Bank Changes Man's Password After They Realize It Insults Them

from the encrypted-passwords? dept

Usually, when you're dealing with a bank, they encrypt your passwords so that no one else can read them. However, apparently that isn't always the case -- and this allowed an employee at Lloyds TSB to change the password of one member from "Lloyds is pants" to "no it's not". The customer actually found the story to be amusing -- but it does seem slightly troubling that the bank, for whatever reason, was reviewing and changing a customer's password. They also forbade him from switching the password to "Barclays is better" and "censorship." Lloyds has apologized, and said the employee in question no longer works for the firm. It also explains why the guy was able to see the password in the first place by noting that on certain business accounts with multiple users, account reps can read the password. This seems pretty weak, though. If it's a business account with multiple users, why not let each user set up their own username and encrypted password? Also, it's still not explained why the guy was looking at users' passwords in the first place.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: changing, cleartext, insults, password
Companies: lloyds tsb


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Michael Foord, 28 Aug 2008 @ 1:52pm

    Password

    It was probably his verbal password that this is referring to. When speaking to banks on the phone (in the UK) you use a verbal password that you set when you open the account. The person you are speaking to needs to know the password in order to verify it - it is not part of an automated system...

    link to this | view in thread ]

  2. identicon
    Clarence, 28 Aug 2008 @ 1:52pm

    Good point

    WHy was this guy even able to see passwords to financial accounts. Sounds to me like this Lloyd's place might be a hacker's dream and I'm sure that if their system has not be updated immediately that they will be in the news again very soon... like after some hacker breaks into it and steals some cutsomer information, data, money, etc.

    I mean, if their system is so slipshod that the password field is not encrypted in the first place then how good could the rest of the database design be?

    link to this | view in thread ]

  3. identicon
    Jaqenn, 28 Aug 2008 @ 1:53pm

    I don't think this is as rare as you think it is (although I agree that it is stupid). I've worked at a web hosting company which stored your password unencrypted, and would use it to verify your identity over the phone.

    Admittedly, that's a small time web hosting company. But I can also attest from looking over the shoulder of my local Sprint representative that when I'm asking them questions about my account, their billing system shows them my password in plain text and requests that I recite it to them for verification.

    That was in summer 2007, and they did have a huge billing system revamp earlier this year, so perhaps that particular insecurity has been dropped.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 28 Aug 2008 @ 2:23pm

    But Lloyds IS pants. Geesh everyone knows that!

    link to this | view in thread ]

  5. identicon
    Overcast, 28 Aug 2008 @ 2:34pm

    Think I would have changed it to "Closing My Account" :)

    link to this | view in thread ]

  6. identicon
    Accountant, 28 Aug 2008 @ 2:37pm

    Passwords

    I used a very insulting, nasty password at a bank when I was mad at them for screwing up my online access for the third time. Of course they could not see it, but it felt sooo good to have that as my password; every time I logged on I could tell them where to go. As soon as my loan with them was paid off I left them and have never been back. Over the years I moved two businesses I was CFO of from their bank to a competitor.

    link to this | view in thread ]

  7. identicon
    Jacob, 28 Aug 2008 @ 2:40pm

    Verbal verification

    How is it possible to justify non encryption of passwords by saying it is needed to be unencrypted for verbal verification? All the passwords have to be encrypted some how, so take said encryption scheme - use it to encrypt the response of the user - and compare the stored and new value.. Where does this sound familier? Maybe every login form used with the billions++ of encrypted passwords on the web?

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 28 Aug 2008 @ 5:13pm

    Hahahaha!

    After several frustrating episodes with my university's html email service, I changed my password to something similar to "this university sucks balls" and it was the only password the system would accept after several of the common passwords I use were rejected as "not unique".

    link to this | view in thread ]

  9. identicon
    Eric the Grey, 28 Aug 2008 @ 5:25pm

    This tells me one thing...

    Never bank with Loyds TSB, assuming I ever wanted to...


    EtG

    link to this | view in thread ]

  10. identicon
    n00b, 28 Aug 2008 @ 7:50pm

    Re: Password

    Exactly. This isn't a website password. The article even says that it's the telephone banking password. It's a passphrase that you say to a customer service person on the other end of the line for confirmation.

    Exactly how does Mike propose that this be encrypted?

    link to this | view in thread ]

  11. identicon
    And What is Your Point ?, 28 Aug 2008 @ 8:13pm

    Re: Re: Password

    "Exactly how does Mike propose that this be encrypted?"

    And a clear text passphrase is good security ?
    What types of financial transactions are "protected" in this manner ?

    link to this | view in thread ]

  12. identicon
    Michael Foord, 29 Aug 2008 @ 12:21am

    Re: Verbal verification

    The encryption used to store it is irrelevant - if you are verifying a password with another human that human needs to be able to access it in an unencrypted form. How it is stored is irrelevant if this particular type of weak verification is based on a shared secret.

    link to this | view in thread ]

  13. identicon
    Enrico Suarve, 29 Aug 2008 @ 1:32am

    Re: Re: Password

    Exactly how does Mike propose that this be encrypted?

    By using the common (and as far as I aware) industry standard method of only asking for certain letters from your password

    Usually, with other banks you ring up and the computer picks 2 or three letters at random from your password, displays them to the agent who asks you, for example to confirm letters 1, 5 and the last letter

    The agent is able to verify you over the phone and does not get to see the entire password

    This part I am summising but I would imagine additional checks are put in place to ensure individual agents do not attempt to access the same account enough times to get the entire password and flag if they do

    link to this | view in thread ]

  14. identicon
    Pete Austin, 29 Aug 2008 @ 4:00am

    Security 101

    @noob: The bank employee to who you tell your password does NOT need to see the password and the bank does NOT need to store unencrypted passwords.

    The employee should type the password into a form, which encrypts it, compares that version against an encrypted version stored by the bank, and reports whether the password is good. Likewise if the system is that you tell the bank just part of your password.

    Any system that stores or displays unencrypted passwords is not secure.

    link to this | view in thread ]

  15. identicon
    Sos, 29 Aug 2008 @ 4:02am

    Thats the first time ive ever heard of anything like that. In the case of a forgotten password its usually second or third factor authentication like a series of passphrases or an RSA token.

    link to this | view in thread ]

  16. identicon
    John Delaney, 29 Aug 2008 @ 1:26pm

    I never knew that calling something "pants" was an insult to be honest.

    link to this | view in thread ]

  17. identicon
    Rabbit, 1 Sep 2008 @ 5:19pm

    Pants?

    so, call me a dumb American, but how is "Pants" offensive?
    I always thought that the definition of that word meant; "an outer garment covering each leg separately and usually extending from the waist to the ankle - usually used in plural".
    So in the UK, does it also mean something different?

    link to this | view in thread ]

  18. icon
    Mike (profile), 1 Sep 2008 @ 5:50pm

    Re: Pants?

    http://www.peevish.co.uk/slang/p.htm

    pants Noun/Adj. Nonsense, rubbish, bad. From the standard British English of pants, meaning underwear; also a variation on 'knickers'. E.g."The first half was pants but I stayed until the end and it was actually a great film." [1990s]
    Exclam. An exclamation of annoyance or frustration. From the noun, (above).

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.