Hacker News new | past | comments | ask | show | jobs | submit login

you mean like only allowing 6-digit passwords without symbols?



Six-digit passwords are fairly secure when combined with strict limits on the number of attempts allowed, how much money can be withdrawn in one day, and heuristic fraud detection.


But is there any good reason to forbid users from choosing longer, more secure passwords while still limiting the number of attempts and doing heuristic fraud detection? You know, other than that sixty year old legacy system that stores your passwords in clear text and doesn't support any other format than six digits?


Card terminals only have numbers. Not planning to ship them with a full keyboard. That's a good reason to only take numbers.


Not to mention that Indo-Arabic digits are almost universal, other characters are not. Picture a chinese or armenian with a password that uses characters from their respective alphabets trying to type it on each other's ATMs.


That seems like a pretty good reason already.


If the consequence of my account being compromised is the bank adjusting the numbers in the ledger back then the bank are welcome to enforce such rules.

If a bank said that customers were responsible for the money stored in the bank and that the bank could not undo transactions (from the POV of the genuine client) then we'd be demanding much stronger banking passwords.


Actually getting tens-hundreds of millions out of the traditional banking system is _hard_. Transactions can always be reversed, and you'll never pull out millions in cash without some serious questions asked.


The exchanges can just change a couple numbers in their database and reverse the hack... r-right?


Yes, if people accept fractional reserve banking for bitcoin. I'd actually assume that's how most exchanges operate under the hood but many people who buy into bitcoin for ideological reasons won't accept that.

A consequence of making that formal is that the total owned amount of bitcoin would be more than 21m, because the hacker would own bitcoin and the users would own bitcoin on the exchange.

As long as there isn't a bank run, that discrepancy would not be a problem, but it would deflate the currency, also seen as unacceptable to bitcoin purists.

edit: access -> accept.


That policy may appear unwise, but to judge banks' security, there is enough evidence available without resorting to any such theoretical model of what's secure and what's not.

And that evidence is pretty clear. I do not remember any hacking incidents resulting in large-scale losses to consumer, so they seem to be doing something right.


This would be a significant vulnerability if bank customers were sophisticated at security, and if those passwords were the only input into their fraud detection systems.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: