On Tue 17 Dec 2024 at 13:44:22 (-0600), John Hasler wrote:
> Peter Hillier-Brook writes:
> > the nonsense about not changing them ignores the obvious.
>
> What is that?
>
> > My bank performs security checks by requesting a sub-set of my
> > password. It doesn't take a genius to work out that after
> > several visits the complete password can be deduced.
>
> Sounds like a reason to find a new bank, in the meantime changing your
> password after every such request. Surely they can't be hashing the
> passwords properly if that practice is of any use.

I don't know which bank this is meant to be, nor whether "visit"
includes visiting a branch in person (which seems unlikely).

But I will point out that for Lloyds Bank at least, the subset
requested is of your "memorable information", not your password.
This challenge comes only /after/ the username and password have
been correctly entered, and is followed by yet another factor,
a random code number delivered by a phone call.

As you have to select the subset from some listboxes with a mouse,
I would guess that the step is designed to defeat key-logging.

Cheers,
David.
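
The hashing point raised in the quoted reply, as an added example that is not part of the original message: a salted hash over the whole secret cannot check individual characters, so a system that asks for a subset has to store something that can, sketched here as hypothetical per-position hashes. The storage layout, sample secret, alphabet and function names are assumptions and do not describe any bank's actual system.

```python
import hashlib, hmac, os, string

ALPHABET = string.ascii_lowercase + string.digits  # assumed character set
SECRET = "tangerine7"                               # constructed sample value

def kdf(data: bytes, salt: bytes) -> bytes:
    # Iteration count kept low so the demo runs quickly; real systems use far more.
    return hashlib.pbkdf2_hmac("sha256", data, salt, 2_000)

def enroll_whole(secret):
    """Conventional storage: one salt and one hash over the entire secret."""
    salt = os.urandom(16)
    return salt, kdf(secret.encode(), salt)

def check_whole(record, attempt):
    """Only a complete attempt can be checked; single characters cannot."""
    salt, digest = record
    return hmac.compare_digest(kdf(attempt.encode(), salt), digest)

def enroll_per_position(secret):
    """Hypothetical layout able to answer 'give me characters i, j, k'."""
    records = []
    for ch in secret:
        salt = os.urandom(16)
        records.append((salt, kdf(ch.encode(), salt)))
    return records

def check_subset(records, answers):
    """answers maps a 0-based position to the character the user selected."""
    ok = True
    for pos, ch in answers.items():
        salt, digest = records[pos]
        ok &= hmac.compare_digest(kdf(ch.encode(), salt), digest)
    return ok

def audit_per_position(records):
    """Storage audit: each record has only len(ALPHABET) candidates, so a
    copy of the stored values yields the whole secret in a few hundred tries."""
    tries, recovered = 0, ""
    for salt, digest in records:
        for ch in ALPHABET:
            tries += 1
            if hmac.compare_digest(kdf(ch.encode(), salt), digest):
                recovered += ch
                break
    return tries, recovered

if __name__ == "__main__":
    print(audit_per_position(enroll_per_position(SECRET)))
```

The slow KDF and per-record salts do not help the per-position layout, because the search space of each stored value is the size of the alphabet rather than the size of the secret.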