1020
Why don't banks like root on Android?
(lemmy.world)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 04 Apr 2024
1020 points (98.8% liked)
linuxmemes
24252 readers
822 users here now
Hint: :q!
Sister communities:
Community rules (click to expand)
1. Follow the site-wide rules
- Instance-wide TOS: https://legal.lemmy.world/tos/
- Lemmy code of conduct: https://join-lemmy.org/docs/code_of_conduct.html
2. Be civil
- Understand the difference between a joke and an insult.
- Do not harrass or attack users for any reason. This includes using blanket terms, like "every user of thing".
- Don't get baited into back-and-forth insults. We are not animals.
- Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
- Bigotry will not be tolerated.
3. Post Linux-related content
- Including Unix and BSD.
- Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of
sudoin Windows. - No porn, no politics, no trolling or ragebaiting.
4. No recent reposts
- Everybody uses Arch btw, can't quit Vim, <loves/tolerates/hates> systemd, and wants to interject for a moment. You can stop now.
5. 🇬🇧 Language/язык/Sprache
- This is primarily an English-speaking community. 🇬🇧🇦🇺🇺🇸
- Comments written in other languages are allowed.
- The substance of a post should be comprehensible for people who only speak English.
- Titles and post bodies written in other languages will be allowed, but only as long as the above rule is observed.
6. (NEW!) Regarding public figures
We all have our opinions, and certain public figures can be divisive. Keep in mind that this is a community for memes and light-hearted fun, not for airing grievances or leveling accusations. - Keep discussions polite and free of disparagement.
- We are never in possession of all of the facts. Defamatory comments will not be tolerated.
- Discussions that get too heated will be locked and offending comments removed.
Please report posts and comments that break these rules!
Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't remove France.
founded 2 years ago
MODERATORS
Because as per usual they don't understand security. I have started choosing my bank based on software they have. If software looks competent, that's my most significant influence.
They think rooted device = insecure device, but at the same time PC is even less secure and yet all the business users use them and more to the point have passwords written on a sticky note glued to the screen. My old bank at one point "upgraded" their software system and then started asking me for weird characters in password and then asked for maximum length which was the final sin I allowed them to commit. Left them that week.
My bank keeps their app up to date with all the latest anti-root stuff but allows passwords made of 5 digits. ¯\_(ツ)_/¯
Unless they've changed it very recently, Paypal still limits your password to 20 characters
Unless they’ve changed it very recently, Wells Fargo’s passwords are case insensitive
Air Canada's online account system required a 6 character password, which was secretly converted via T9 to 6 numbers on the back end, meaning "aaaaaa" and "bbbbbb" were effectively the same password, and this was only fixed in 2018
That sounds like someone who topped out with highschool level programming tried to implement a hash algorithm.
My personal theory is that it's a remnant of an old system that was only accessible by phone (hence the 6 digit pin), and they simply grafted an online component on top of it
Any service that limits maximum length of the password means they are not hashing them. Which is a scary proposition, especially for such a huge service.
That's normally my assumption too but surely PayPal has proper security, right? Right??
It's possible that limit is either gone or vestige from a bygone age and they are hashing passwords properly now. Either way they do seem like they take security seriously.
Ah, that's the "your problem" approach to security.
I mean, you're comparing very different scenarios.
If one account gets broken into and their password hashing was crap, the attacker can try the email/password combo with other services and can stumble onto another one you use.
If someone has access to your sticky note they have all your accounts.
I don't think I'd call either of them better.
Of course, all this assumes no second auth factor.
If someone has access to your sticky note they're already in your house, and that's a bigger issue IMO... even from an itsec perspective, once the attacker has physical access to guarantee safety is difficult.
But seriously, there's a guy in your house.
My house is not a prison... yes, other people come over. There's the occasional party, handymen doing work, neighbors, parents of kids from school, kids sleeping over, and so on. It doesn't have to be the ninjas breaking in.
If you don't casually keep wads of cash in the open around the house you probably shouldn't have logins on a post-it either. But to be fair the kind of person that does the latter does the former too.
If I know they are there then I either supervise visitors or trust them to not rummage/take my stuff. If that is your issue then keep your postit in a drawer; most people don't keep their yubikeys in a securely bolted safe either.
Just shift the password descriptions a few spots compared to the passwords, then you'll get email about failed logins as a canary.