Earlier in the week I talked about my concerns with First Direct’s new password policy. I got an email from them about this, but it really wasn’t very reassuring.
But I kept digging. And on Thursday I got a bit more information from “^GD” on the @firstdirecthelp twitter account. It still doesn’t answer all of my questions, but I think we’re a lot closer to the truth. Here’s what I was told.
@davorg Hi Dave, I can confirm that the password is encrypted. Security and safety will always be a priority for first direct. ^GD
— first direct help (@firstdirecthelp) July 17, 2014
The obvious question that this raises is why, then, do they limit the length of the passwords. I asked and got this (three-tweet) reply.
@davorg Hi Dave, it was a business decision to have the password length limited to a maximum of 10 characters. (1/3)^GD
— first direct help (@firstdirecthelp) July 17, 2014
@davorg Due to the restrictions within the app the risk from having a short password is minimal. (2/3)^GD
— first direct help (@firstdirecthelp) July 17, 2014
@davorg We always advise that the password chosen for the Digital Secure Key is unique. (3/3) ^GD
— first direct help (@firstdirecthelp) July 17, 2014
To which I replied:
@firstdirecthelp Thanks for the reply. But you're aware (I assume) that this goes against current security best practice recommendations.
— Dave Cross (@davorg) July 17, 2014
And got the response:
@davorg You're welcome, I will certainly pass your comments on to the development team. (1/2) ^GD
— first direct help (@firstdirecthelp) July 17, 2014
@davorg As a business we are satisfied with the levels of security that we have in place. (2/2)^GD
— first direct help (@firstdirecthelp) July 17, 2014
I thought that “as a business we are satisfied” rather missed the point. And told them so.
@firstdirecthelp Sure, but (importantly) it's not just about the business being satisfied. You also need to convince your customers [1/2]
— Dave Cross (@davorg) July 17, 2014
@firstdirecthelp And some of those customers will be experts in computer security who will know about best practice. [2/2]
— Dave Cross (@davorg) July 17, 2014
I got no response to that. And @brunns got no response when he tried to push them for more details about how the passwords are stored.
@firstdirecthelp @davorg Encrypted, or hashed?
— Simon Brunning (@brunns) July 17, 2014
So, to summarise what we know:
- First Direct say they store the passwords “encrypted”, but it’s unclear exactly what that means
- It was a business decision to limit the length of the passwords, but we don’t know why that was considered a good idea
- It still appears that First Direct believe that security by obscurity is an important part of their security policy
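The “encrypted, or hashed?” question matters because the two are different things. Here’s an added illustration (my own example code, nothing First Direct has published) of what a hashed password store looks like: the server keeps only a salted, slow hash that it can check a login attempt against but can never turn back into the password, and the stored record is the same size whether the password is 10 characters or 60, so there is no storage reason for a length cap. The PBKDF2 parameters are assumed for illustration.

```python
import hashlib
import hmac
import os

# Illustrative parameters (assumed for this example; not First Direct's settings).
ITERATIONS = 200_000   # deliberately slow, to make offline guessing expensive
DIGEST_LEN = 32        # bytes of output; fixed no matter how long the password is
SALT_LEN = 16


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a record of the form 'iterations$salt_hex$hash_hex'.

    Nothing in the record can be reversed to recover the password. That is
    the difference between "hashed" and "encrypted": an encrypted store can
    be decrypted by anyone who obtains the key, a hashed one cannot.
    """
    salt = salt or os.urandom(SALT_LEN)          # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, ITERATIONS, DIGEST_LEN)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations),
                             len(hash_hex) // 2)
    return hmac.compare_digest(dk.hex(), hash_hex)


def record_length_is_fixed(short_pw: str, long_pw: str) -> bool:
    """A hashed record has the same size for any password length, so a
    10-character maximum buys the storage layer nothing."""
    return len(hash_password(short_pw)) == len(hash_password(long_pw))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")   # constructed sample
    print(rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("wrong pw:", verify_password("Tr0ub4dor&3", rec))
    print("same size:", record_length_is_fixed("abcdefghij", "x" * 60))
```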
I haven’t really been reassured by this interaction with First Direct. I felt that the first customer support agent I talked to tried to fob me off with glib truisms, but “^GD” tried to actually get answers to my questions – although his obvious lack of knowledge in this area meant that I didn’t really get the detailed answers that I wanted.
I’m not sure that there’s anything to be achieved by pushing this any further.
Not being an expert in this area, the bit that would concern me is the last reply they gave, that they’re satisfied with the level of security.
“Satisfied” = “meh, that’ll do. Fancy a pint?”
Possible hypothesis: I could imagine it being a business decision whereby they’ve found that passwords over 10 characters means much more frequent support calls.