Autofill specific substring places of a password (example: ING bank login page)

I have an account at ING bank, and they have a very annoying security system. Instead of requesting a password, they ask for a few random characters from my password.

In the picture above you can see how it looks.

To log in I have to pick correct letters from my password, and insert them.

This is very annoying when I have a strong password, and even for a simple password like a sentence, it just does not fit me.

I was wondering if you could provide some sort of dialog for the browser extension, to copy a single letter from the password?

Or even better, the browser does not prevent pasting data into the fields, so maybe if I could tell Bitwarden that I want to fill the password field by field with a single letter and pass the letters I need, it could autofill it for me.

Honestly ING should just throw out this scheme instead. It’s obviously ridiculous and I don’t think the time and added complexity to support these sorts of things is worth it from Bitwarden’s point of view. I really can’t think of any other scenario where you’d want to get a certain character from your password.
This isn’t just problematic for people with password managers, but also for people who memorize their passwords. Especially so, in fact.

I have changed the topic to reflect a clear request - but I personally have to agree - and hope - that this is not a new “fad” in security 🙂

I understand that this is a very specific case, and I also think that ING should stick with TFO instead of this nonsense.

Could you at least point me to the simplest solution?

I was wondering about some sort of script, but I do not know how to write one, that would run in the browser, and that could autofill forms (possibly read the loaded web page, and determine the needed letters?). I could then copy the full password from the vault, and pass it to the script, which would autofill it for me.
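A sketch of the kind of script described in the post above, added here as an example; it is not part of the original thread and not Bitwarden's or ING's code. The `data-position` attribute and the function names are assumptions, since the thread does not show how the real form marks which character each field expects.

```javascript
// Added example: the page markup here is an assumption, not ING's real form.
// Assumed: each challenge input carries its 1-based password position in a
// hypothetical data-position attribute, e.g. <input data-position="3">.

// Return the characters at the requested 1-based positions.
// Array.from splits by code point, so a non-BMP character counts as one position.
function pickCharacters(password, positions) {
  const chars = Array.from(password);
  return positions.map((pos) => {
    if (!Number.isInteger(pos) || pos < 1 || pos > chars.length) {
      // Report the position only; never put the password in an error message.
      throw new RangeError(`position ${pos} is outside 1..${chars.length}`);
    }
    return chars[pos - 1];
  });
}

// Fill every challenge input found under `root` (a Document or form element).
// Returns the positions that were filled, in page order.
function fillPartialPassword(root, password, selector = 'input[data-position]') {
  const fields = Array.from(root.querySelectorAll(selector));
  const positions = fields.map((f) => Number.parseInt(f.dataset.position, 10));
  const chars = pickCharacters(password, positions); // validates before any write
  fields.forEach((field, i) => {
    field.value = chars[i];
    // Scripted pages often react to the input event rather than reading .value.
    if (typeof Event === 'function' && typeof field.dispatchEvent === 'function') {
      field.dispatchEvent(new Event('input', { bubbles: true }));
    }
  });
  return positions;
}
```

All positions are validated before any field is written, so a mismatch between the password length and the requested positions leaves the form untouched.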

Good question - that would take some research into what type of inputs, scripts, etc. that ING is using.

Perhaps a post over to the user-to-user support may find someone with a similar issue who could assist with the script?

what even is the benefit of this from a security perspective? this does not seem to be an anti-robot measure, because, as the discussion above shows, the implementation of a script could relatively easily pass this. it is not adding security, as far as i can tell, beyond increasing the processing required. if someone has gained illicit access to your password they have your password, even if it is just on the clipboard, and they can thus complete the challenge to gain entry.

so i must be missing something, because i doubt the people at a major banking institution are complete dunderheads when it comes to security and privileged access. so they must have a reason.

Well, I think that it covers a scenario where someone is looking at the keyboard while you type the password. In that case you can insert only the requested characters from the password, and someone who stands next to you does not have the full password even if he had seen what you typed.

I do not know the statistics, but I would suspect that this approach is a little better for people who do not use password managers, because the password needs to be sufficiently long, and those people usually type the password by hand. On the other hand, in the group of people that this scheme is targeted at, a lot of them would pick quite a simple password that would be easy to guess given a few significant letters and some background context about the user. Therefore, I think that it is not such a great security feature. But this is only my speculation, and every bank can have its own security protocols.
I did not hear that ING had any security issues, so it has to work for them.