Lloyds TSB changed the password of computer consultant Steve Jetley from Shrewsbury after he had logged it as "Lloyds is pants". BBC News reported that the bank also stopped him changing his password to "Barclays is better". Apparently Jetley discovered that "Lloyds is pants" had been changed only when he tried to use the bank's telephone service and found his password had become "No it's not". It is good to see that Lloyds TSB takes our password security so seriously. Perhaps Jetley should try "Leave my f**king password alone".
Comments (1)
This story just highlights how most web sites (not just Lloyds) handle passwords. If they can send your password back to you when requested (and even worse, in a clear text email) then someone/something other than you has access to that password. Have a think, just what is that password protecting? Maybe we should always ask how the password is held on the system. The normal practice is via a one-way hash so it cannot be reverse engineered and nobody but you knows it. If you then lose your password they must send you a new expired one (after some challenge and response criteria success) which has to be changed on first use. I can see some repudiation cases being upheld in the distant future. In this case Steve Jetley might just be right as Barclays use PINSentry which effectively gives you an OTP (one time password).
Posted by Jeff Davis | September 5, 2008 11:44 AM
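The storage scheme the commenter describes (a salted one-way hash, with recovery only through a short-lived temporary password that must be replaced on first use) can be shown in a few dozen lines. The example below is added here and is not code from the blog, the commenter, or any bank; the PBKDF2 parameters, the 15-minute lifetime and the in-memory store are assumptions chosen for illustration. A system built this way cannot echo a password back to the customer, because it never holds the plaintext.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 work factor and the
# number of seconds a temporary (reset) password remains usable.
HASH_ITERATIONS = 100_000
TEMP_PASSWORD_TTL = 15 * 60


class PasswordStore:
    """In-memory user store that keeps only salted one-way hashes.

    The plaintext is never retained, so it cannot be emailed back on request;
    the only recovery path is an expiring temporary password that has to be
    changed at first login.
    """

    def __init__(self):
        self._users = {}  # username -> credential record

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, HASH_ITERATIONS
        )

    def register(self, username, password):
        """Store a permanent password as salt + hash; no expiry, no forced change."""
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "must_change": False,
            "expires_at": None,
        }

    def issue_temporary_password(self, username, now=None):
        """Replace the credential with a random, expiring, change-on-first-use value.

        In a real deployment this runs only after the challenge/response step the
        commenter mentions; the returned string is delivered to the user out of band.
        """
        now = time.time() if now is None else now
        temp = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self._users[username] = {
            "salt": salt,
            "hash": self._hash(temp, salt),
            "must_change": True,
            "expires_at": now + TEMP_PASSWORD_TTL,
        }
        return temp

    def login(self, username, password, now=None):
        """Return 'ok', 'change_required' or 'denied'."""
        now = time.time() if now is None else now
        rec = self._users.get(username)
        if rec is None:
            # Hash anyway so unknown and known usernames take similar time.
            self._hash(password, b"\x00" * 16)
            return "denied"
        if rec["expires_at"] is not None and now > rec["expires_at"]:
            return "denied"  # temporary password has expired
        if not hmac.compare_digest(rec["hash"], self._hash(password, rec["salt"])):
            return "denied"
        return "change_required" if rec["must_change"] else "ok"

    def change_password(self, username, old_password, new_password, now=None):
        """Set a new permanent password after proving the current one; clears the flag."""
        if self.login(username, old_password, now) == "denied":
            return False
        self.register(username, new_password)
        return True


if __name__ == "__main__":
    store = PasswordStore()
    store.register("steve", "Lloyds is pants")
    temp = store.issue_temporary_password("steve")
    print(store.login("steve", temp))  # change_required
    print(store.change_password("steve", temp, "Barclays is better"))
    print(store.login("steve", "Barclays is better"))  # ok
```

The `now` parameter exists so the expiry logic can be exercised deterministically; production code would simply use the clock. Note that once a temporary password is issued the old permanent password stops working, which is what prevents a stale credential from lingering alongside the reset.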