I’ve been a happy customer of First Direct since a month or so after they opened, almost twenty-five years ago.
One of the things I really liked about them was that they hadn’t followed other banks down the route of insisting that you carried a new code-generating dongle around so that you can log into their online banking. But, of course, it was only a matter of time before that changed.
A couple of weeks ago I got a message from them telling me that Secure Key was on its way. And yesterday when I logged on to my account I was prompted to choose the flavour of secure key that I wanted to use. To be fair to them they have chosen a particularly non-intrusive implementation. Each customer gets three options:
- The traditional small dongle to carry around with you
- An extension to their smartphone app
- No secure key at all
If you choose the final option then you only get restricted (basically read-only) access to your account through their web site. And if you choose one of the first two options, you can always log on without the secure key and get the same restricted access.
I chose the smartphone option. I already use their Android app and I pretty much always have my phone with me.
Usually when you log on to First Direct’s online banking you’re asked for three random characters from your password. Under the new system, that changes. I now need to log on to my smartphone app and that will give me a code to input into the web site. But to get into the smartphone app, I don’t use the old three character login. No, I needed to set up a new Digital Secure Password – which I can use for all of my interactions in this brave new world.
And that’s where I think First Direct have slipped up a bit.
When they asked my for my new password, they told me that it needed to be between 6 and 10 characters long.
Those of you with any knowledge of computer security will understand why that worries me. For those who don’t, here’s a brief explanation.
Somewhere in First Direct’s systems is a database that stores details of their customers. There will be a table containing users which has a row of data for each person who logs in to the service. That row will contain information like the users name, login name, email address and (crucially) password. So when someone tries to log in the system find the right row of data (based on the login name) and compares the password in that row with the password that has been entered on the login screen. If the two match then the person is let into the system.
Whenever you have a database table, you have to worry about what would happen if someone managed to get hold of the contents of that table. Clearly it would be a disaster if someone got hold of this table of user data – as they would then have access to the usernames and passwords of all of the bank’s users.
So, to prevent this being a problem, most rational database administrators will encrypt any passwords stored in database tables. And they will encrypt them in such a way that it is impossible (ok, that’s overstating the case a bit – but certainly really really difficult) to decrypt the data to get the passwords back. They will probably use something called a “one-way hash” to do this (if you’re wondering how you check a password when it’s encrypted like this then I explain that here).
And these one-way hashes have an interesting property. No matter how long the input string is, the hashed value you get out at the other end is the same length. For example, if you’re using a hashing algorithm called MD5, every hash you get out will be thirty-two characters long.
Therefore, if you’re using a hashing algorithm to protect your users’ passwords, it doesn’t matter how long the password is. Because the hashed version will always be the same length. You should therefore encourage your users to make their passwords as long as they want. You shouldn’t be imposing artificial length restrictions on them.
And that’s why people who know about computer security will have all shared my concerns when I said that First Direct imposed a length restriction on these new passwords. The most common reason for a maximum length on a password is that the company is storing passwords as plain text in the database. With all the attendant problems that will cause if someone gets hold of the data.
I’m not saying for sure that First Direct are doing that. I’m just saying that it’s a possibility and one that is very worrying. If that’s not the case I’d like to know what other reason they have for limiting the password’s length like this.
I’ve send them a message asking for clarification. I’ll update this post with any response that I get.
Update (17 July): I got a reply from First Direct. This is what they said.
Thank you for your message dated 16-Jul-2014 regarding the security of your password for your Digital Secure Key.
Ensuring the security of our systems is, and will continue to be, our number one priority.
All the details that are sent to and from the system are encrypted using high encryption levels. As long as you keep your password secret, we can assure you that the system is secure. As you will appreciate, we cannot provide further details about the security measures used by Internet Banking, as we must protect the integrity of the system.
Our customers also have a responsibility to ensure that they protect their computers by following our common-sense recommendations. Further information can be found by selecting ‘security’ from the bottom menu on our website, www.firstdirect.com
Please let us know if you have any further questions, and we’ll be happy to discuss.
Which isn’t very helpful and doesn’t address my question. I’ve tried explaining it to them again.
@firstdirecthelp Here’s my blog post explaining the problem – http://t.co/7V5Cj0SlSk Would be good to get a response from FD. Thanks.
Why @first_direct’s new password policy worries me – http://t.co/7V5Cj0SlSk
New writing: davblog: First Direct Passwords: I’ve been a happy customer of First Direct since a month or so a… http://t.co/uOBpGccDBN
Updated my blog post about @first_direct passwords with their response – http://t.co/7V5Cj0SlSk
RT @davorg: Updated my blog post about @first_direct passwords with their response – http://t.co/7V5Cj0SlSk