
Lax security by banks is certainly nothing new, nor unique to Canada. I've always wondered about sites that do not allow "special" characters. What could they possibly be doing to not allow that other than storing passwords in plain-text? After all, any secure crypto hash (and even regular hashing algorithms) will not care about special characters in the source content. I suppose it could be any number of components between the user and storage, yet I can't think of any system off the top of my head that's that shoddy.



Writing new software is easy. Maintaining large, existing codebases for mission-critical software is hard. Banks were early adopters; there's fifty year old code that does some things extremely well, but also sometimes results in user-facing quirks like oddly limited password fields.


Good point. Assuming that the offending code is the actual password storage rather than an intermediary subsystem, one can safely make the assumption that such password storage is insecure. Which isn't much of a revelation, considering the article.


Maybe true, but I've learned not to make assumptions about how large & complex systems work based only on the little piece I can see from the outside.


For Canada specifically, they might be worried about people creating a password using a Canadian English+French keyboard (which has a good few accented characters etc.), then trying to type it in on an American English keyboard, and finding those characters unavailable. (Both keyboard types are commonplace here.)
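The point made in the first comment and this one, that a properly hashed password imposes no restriction on which characters it contains, and that accented characters entered from different keyboard layouts are a Unicode normalization problem rather than a reason to forbid them, as an added Python example (not code from anyone in this thread; the KDF choice, iteration count and salt size are assumptions, and the sample passwords are constructed):

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Assumed parameters for illustration; a production system would tune these
# and would usually prefer a memory-hard KDF such as Argon2id.
ITERATIONS = 100_000
SALT_BYTES = 16


def canonicalize(password: str) -> bytes:
    """Normalize to NFC so that a precomposed "é" (U+00E9) and the sequence
    "e" + combining acute (U+0301), which different keyboards or input methods
    may emit for the same visible character, hash to the same bytes."""
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(password). Any Unicode string is
    accepted: punctuation, currency symbols and CJK text are just bytes."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", canonicalize(password), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", canonicalize(password), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed samples: the same password typed two ways, plus a
    # non-Latin "street name" style secret with currency punctuation.
    precomposed = "caf\u00e9 \u00a3#!&"        # é as U+00E9
    decomposed = "cafe\u0301 \u00a3#!&"        # e + U+0301
    record = hash_password(precomposed)
    print(verify_password(precomposed, record))  # True
    print(verify_password(decomposed, record))   # True (normalized)
    print(verify_password("cafe \u00a3#!&", record))  # False
    print(verify_password("\u4e2d\u5c71\u8def $1,500", hash_password("\u4e2d\u5c71\u8def $1,500")))  # True
```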


Should never have to give out your password over the phone, but for security questions the reason why it's often alphanumeric is you will have people entering security questions like "how much did your first car cost" and they enter something in pounds sterling and pence which the Philippines call center phone script reader who deals in dollars all day isn't going to be able to interpret.

Or "what street name did you grow up on" could include some UTF-8 glyphs from Asian immigrants.


I have a Canadian bank account which requires [0-9] for your password, but it is only enforced in JavaScript. If you disable JavaScript, you can use any password you want. At least in their case, it is not a technical limitation.


Mainframes are the usual culprit. I've worked on them, and it's an interesting experience. Such as running programs that are 30-40 years old and the customer doesn't have the original source code anymore. I enjoyed COBOL, but the condition of old stuff poorly maintained is frustrating.


Just a guess, but it could be that phone based banking is the reason. You can't enter (most) special characters on the phone.


If I'm not mistaken, there's a separate phone PIN for this reason.



