idea if that syncs as a regular profix sync?

sdinsn6y ago

Thanks, I've been wondering if something like that is possible.

moviuro6y ago

I prefer to use the autotype function of password managers (Ctrl-V on Keepass[0], and rofi-pass[1] for pass(1)); there are other issues with them though (such as "modern" login pages [2])

[0] https://keepass.info/help/base/autotype.html

[1] https://github.com/carnager/rofi-pass

[2] http://bradfrost.com/blog/post/dont-get-clever-with-login-fo...

tombrossman6y ago

In Firefox you can override this and re-enable pasting by toggling dom.event.clipboardevents.enabled to 'False' (in about:config).

https://developer.mozilla.org/en-US/docs/Mozilla/Preferences...

giarc6y ago

I use Bitwarden and often sites won't be set up for auto eneter of login credentials. In that case, Bitwarden provides an easy way to simply copy/paste the user/pass.

Cytobit6y ago

Sometimes using Shift+Insert instead of Ctrl+V can allow you to paste into these fields.

sonnk6y ago

I can understand if a government service requires this but it also happens with a normal, ecommerce website!

kelnage6y ago

If it's a US Federal Government service, you should point out to them that they are going against the explicit recommendation of NIST[1].

1. https://pages.nist.gov/800-63-3/sp800-63b.html#sec5, under 5.1.1.2 Memorized Secret Verifiers, 'Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret.'

1 more reply

moviuro6y ago

I really don't understand why. Please explain.

mcv6y ago

I do not understand why a government service would require this. Governments should improve security, not undermine it.

(Then again, most governments don't seem to care much about what I think they should be doing.)

1 more reply

dsfasfasfas6y ago

Well in my little corner of the US govt the web certificates are usually expired and I can't log into my work email from home.

1 more reply

mikeash6y ago· 9 in thread

“Bank has idiotic ideas about security” is as surprising as “sun rises at predicted time.” Something about the industry seems to push paranoid incompetence in security.

moviuro6y ago

Currently at a bank's security team, here's what I gathered so far that explains (but doesn't excuse) the current state of affairs:

- there are millions of customers who hate having to use their brains (or get their phone to receive a 2FA code);

- a kilometer of requirements from whatever Central Bank, local policies and ad-hoc decisions;

- (too) limited budget to build and run whatever service (cost of SMS 2FA for millions .vs. cost of some limited fraud);

- very, very bad dev education, and general disdain for security. We do have a guide for them (the "secure development handbook"), and all our code audits reveal that it wasn't followed in all places;

- outdated perception of security issues (screengrabbers are still a threat to tackle, according to some).

zzzcpan6y ago

I guess it depends on the country and the bank. My bank, for example, does mandatory 2FA for 15+ years and uses some anomaly based approach to decide how aggressively to ask for 2FA, like if you send money somewhere unusual, it does phone call 2FA, instead of an SMS, and if you just pay your usual bills from the same IP address and the same PC it doesn't even ask for 2FA at all. It also has other optional security features like white lists for IP subnets, internet-only credit cards, etc.

2 more replies

rambojazz6y ago

> screengrabbers are still a threat to tackle, according to some

I might be one of those "some". Why do you say that screengrabbers are not a threat to consider? There are hundreds of cases that I can think of where they can be a security issue.

mikeash6y ago

Thank you for sharing an inside view!

Apofis6y ago

This is unintentionally hilarious.

vxNsr6y ago

The most confusing thing is that a lot of banks (paypal included) still don't let you use "special chars" in your password. Or they will allow it but only for a very limited set that they don't tell you.

moviuro6y ago

That's not true about Paypal though: "Use lower case, upper case, a number, and a special character [like ~!@#$%^&*()_+=?><.,/]." [0]

And even if the character subset is quite small (26 lower case, 26 upper case, 10 digits), it's still good enough if it's completely random and never leaked once. Just max out the password length (start at 32 char) and back track from there.

[0] https://www.paypal.com/us/smarthelp/article/Tips-for-creatin...

2 more replies

mikeash6y ago

This one seems almost sensible to me. They probably have some ridiculous 1960s-era mainframe on the backend and it’s cheaper to keep it running than to redo it all.

1 more reply

zxcvbn40386y ago

I was super impressed to find that PayPal supports TOTP now, as the the brokerage Robinhood. Everyone else is still doing proprietary tokens, sms, or good looks for MFA. Tumblr had TOTP first but go PayPal, they get a pat on the back for doing something right.

peterwwillis6y ago· 4 in thread

Password managers are a very useful idea for general accounts, but I would not trust my financial solvency to them. If you only have one or two bank accounts, generate a long complex password, memorize it, don't save it anywhere, and use a mnemonic or other method to vary the password between the two accounts.

Even if password managers are implemented perfectly, there are various attacks that they can still fall victim to that a memorized password won't. Most password managers are not implemented perfectly.

consp6y ago

> a memorized password won't

Memorized password are usually highly insecure due to being reused and short in general. So they are usually implemented as imperfect systems for most people. What is the difference to a password manager here?

The fact you remember long passwords doesn't mean everyone does.

peterwwillis6y ago

If you're the type of person who uses no master password, and every password you would ever create is '1234', then a password manager will be a definite improvement. But if you have the ability to memorize two complex passwords, that is more secure.

My advice is solely for the person who already has a password manager, has memorized one complex password for it, and is willing to memorize another one.

kranner6y ago

Name one attack that would work against a non-cloud-based password manager like pass. Note that the encrypted passwords are stored locally and are encrypted with GPG and protected with a (hopefully) complex passphrase. If your answer depends on malware that can read the clipboard, note that the same malware can also log the keystrokes used to type the password manually.

peterwwillis6y ago

Evil maid. Cold boot. Memory parsing. Clipboard/key event hooking. Brute force. Dictionary. Autofill hijack.

You can use the first four against typed passwords, but you either need to have malware installed, or your time window has to be very short. All of these can be used against password managers even without malware, and the time window is much longer, often due to crappy password managers not properly protecting against side channels or even cleaning up old memory.

You have the same attacks as with entering a password, plus more you wouldn't have had.

1 more reply

alkonaut6y ago· 4 in thread

Is there no 2FA? Why is there a password field at all on an online banking page?

nomad0106y ago

Most transactions require an OTP to successfully complete, you also get notifications whenever a login to your account is performed.

I think it would probably be a good idea to have some sort of separate 2FA device linked at home but I doubt they'll ever implement it. You would want it separate to your phone because if your wallet and phone get stolen you can login to the online banking account and deactivate your stolen cards without having to go to the bank.

alkonaut6y ago

If the phone has a PIN or similar (I realize not everyone has) and the 2FA app has a pin/password, then that does seem like a reasonable level of security.

1 more reply

sp3326y ago

Do you mean logging in with a one-time code instead of a password? It might be more secure than a password, but it's still only one "factor".

alkonaut6y ago

No I mean a physical thing like those little number generators that banks have had for what 20 years now, or the smartphone 2FA apps that we have used for at least 15 years.

I don't enter either a regular password nor one-time password for anything (not for transactions, not for login). I only use an identifying mechanism on a second device (a smartphone or a dedicated device). The secondary device has an 8digit pin though, so if it is stolen then it's not (immediately) compromising the security.

1 more reply

marvel_boy6y ago· 4 in thread

Half of Android "password managers" are scams.

rhinoceraptor6y ago

I’d bet half of all Android apps are scams.

chopin6y ago

I bid higher...

1 more reply

viraptor6y ago

Have you got the numbers for it, and a proof that significant number of people actually use them? Searching for password manager I got to 16th entry before reaching an unknown author and ~40 positions before I reached anything really questionable. Even assuming the install numbers are not inflated, you don't get more than 10k users on the lower entries.

There are probably some scams down the list, but claiming half of them are without an explanation is just FUD.

yxhuvud6y ago

While that may or may not be true, I can quite understand why the bank would want to have some certification or something of the password manager to ensure the security. A password manager that is insecure is worse than no password manager.

izzydata6y ago· 4 in thread

Aren't password managers sacrificing security for convenience? Remembering hundreds of long unique passwords being the most secure, but too difficult. If you could remember everything then you would have an uncompromisable storage system.

Personally I use password managers for most things, but exclude them when money is involved and opt to remember those.

viraptor6y ago

> Aren't password managers sacrificing security for convenience?

It depends on what problem you're trying to solve / what's your threat model. The comparison is for realistic (imperfect) use of password manager vs what someone would do otherwise.

Nobody is likely to ever guess your bank password with online tries, so the likely scenarios are: protection from hashed credentials leak, and from another service leaking shared passwords. The tradeoff is your password manager bring possibly exploited. With the known frequency of each so far, no, it doesn't look like we're sacrificing security.

oconnor6636y ago

One of the security features that a password manager provides is retrieving passwords based on what domain you're on. They're a lot better than the human brain at making sure you don't get phished by an evil site that looks exactly like Gmail or whatever.

izzydata6y ago

I'd like to believe I know better than that, but I see your point.

ceejayoz6y ago

In a world where people have perfect, secure memories, sure.

We don't live in that world, and as such, a good password manager is the most practically secure method for the vast majority of folks.

LilBytes6y ago· 2 in thread

For any customers that do use said bank, take this as an indicator of their own security practices and consider if you still trust them with your money, data and PII.

I wonder how they share credentials without a PAM or similar. All service accounts are using 'S3cur3P@$$w0rdzSuck'... Or more probably just a 'passwordz'?

What a shocking state of affairs.

nomad0106y ago

I use said bank and they are generally pretty good. Also note they even said in the tweet that they acknowledge the role of password managers so I think you may have read a bit too much into the tweet. Almost every time I log on to their online banking site, I get a page detailing the latest scams and what to look out for.

I also agree with their statement for the most part. The general public, at least here in SA, aren't too discerning when it comes to tech matters who will probably download any random app from the play store. If you don't trust pretty much anyone with your credentials, why trust a probably unknown 3rd party with them.

I think the best idea in this case is to choose a strong password, try and remember it or write it down and store it in a safe.

fnbthrowaway6y ago

I've been meaning to leave them since they implemented this policy last year. I uninstalled their app and have been getting by using the _Don't Fuck with Paste_ extension [0].

But I do totally agree with you that if they're blocking password manager functionality then it follows that there are probably many more security practices they're similarly getting completely wrong. It's especially concerning when you think of how basic an error this is to be making.

I don't know how security policies are written at companies their size, but there are so many resources on the benefits of password managers it's hard to believe no one could google "should you disable copy pasting passwords" and then read any link from the last 10 years which will unambiguously say: No!

Another weird security issue I noticed with them last week, is that they seem to have their email template sharepoint public [1]. This could be commonplace, since you can't edit anything, but still seems weird that you would let just anyone traverse your directories.

[0] https://chrome.google.com/webstore/detail/dont-fuck-with-pas... https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-wi... [1] https://www.mailers.fnbweb.co.za/Campaigns/Forms/AllItems.as...

arunc6y ago· 1 in thread

American Banks are no different, they just don't tell you out loud. Here's a similar thing with Citi Bank credit card.

https://twitter.com/aruncxy/status/1163447301592891392?s=09

c17r6y ago

I have a 30 character password with upper, lower, numbers, and special characters for Citi and Bitwarden works just fine on their website. What problems are you running into?

caseysoftware6y ago

Thirty minutes ago I closed my account with Wells Fargo because of their lack of security. Last month, they called to validate my identity. I called back, they asked for my mother's maiden name.

Me: "Since that information is on Facebook, I use a big random string starting.."

Them: "That's good enough, so what we want to talk about is.."

Then when I went into the local branch, the receptionist wanted to swipe my debit card in their tablet to add me to the line. Forget that, I'm out.

zxcvbn40386y ago

Over the weekend I had to call Time Warner Cable for support. Their support representative was willing to send an e-mail verification to any address I provided - in fact she refused to send an e-mail to the address on file because she couldn’t be sure the address was valid or who she was sending too. All this when I accessed a live chat feature from within a logged in context where I had already authenticated myself.

tibbydudeza6y ago

Considering how much S.A banks charge us in service fees they can afford to give folks who uses online banking a security fob.

angry_octet6y ago

If you can only remember a few long term complex secrets, then using one slot for your bank password seems reasonable to me. The other big ones for me are: google/microsoft account, password manager, FDE passphrase.

If you use hardware 2FA and have lots of bank accounts (business, trading, etc) then using a password manager starts to make sense.

sonnk6y ago

Even this is a wrong move from the bank, I think that using password to have access to sensible service is not the safest way. Would be better if the bank can use some ID-verification service, preferably provided by the government independent company.

j / k navigate · click thread line to collapse

74 comments

53 comments · 13 top-level

mcv6y ago· 12 in thread

I feel like this is a similar red flag as the 'no single quotes in passwords' limitation that used to be common.

pwg6y ago

cik6y ago

By far the best comment in this thread. Thank you.

Any idea if that syncs as a regular profix sync?

sdinsn6y ago

Thanks, I've been wondering if something like that is possible.

moviuro6y ago

I prefer to use the autotype function of password managers (Ctrl-V on Keepass[0], and rofi-pass[1] for pass(1)); there are other issues with them though (such as "modern" login pages [2])

[0] https://keepass.info/help/base/autotype.html

[1] https://github.com/carnager/rofi-pass

[2] http://bradfrost.com/blog/post/dont-get-clever-with-login-fo...

tombrossman6y ago

In Firefox you can override this and re-enable pasting by toggling dom.event.clipboardevents.enabled to 'False' (in about:config).

https://developer.mozilla.org/en-US/docs/Mozilla/Preferences...

giarc6y ago

I use Bitwarden and often sites won't be set up for auto eneter of login credentials. In that case, Bitwarden provides an easy way to simply copy/paste the user/pass.

Cytobit6y ago

Sometimes using Shift+Insert instead of Ctrl+V can allow you to paste into these fields.

sonnk6y ago

I can understand if a government service requires this but it also happens with a normal, ecommerce website!

kelnage6y ago

If it's a US Federal Government service, you should point out to them that they are going against the explicit recommendation of NIST[1].

1. https://pages.nist.gov/800-63-3/sp800-63b.html#sec5, under 5.1.1.2 Memorized Secret Verifiers, 'Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret.'

1 more reply

moviuro6y ago

I really don't understand why. Please explain.

mcv6y ago

I do not understand why a government service would require this. Governments should improve security, not undermine it.

(Then again, most governments don't seem to care much about what I think they should be doing.)

1 more reply

dsfasfasfas6y ago

Well in my little corner of the US govt the web certificates are usually expired and I can't log into my work email from home.

1 more reply

mikeash6y ago· 9 in thread

“Bank has idiotic ideas about security” is as surprising as “sun rises at predicted time.” Something about the industry seems to push paranoid incompetence in security.

moviuro6y ago

Currently at a bank's security team, here's what I gathered so far that explains (but doesn't excuse) the current state of affairs:

- there are millions of customers who hate having to use their brains (or get their phone to receive a 2FA code);

- a kilometer of requirements from whatever Central Bank, local policies and ad-hoc decisions;

- (too) limited budget to build and run whatever service (cost of SMS 2FA for millions .vs. cost of some limited fraud);

- outdated perception of security issues (screengrabbers are still a threat to tackle, according to some).

zzzcpan6y ago

2 more replies

rambojazz6y ago

> screengrabbers are still a threat to tackle, according to some

I might be one of those "some". Why do you say that screengrabbers are not a threat to consider? There are hundreds of cases that I can think of where they can be a security issue.

mikeash6y ago

Thank you for sharing an inside view!

Apofis6y ago

This is unintentionally hilarious.

vxNsr6y ago

moviuro6y ago

That's not true about Paypal though: "Use lower case, upper case, a number, and a special character [like ~!@#$%^&*()_+=?><.,/]." [0]

[0] https://www.paypal.com/us/smarthelp/article/Tips-for-creatin...

2 more replies

mikeash6y ago

This one seems almost sensible to me. They probably have some ridiculous 1960s-era mainframe on the backend and it’s cheaper to keep it running than to redo it all.

1 more reply

zxcvbn40386y ago

peterwwillis6y ago· 4 in thread

consp6y ago

> a memorized password won't

The fact you remember long passwords doesn't mean everyone does.

peterwwillis6y ago

My advice is solely for the person who already has a password manager, has memorized one complex password for it, and is willing to memorize another one.

kranner6y ago

peterwwillis6y ago

Evil maid. Cold boot. Memory parsing. Clipboard/key event hooking. Brute force. Dictionary. Autofill hijack.

You have the same attacks as with entering a password, plus more you wouldn't have had.

1 more reply

alkonaut6y ago· 4 in thread

Is there no 2FA? Why is there a password field at all on an online banking page?

nomad0106y ago

Most transactions require an OTP to successfully complete, you also get notifications whenever a login to your account is performed.

alkonaut6y ago

If the phone has a PIN or similar (I realize not everyone has) and the 2FA app has a pin/password, then that does seem like a reasonable level of security.

1 more reply

sp3326y ago

Do you mean logging in with a one-time code instead of a password? It might be more secure than a password, but it's still only one "factor".

alkonaut6y ago

No I mean a physical thing like those little number generators that banks have had for what 20 years now, or the smartphone 2FA apps that we have used for at least 15 years.

1 more reply

marvel_boy6y ago· 4 in thread

Half of Android "password managers" are scams.

rhinoceraptor6y ago

I’d bet half of all Android apps are scams.

chopin6y ago

I bid higher...

1 more reply

viraptor6y ago

There are probably some scams down the list, but claiming half of them are without an explanation is just FUD.

yxhuvud6y ago

izzydata6y ago· 4 in thread

Personally I use password managers for most things, but exclude them when money is involved and opt to remember those.

viraptor6y ago

> Aren't password managers sacrificing security for convenience?

It depends on what problem you're trying to solve / what's your threat model. The comparison is for realistic (imperfect) use of password manager vs what someone would do otherwise.

oconnor6636y ago

izzydata6y ago

I'd like to believe I know better than that, but I see your point.

ceejayoz6y ago

In a world where people have perfect, secure memories, sure.

We don't live in that world, and as such, a good password manager is the most practically secure method for the vast majority of folks.

LilBytes6y ago· 2 in thread

For any customers that do use said bank, take this as an indicator of their own security practices and consider if you still trust them with your money, data and PII.

I wonder how they share credentials without a PAM or similar. All service accounts are using 'S3cur3P@$$w0rdzSuck'... Or more probably just a 'passwordz'?

What a shocking state of affairs.

nomad0106y ago

I think the best idea in this case is to choose a strong password, try and remember it or write it down and store it in a safe.

fnbthrowaway6y ago

I've been meaning to leave them since they implemented this policy last year. I uninstalled their app and have been getting by using the _Don't Fuck with Paste_ extension [0].

[0] https://chrome.google.com/webstore/detail/dont-fuck-with-pas... https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-wi... [1] https://www.mailers.fnbweb.co.za/Campaigns/Forms/AllItems.as...

arunc6y ago· 1 in thread

American Banks are no different, they just don't tell you out loud. Here's a similar thing with Citi Bank credit card.

https://twitter.com/aruncxy/status/1163447301592891392?s=09

c17r6y ago

I have a 30 character password with upper, lower, numbers, and special characters for Citi and Bitwarden works just fine on their website. What problems are you running into?

caseysoftware6y ago

Thirty minutes ago I closed my account with Wells Fargo because of their lack of security. Last month, they called to validate my identity. I called back, they asked for my mother's maiden name.

Me: "Since that information is on Facebook, I use a big random string starting.."

Them: "That's good enough, so what we want to talk about is.."

Then when I went into the local branch, the receptionist wanted to swipe my debit card in their tablet to add me to the line. Forget that, I'm out.

zxcvbn40386y ago

tibbydudeza6y ago

Considering how much S.A banks charge us in service fees they can afford to give folks who uses online banking a security fob.

angry_octet6y ago

If you use hardware 2FA and have lots of bank accounts (business, trading, etc) then using a password manager starts to make sense.

sonnk6y ago

j / k navigate · click thread line to collapse