I have recently moved to Australia and am adjusting to the Australian
way of life. I signed up for a bank account with WestPac and am pretty
surprised how bad the login to their internet banking site is.
Here is a screenshot of it:
](https://res.cloudinary.com/gregpakes/image/upload/v1439623969/xjgegy6stq5gpc2xkfqy.png){kind=link}
Disclaimer: I am not a security expert and these are only my views.
What is wrong with the login page?
- You can only use the mouse to enter the password by clicking on
the clumsy icons. This is a usability nightmare. It is extremely unintuitive. - The password is limited to 6 characters. Exactly 6 characters. Why
have they done this? You don't need to be an expert to know that this limits password entropy and results in weak passwords. NB. I know it is limited to 6 characters because when I signed up it said so and if you try and enter more, it just stops working. - The password is clearly not case sensitive.
- The password character set is limited to A-Z and 0-9. This excludes
all "special" characters, again reducing the strength of the password. - The password is clearly visible to anyone looking at the screen. At
least with a keyboard, some of the keys are obscured by the users hands.
If we briefly compare this to the bank I use in the UK, Nationwide.
Nationwide has two ways to login.
- Memorable data (they are trying to phase this out)
- 2 Factor using the card reader (requires you to have your bank card)
Memorable data requires you to have 3 pieces of information.
- Customer Number
- Memorable data (a password of your choice)
- 3 random digits from a 6 digit pin number
The 2 factor login using the card reader requires the following:
- Customer number
- The card reader and your bank card
At a glance this seems much more secure.
I do not really know what Westpac are thinking with this login form. I
would love to hear other people's views on this, especially if they
differ from mine.