# CRA website is the most insecure I've ever dealt with



## dotnet_nerd (Jul 1, 2009)

Kind of ironic given how hyper paranoid CRA is about security.

It is *impossible* for me to log out. I always get this cryptic error message:

"Internal Error occurred while trying to process the request. Transaction ID: 362g4ad8-3f25b173-5baf6f8b-faf9bf53-2349507a-ba failed."

So, if I happened to be on a public PC I would have no way of preventing someone else from viewing my account after me.

And why don't they allow non-alphanumeric characters !@#$%^&*()- etc for passwords? This significantly weakens password strength and makes dictionary attacks exponentially easier.

What, are they afraid of SQL injection attacks? Sure, valid point - if you're using a 1990's PHP version or something. But last I checked we're in the 21st century now.
ALLOW STRONG PASSWORDS please and thank you

And if your logout button actually worked I'd be a bit happier.
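The SQL injection worry raised above is the usual reason a site bans special characters in passwords, so here is the defender's answer as an added example (it is not code from the original post or from CRA): with a parameterized query and a salted password hash, the database never sees the password text at all, so any character set can be allowed. The table layout, the `register`/`verify` function names and the sample password are constructed for this illustration.

```python
import hashlib
import hmac
import os
import sqlite3


def _hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the raw password text never reaches SQL."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_store() -> sqlite3.Connection:
    # In-memory database constructed for the example; a real site would use its own schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    # '?' placeholders: the driver passes values separately from the SQL text,
    # so quotes, semicolons or comment markers in the input cannot alter the query.
    conn.execute(
        "INSERT INTO users (username, salt, hash) VALUES (?, ?, ?)",
        (username, salt, _hash(password, salt)),
    )
    conn.commit()


def verify(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT salt, hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn the same hashing cost for unknown users so timing does not reveal valid usernames.
        _hash(password, b"\x00" * 16)
        return False
    salt, stored = row
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(_hash(password, salt), stored)


def demo() -> tuple:
    """Register a password full of SQL metacharacters and check that it round-trips safely."""
    conn = create_store()
    hostile_looking_password = "p@ss'; DROP TABLE users; --#$%^&*()"  # constructed sample
    register(conn, "alice", hostile_looking_password)
    ok = verify(conn, "alice", hostile_looking_password)
    bad = verify(conn, "alice", "wrong-password")
    rows = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return ok, bad, rows  # expected (True, False, 1): table intact, login works


if __name__ == "__main__":
    print(demo())
```

Because the stored value is a fixed-length binary digest, the input character set has no bearing on query safety; the only things the policy should constrain are minimum length and, ideally, a check against known-breached passwords.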


----------



## rsyl (Aug 15, 2014)

You could always log in using a partner (Bank)

Although the security on bank websites is even worse (not case sensitive, at least with Scotia and TD)

As for logging out, it will time out eventually, and I believe once the connection is lost it logs out as well.


----------



## cainvest (May 1, 2013)

Strong passwords are always a nice option but logging in to access sensitive financial info on a public PC is a huge no-no in my books.


----------



## dotnet_nerd (Jul 1, 2009)

rsyl said:


> You could always log in using a partner (Bank)
> 
> Although the security on bank websites is even worse (not case sensitive, at least with Scotia and TD)
> 
> As for logging out, it will time out eventually, and I believe once the connection is lost it logs out as well.


I wasn't referring to the payment side of things. Just the CRA site where you can manage your returns, balances etc.


----------



## Spudd (Oct 11, 2011)

dotnet_nerd said:


> I wasn't referring to the payment side of things. Just the CRA site where you can manage your returns, balances etc.


You can log into that side of things using your bank's login. CRA should offer "use a sign-in partner" and that will redirect you to your bank where you can log in, then they redirect you back to CRA once complete.


----------



## pwm (Jan 19, 2012)

Spudd: That's true if you happen to use one of the banks in the limited list of 9:

View attachment 9538


----------



## Retired Peasant (Apr 22, 2013)

dotnet_nerd said:


> So, if I happened to be on a public PC


That wouldn't be a good idea in the first place.



> And why don't they allow non-alphanumeric characters !@#$%^&*()- etc for passwords? This significantly weakens password strength and makes dictionary attacks exponentially easier.


A password of random characters is much weaker than a pass phrase of random words.
https://xkcd.com/936/

You can test out effectiveness of various password types at https://howsecureismypassword.net/


----------



## 319905 (Mar 7, 2016)

dotnet_nerd said:


> ... It is *impossible* for me to log out ... And if your logout button actually worked I'd be a bit happier.


So having nothing better to do (just cooling off after a workout) thought I'd try it ... the logout button works just fine for me using both Chrome and IE (thought maybe a compatibility view setting might be required).


----------



## LBCfan (Jan 13, 2011)

dotnet_nerd said:


> And why don't they allow non-alphanumeric characters !@#$%^&*()- etc for passwords?


They are saving such phrases for your comments after seeing your Notice of Assessment.


----------



## 319905 (Mar 7, 2016)

^ Absolutely ... and even with the "Your password must contain between 8 and 16 characters, one upper-case letter, one lower-case letter, one digit ... " (there are a few additional special characters that can be used and a requirement of no repeats) that's _about_ 26+26+10 per password character which is _about_ 62^8 possible passwords ... and then there's the, I'm just guessing, 3 tries and you're out ... good enough I'd say.
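The 62^8 estimate above, the passphrase argument from the xkcd link earlier in the thread, and the "3 tries and you're out" point can all be put on one scale. The following is an added example, not code from any poster or from CRA: it computes the entropy of each policy in bits and the time to search half the keyspace under two attacker models. The online rate (3 guesses per day, assuming the lockout clears after a day) and the offline rate (10^10 hashes per second against a leaked database) are assumptions chosen to illustrate the difference, not measured figures.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols drawn from `charset_size`."""
    return length * math.log2(charset_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy in bits of `words` random words from a list of `wordlist_size` entries."""
    return words * math.log2(wordlist_size)


def years_to_search_half(bits: float, guesses_per_second: float) -> float:
    """Expected years to hit the right guess (half the keyspace) at a given guess rate."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


# Attacker models (assumed for illustration).
ONLINE_RATE = 3 / 86400       # 3 tries, then locked out for a day
OFFLINE_RATE = 1e10           # GPU rig against a leaked hash database


def compare_policies() -> dict:
    """Entropy and search time for the policies discussed in the thread."""
    policies = {
        "62 symbols, 8 chars (thread estimate)": keyspace_bits(62, 8),
        "62 symbols, 16 chars (policy maximum)": keyspace_bits(62, 16),
        "62 + 11 specials (!@#$%^&*()-), 8 chars": keyspace_bits(73, 8),
        "4 random words from a 2048-word list (xkcd 936)": passphrase_bits(2048, 4),
    }
    return {
        name: {
            "bits": round(b, 1),
            "online_years": years_to_search_half(b, ONLINE_RATE),
            "offline_years": years_to_search_half(b, OFFLINE_RATE),
        }
        for name, b in policies.items()
    }


if __name__ == "__main__":
    for name, r in compare_policies().items():
        print(f"{name}: {r['bits']} bits, online {r['online_years']:.2e} y, "
              f"offline {r['offline_years']:.2e} y")
```

Two things fall out of the numbers. Adding eleven special characters to an 8-character password buys roughly two bits, while going from 8 to 16 characters buys almost fifty, so length is the lever that matters. And with a lockout, even the weakest policy here is out of reach for online guessing; the special-character question only bites if the hashed password database leaks, which is exactly the case where a long password or passphrase is what holds.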


----------

