Can somebody solve this puzzle?

Matriks404 , 37 minutes ago

Your Internet Banking Password should one special character (~!@#%^&*)

Great grammar on their part.

addie , 3 hours ago

Well now. When we’ve been enforcing password requirements at work, we’ve had to enforce a bizarre combination of “you must have a certain level of complexity”, but also, “you must be slightly vague about what the requirements actually are, because otherwise it lets an attacker tune a dictionary attack against you”. Which just strikes me as a way to piss off our users, but security team say it’s a requirement, therefore, it’s a requirement, no arguing.

“One” special character is crazy; I’d have guessed that was a catch-all for the other strange password requirements:

• can’t have the same character more than twice in a row
• can’t be one of the ten-thousand most popular passwords (which is mostly a big list of swears in russian)
• all whitespace must be condensed into a single character before checking against the other rules

We’ve had customers’ own security teams asking us if we can enforce “no right click” / “no autocomplete” to stop their users in-house doing such things; I’ve been trying to push back on that as a security misfeature, but you can’t question the cult thinking.

Wizard_Pope , 47 minutes ago

Why do they think no copy paste is safer?

xmunk , 5 hours ago

It’s fucking insane that an internet banking portal has such a low cap on max characters and such shitty rule enforcement.

stoy , 5 hours ago

It is insane that any internet banking portal still uses a static password.

Successful_Try543 , 5 hours ago (edited 3 hours ago)

At least it should not, in many countries must not, be the only measure.
I once encountered an OR in the requirements: Capital letters, small letters and digits OR special characters.

morrowind , 5 hours ago

wdym? What’s a dynamic password?

rtxn , 5 hours ago

Time-based one-time passwords. It’s been used for years for multi-factor authentication.

en.wikipedia.org/…/Time-based_one-time_password

morrowind , 4 hours ago

Yeah, multi factor, that means you still have a regular password as well as the totp.

xmunk , 5 hours ago

A rotating code key - a lot of banks these days will give you a fob to enter a rotating proof of ownership off of along with your password.

stoy , 4 hours ago

A token?

ech , 5 hours ago

They can’t even properly check their copy on critical infrastructure. Top notch work over there, top to bottom.

kirk781 , 5 hours ago

Some internet banking sites give access after only asking for login password. They will only ask for transaction password and OTP (that will only come on phone) later on. Asking for two passwords isn’t necessarily more secure since many people will just reuse their original one again. And OTP instead of offering something like hardware security key is insane.

IsoKiero , 4 hours ago

My bank uses 6 digit ‘customer number’ (which is set by the bank) and that’s verified with an app and a personal PIN (app shows ‘login attempt ABCD at mm.dd. hh:mm’ where ABCD is shown on login page too) or via SMS OTP (again with ‘ABCD’ verification). And again with personal pin + app or OTP to confirm transactions. The app itself can be protected with a fingerprint or phone pin and every new installation needs to be registered to the system, so I can’t just use my phone app to access my wifes account (or anyone elses) but I still can map multiple accounts (like corporate ones) to the same installation.

I think that’s pretty reasonable approach.

Appoxo , 3 hours ago

Reason why I took a hardware tan generator versus using the OTP function of one of their other apps.
Thanks but no, I will use the old crusty method as I know how easy that’s hacked.

stealth_cookies , 5 hours ago

My bank’s password used to have to be exactly 6 characters, no special characters and you could use numbers and letters interchangeably because it was also your phone banking password.

hushable , 3 hours ago

a previous bank used to have a max password length of 8 characters, then proudly announced that they will increase it to 32

Then I made a typo at the end of my password and it let me in anyway, and I realised they were just trimming the first 8 characters to give the illusion of security

Wizard_Pope , 51 minutes ago

That is so insane. To think they would rather just clip the passwords instead of habing it be longer.

Did you try out your hypothesis by using the first 8 letters than just random junk until you hit your password length?

sorter_plainview OP , 5 hours ago

Their desktop site is even more shitty. It won’t allow right click or paste actions. There goes compatibility with password managers.

superkret , 4 hours ago

Bitwarden has a function where it types in (not pastes) the password and shows the prompt for it without right-click.

Appoxo , 3 hours ago

And even if theres an app for Windows (github.com/jlaundry/TypeClipboard) that can type it for you and even has a shortcut.
I am sure someone in the linux world knows an equivalent tool.
We use it at work to paste long passwords when remoting in.

xmunk , 4 hours ago

As a super secret dev hack may I introduce you to shift + insert a fair few sites specifically block ctrl + v instead of properly disabling the clipboard action and, of course, if you read this and then submit a Jira ticket to block shift + insert… well… h8u

sorter_plainview OP , 4 hours ago

Aah… I completely forgot about that. Will try next time. Also yesterday I saw Shift + F10 will show the context menu. Yet to test it on this site.

independantiste , 4 hours ago

I usually to in the developer tools and manually disable the thing preventing the paste action. It’s usually a string to remove some JS or something or an Event that you need to uncheck

xmunk , 4 hours ago

If you’re opening up the dev tools you can also paste your string directly into <input value=“” /> unless something weird is going on.

KairuByte , 4 hours ago

Laughs in blazor

LuycYQ2uUiTjR3yLri , 4 hours ago

You can also drag the password in from another text field instead of pasting

Creat , 1 hour ago

Any password manager should be able to “type in” the password. Or be a browser plugin that doesn’t rely on copy pasting, but use other mechanisms to inject it directly into the field.

But yes, if that’s their online portal, I am not kidding I would change banks.

FiskFisk33 , 4 hours ago

seriously, I’ve never seen a bank with password login to begin with. Every bank i know of uses physical devices that you type a code into

WalrusDragonOnABike , 4 hours ago

Never heard of this. Where is this at? :o

FiskFisk33 , 4 hours ago

Sweden. The little keyfob thingies have been the thing for many decades here, I would guess ever since the dawn of internet banking, but I’d have to ask my parents instead of just assuming. I used to assume that was just normal for banks in the world at large. When you want to log in, the website gives you a code, you type the code into the fob and it responds with another code you type in to the website.

Nowadays they additionally offer login via BankID, a mobile app used throughout Sweden for personal online identification.

WalrusDragonOnABike , 4 hours ago

OTP for 2FA has just started becoming common here (US) within the last decade I think. Each bank has its own separate app and many banks seem to limit password lengths to less than other websites.

Successful_Try543 , 3 hours ago (edited 3 hours ago)

As a German, when living in Sweden, I was (and still am) very impressed, how widespread the use of (Mobile) Bank ID, beside the use of the personal ID number (As a male German, the state has assigned me at least three different ones without requiring any interaction.) for basically everything, is.

In Germany, before introducing a second electronic way of authentication for online (or phone) banking, it was done by a chosen password and a TAN (transaction number) from a list that you regularly got sent by mail in a special envelope. Later it was replaced by that “thingy”, a mobile TAN generator, or push TAN via SMS.

trolololol , 1 hour ago

OMG the special envelope seems to make it specially easier for people to steal just the right mail

Successful_Try543 , 1 hour ago

It was not special from the outside, but from the inside. It was either the envelope or the TAN list that was printed with a special pattern to prevent reading the list by using a flashlight.

Wizard_Pope , 49 minutes ago

I want this so bad now.

Flipper , 2 hours ago

The ERP software I have to use has a strict limit of 6 characters as password. Only alphabet and numbers allowed.

Maybe when I leave I try an SQL injection.

oo1 , 1 hour ago

If >1 special character is not allowed the last check should be failed . The second check is literally satisfied even if there are 2+ specials.

I’d not be using that bank.

Successful_Try543 , 5 hours ago

It says one special character, not at least one. Maybe the password has more than one.

kionite231 , 5 hours ago

You solved the puzzle! here is a cookie for you :D 🍪

Successful_Try543 , 4 hours ago

Yay!

sorter_plainview OP , 5 hours ago

Holy shit!! You did it. I would never expect a banking password to max special characters. I have been scratching my head with Bitwarden and this shitty app for an hour.

FederatedSaint , 4 hours ago

But wouldn’t that mean the bottom checkbox should be cleared and the 2nd one should be checked?

Still doesn’t make sense.

Panda , 4 hours ago

Yes, the 2nd one implies that there should be more than one.

sorter_plainview OP , 4 hours ago

Yeah that’s true. The UI does not accurately represent the validation conditions.

independantiste , 4 hours ago

And the wording is fucking terrible as well

superkret , 4 hours ago

It’s like a Captcha that only lets in autistic people.

tooLikeTheNope , 1 hour ago

Yeah but It still states “A combination of letters, digits and special charaters”

It should then be spelled as “A combination of letters digits, and one special character”

brbposting , 2 hours ago

Good catch.

Also psh, there’s no verb, suggesting the password should be exactly one special character and nothing else.

corsicanguppy , 3 hours ago

Please tell me someone didn’t buy software with ‘atleast’ spelled like that in there. Please, tell me someone tested the web app and had the brains God gave a douglas fir and knew that wasn’t a word; that it was never a word; that the writer’s spell check should have picked that up; that it’s not been over-ruled by stupid so much that it just takes it.

tofubl , 4 hours ago

the password game irl

__init__ , 4 hours ago

If you have to try really hard to meet their password requirements, that’s how you know it’s super secure.

Angry_Autist , 4 hours ago

You are using a special character that is likely reserved internally

superkret , 4 hours ago

It says “one special character”. Not “at least one”.

oh. oh god. what the fuck.

FuglyDuck , 5 hours ago

My guess is they mean, one capital letter, one lower case letter, a number, and a special character

what’s always amused me about these rules is that they exist because people are dumb. Technically, they lower the difficulty of the passwords slightly. ( for example, knowning that one character is a number reduces it to 10 options in stead of 10+26+26+whatever set of special characters)

anyhow. people should use password managers. just saying.