# BMO online banking requires weak passwords



## pwm (Jan 19, 2012)

I've been taking the time to make my passwords stronger at all of my critical websites, especially banking sites. I use KeePass as my password manager and I use it to generate passwords that are 20 characters long with numbers, upper and lower case letters, and special characters. I also change them on a regular basis. I have accounts at 3 online brokerages as well as a Credit Union where I have a HISA. They all encourage and support long passwords. The exception is BMO which for some unfathomable reason actually REQUIRES a pathetically weak password! It must be 6 characters long and CANNOT contain numbers or special characters. I complained and they responded with a list of all the safety precautions they take to ensure security and to change the password regularly and never share it etc etc.

With all the ongoing fuss about security breaches at online websites and all the articles one reads about creating strong passwords, I'm dumbfounded at BMO's password policy. 

Comments?


----------



## fatcat (Nov 11, 2009)

i use 1password and i think my bank password is 30 characters of gobbledegook
i agree, i hate it when banks/brokers do this
though, i know they have backup procedures
do they have the memorable image and/or memorable phrase?
that adds complexity


----------



## pwm (Jan 19, 2012)

Yes, BMO has the memorable image and questions as well as Trusteer Rapport, but I would like to see the password requirements improved to allow stronger passwords.


----------



## jj12345 (Jun 24, 2009)

pwm said:


> Yes, BMO has the memorable image and questions as well as Trusteer Rapport, but I would like to see the password requirements improved to allow stronger passwords.


I agree. Banking should have the most security of all sites, you'd think. This reminds me of thesource.ca. I stopped shopping there when I forgot my password, clicked the "forgot password" link and had my password emailed to me. Obviously, they are not hashing passwords. That is extremely concerning.


----------



## swoop_ds (Mar 2, 2010)

Sounds like BMO's password system is pretty archaic. But I hate it more when a site dictates to me what type of password I must have or that it needs to be changed often. My college password was like this. Had to have all kinds of special characters, upper/lower case, etc., and needed to be changed every 3 months. It also couldn't be at all similar to any iteration of a password I had for the last two years... I'm sorry but my marks are not that important. If someone wants to know what I got on a hydraulics exam and hacks my password, good for them.

I feel this way for all sites. If someone wants to actively manage their passwords, that's great. Forcing me to do so makes me want to find somewhere else to go.


----------



## 0xCC (Jan 5, 2012)

26 choose 6 is only 230,230. 52 choose 6 (if you allow for capitals) is 20,358,520. It does not take too long to brute force 20 million combinations. Of course, an attacker would likely be locked out of attempting various passwords after making less than 10 attempts (probably only 3-4 incorrect attempts will lock out any further attempts without making a phone call).


----------



## swoop_ds (Mar 2, 2010)

So basically, guessing a password of 26 choose 6 in 4-10 attempts is virtually impossible.

I've also noticed that many sites will not let you through if you attempt to access them from a 'strange place'. I'm not sure if BMO does this, I kinda doubt it if they have a 6 character limit.


----------



## m3s (Apr 3, 2010)

I use 2 factor authentication for Google, Facebook, Apple, Interactive Brokers, and others. This involves setting up trusted devices, which also prevents your accounts being locked if you travel (a lot). Most of these also let me see when any device has logged in from what IP. I'm surprised that Canadian banks are so far behind in security. With the power of cloud computing today... a longer password with special characters is peanuts compared to 2 factor authentication such as Google's authenticator app. Also, a longer password doesn't stop someone from cracking your "security questions"... which are typically easier to crack than your password nowadays... Rather than a longer password, 2 factor authentication should be used to replace all those outdated "security questions".


----------



## atrp2biz (Sep 22, 2010)

0xCC said:


> 26 choose 6 is only 230,230. 52 choose 6 (if you allow for capitals) is 20,358,520. It does not take too long to brute force 20 million combinations. Of course, an attacker would likely be locked out of attempting various passwords after making less than 10 attempts (probably only 3-4 incorrect attempts will lock out any further attempts without making a phone call).


It's a lot more than that. It's a permutation--not a combination.


----------



## 0xCC (Jan 5, 2012)

atrp2biz said:


> It's a lot more than that. It's a permutation--not a combination.


Yeah, I was wondering about that after I posted. Order matters. So is it 20,358,520 factorial then?

In any case, as swoop_ds points out, since the account will be locked out after probably a low number of wrong password attempts it doesn't really matter if it is 200k or 20M or even higher than that number of permutations.


----------



## rsyl (Aug 15, 2014)

TD and Scotiabank aren't much better. You can't use capitals... that is, you can, but the password is not case-sensitive!



> Please enter your new password below.
> Passwords are not case sensitive and can't include special characters (e.g., #, %, etc.). Passwords must be 8-16 characters long and contain at least one number and letter.


----------



## fatcat (Nov 11, 2009)

this is a fun little password strength testing tool: https://www.grc.com/haystack.htm
it is amazing what an additional character can do to a password


----------



## Retired Peasant (Apr 22, 2013)

I find financial sites to have weak conditions on passwords.

However it's a misconception that a bunch of jumbled characters/symbols is stronger than a simple phrase of words (with spaces).

Check out
http://blog.webernetz.net/2013/07/30/password-strengthentropy-characters-vs-words/

and test a password (not your real one, but samples) at
https://howsecureismypassword.net/

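Added example (not written by any poster in the thread) that works through 0xCC's keyspace question and Retired Peasant's characters-vs-words point: a 6-letter password where letters may repeat has 26**6 possibilities, not C(26, 6), and a few words drawn from a large list beat a short jumble. It assumes a 36-symbol alphabet for the TD/Scotia rule (26 letters + 10 digits, case folded), a 7776-word passphrase list and an offline rate of 1e9 guesses/s; none of those figures come from the thread.

```python
import math

# Alphabet sizes for the policies discussed in the thread (constructed for this example)
LOWER = 26                    # BMO: 6 letters, no digits or symbols
MIXED_CASE = 52               # 0xCC's "if you allow for capitals" variant
ALNUM_CASE_INSENSITIVE = 36   # TD/Scotia quote: letters + digits, case folded (assumption)
WORDLIST = 7776               # size of a common passphrase word list (assumption)


def keyspace(symbols: int, length: int) -> int:
    """Distinct passwords when each of `length` positions is drawn independently
    from `symbols` choices. Repetition is allowed and order matters, so the count
    is symbols**length, not the combination C(symbols, length) from the thread."""
    return symbols ** length


def entropy_bits(space: int) -> float:
    """log2 of the keyspace: the number of bits a guesser has to get right."""
    return math.log2(space)


def online_guess_probability(space: int, attempts: int) -> float:
    """Chance that `attempts` random online guesses hit one account before lockout,
    assuming a uniformly chosen password (real user choices are far less uniform)."""
    return min(1.0, attempts / space)


def offline_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to search half the space at an offline rate; this matters only
    if the hashed password database leaks, which lockout does nothing to prevent."""
    return (space / 2) / guesses_per_second


if __name__ == "__main__":
    policies = {
        "BMO: 6 lowercase letters": keyspace(LOWER, 6),
        "6 mixed-case letters": keyspace(MIXED_CASE, 6),
        "TD/Scotia: 8 case-insensitive alphanumerics": keyspace(ALNUM_CASE_INSENSITIVE, 8),
        "TD/Scotia: 16 case-insensitive alphanumerics": keyspace(ALNUM_CASE_INSENSITIVE, 16),
        "4 words with spaces, 7776-word list": keyspace(WORDLIST, 4),
    }
    for name, space in policies.items():
        print(f"{name}: {space:,} possibilities, {entropy_bits(space):.1f} bits; "
              f"P(hit in 10 online tries) = {online_guess_probability(space, 10):.2e}; "
              f"offline at 1e9/s ~ {offline_crack_seconds(space, 1e9) / 86400:.3f} days")
```

The online column shows why a 3-10 attempt lockout makes the 6-letter space adequate against guessing at the login page, while the offline column shows how little it helps once a leaked hash can be attacked at machine speed.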

----------



## nobleea (Oct 11, 2013)

I always thought most passwords were stolen, not cracked. As in spyware recorded the password. I assume that's why changing it often is more important than making it convoluted.
PINs on cc and debit cards are stolen, not cracked.


----------



## bgc_fan (Apr 5, 2009)

Well HSBC provides a little fob that generates one time PINs for login, in addition to your password login. I would consider that as equivalent to a two factor authentication.


----------



## peterk (May 16, 2010)

BMO until only recently didn't require you to enter your debit pin at a human teller. I could literally walk into any branch (not just my home branch) with only a bank card and withdraw cash without needing to provide a pin, password, or ID.


----------



## fatcat (Nov 11, 2009)

peterk said:


> BMO until only recently didn't require you to enter your debit pin at a human teller. I could literally walk into any branch (not just my home branch) with only a bank card and withdraw cash without needing to provide a pin, password, or ID.


right, human error and social engineering worry me as much as password cracking


----------

