Since 2010

NAB's password policy

Monday 25 June 2012

“Change Internet banking password” has been on my todo list for a long time, because I’ve always had this niggling feeling that it wasn’t very secure. It didn’t have any special characters, and it was quite short in length.

So I steered by browser towards NAB’s homepage, logged in, and found the functionality I was after.

And then I saw this:

Your new Internet Banking Password must be between 6 and 8 characters in length and consist of a combination of letters and numbers (e.g. 1acb1234).

What. The. Ho? This isn’t Weatherzone, where it’s cute to create an account so the temperature is always displayed in Kelvin instead of Celcius, this is an Internet banking site. A password of just eight alphanumeric characters doesn’t cut the mustard these days. Are you listening NAB? It’s people’s money. My money. Savings. Credit cards.

Update 2012-06-26

Spotted on The Register today, in a story about a breach of user passwords at eHarmony:

…more than 1.2 million passwords were cracked in 72 hours, using three NVIDIA GPUs…