Westpac
Westpac Australia (a bank, so it’s just all your money they’re protecting) has this dinky little “secure” login page, where you have to hit on-screen buttons to type in your password. I guess it would defeat a keystroke logger, except it’s all JavaScript-based, so you could just hack the JavaScript and get the password from there.
Anyway, the kicker is that the password you use has to be exactly SIX alphanumeric digits, no spaces, no special characters. Six, I kid you not.
At least it’s not done with flash like it used to be.
Editor’s note: I received this update and the second image shortly after the original submission.
Further to the Westpac 6-character ‘virtual keyboard’ debacle: I posted an image of the virtual keyboard page with the 6 character limit highlighted in the code.
Turns out that not only do they think that 6 upper-case letters or numbers is a good enough password, they’re also super proud that they’ve foiled the keyloggers. Here’s their reply to my email to them:
Dear XXXXX
Thanks for your query about why our passwords are 6 characters long for Westpac Online Banking. We believe that 6 characters is an appropriate length to protect and authenticate your online activity.
Making passwords longer or more complex won’t prevent keylogging, which is a fraudulent way of capturing passwords by recording what you type into your computer.
We created the onscreen keypad to minimise the risk of keylogging and other types of fraud.
…Just as long as those fraudsters never work out how to read the JavaScript that runs the whole thing. Then we’d be fucked. But what are the odds that that’s ever going to happen?