We have all seen horrifying security decisions made by friends, coworkers, family, and businesses. Share the ones that keep you up at night! The spookiest ones will be highlighted during a special Halloween vault hours on October 31st.
A former schoolmate told everyone he knew his debit card PIN.
His reasoning: “So if I forget it, there is a high chance someone is around who knows the PIN”.
I have family members that literally use the SAME password for all of their online accounts — and the password is not even a good one if used in only one place. I couldn’t sleep at night in that scenario.
He sends the password by email to his own email address so that he can quickly find this password in an email in his email program.
Phuuuu ….
Password policies on most Spanish banks are a joke (a bad one).
This is BBVA, one of the biggest ones:
6 characters maximum (yes! SIX!) and NO symbols.
CaixaBank (another one of the biggest):
10 chars max.
They provide recommendations about choosing a good password. But they don’t let you follow many of them (using two-step verification being one of the most blatant ones).
Funniest of all is that they recommend using password managers, but to log in to the CaixaBank website, until 4 or 5 years ago, they forced you to use an onscreen keyboard that made that impossible (to prevent keyloggers, they said).
OpenBank (Santander’s online subsidiary), until last year (that’s when I cancelled my account with them) forced you to use a 4 digit numeric pin as a password.
They all say they care about their customers’ security, but that’s a lie. They only care that their customers don’t forget their password and make the bank employees have to provide a new one to them.
None of the Spanish banks I know/have used lets you protect your account with 2SV.
Looks like it’s actually only six characters maximum for BBVA? That would make the max entropy 31–36 bits (depending on whether the password is case sensitive or not…). Makes you wonder if they even bother with hashing the stored passwords!
Yeah, I had just edited my post.
The entropy on OpenBank’s is even worse: 13 bits (thirteen!).
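The bit counts quoted in this exchange can be checked directly. The following is an added example, not code from anyone in the thread: it computes the size of the keyspace each described policy allows and converts it to bits. Alphabet sizes are assumptions (26 letters plus 10 digits, doubled when case matters); CaixaBank’s character set is not stated above, so letters plus digits is assumed for it too.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """A bank's password rules as described in the thread (alphabet sizes assumed)."""
    name: str
    alphabet: int   # number of distinct characters a user may choose from
    min_len: int
    max_len: int


def keyspace(policy: PasswordPolicy) -> int:
    """Total number of passwords the policy permits, over every allowed length."""
    return sum(policy.alphabet ** k for k in range(policy.min_len, policy.max_len + 1))


def entropy_bits(policy: PasswordPolicy) -> float:
    """Maximum entropy a user can get under the policy, in bits (log2 of the keyspace)."""
    return math.log2(keyspace(policy))


def seconds_to_exhaust(policy: PasswordPolicy, guesses_per_second: float) -> float:
    """Time to try every permitted password at a given guess rate, e.g. for an
    offline attack on a leaked hash database. Online login rate limits are a
    separate control and are not modelled here."""
    return keyspace(policy) / guesses_per_second


# Policies as described in the posts above; alphabet sizes are assumed.
BBVA_CASE_INSENSITIVE = PasswordPolicy("BBVA, 6 chars, letters+digits, case-insensitive", 36, 1, 6)
BBVA_CASE_SENSITIVE = PasswordPolicy("BBVA, 6 chars, letters+digits, case-sensitive", 62, 1, 6)
CAIXABANK = PasswordPolicy("CaixaBank, 10 chars max (alphabet assumed)", 62, 1, 10)
OPENBANK_PIN = PasswordPolicy("OpenBank, 4-digit numeric PIN", 10, 4, 4)
COMDIRECT_PIN = PasswordPolicy("Comdirect, 6-digit numeric password", 10, 6, 6)


def report(policies=(BBVA_CASE_INSENSITIVE, BBVA_CASE_SENSITIVE, CAIXABANK, OPENBANK_PIN, COMDIRECT_PIN)):
    """Return (name, bits) pairs so the numbers in the thread can be compared."""
    return [(p.name, round(entropy_bits(p), 1)) for p in policies]


if __name__ == "__main__":
    for name, bits in report():
        print(f"{bits:5.1f} bits  {name}")
```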
One of the biggest banks or jokes?
Well, not to start a discussion about passwords for a bank. I am a customer of the German Comdirect bank and … The username has 8 digits (just numbers, yes!), and the password 6 digits (again numbers only). I remember there was once a bigger discussion about these simple “values” in their forum, but support said that, in case there is a log-in from an unknown device, the TAN app needs to get activated to confirm (manually) the access to the private banking page. Yes, and almost every action needs a confirmation through this app. I asked why not offer the possibility to add letters or signs - nope.
A “genius” friend decided to get a tattoo of their only password so they would never forget it. The flaw in their master plan was tattooing their knuckles - now they can see it easily, and so can everyone else.
… and they probably now can only change their only password when they change their tattoo, too?! Brilliant!
Hopefully they did something like “mom” so that to the rest of the world, it looks like “wow”.
It’s ok though, they’ll rate limit to one entry attempt possible every 10 minutes.
How about people who think 2FA via an Authenticator App (like Ente, Aegis or 2FAS) is “stealing my data” or will “erase my computer”, and they’d rather go without it and not be “bullied by their phone”.
The last person who told me this was a realtor who, last year, had someone defraud her of $40,000.
Seems like a “good” security practice… this ensures someone can not set their password to “password”, as that is eight characters </s>
That is an effective attention grabber, but without knowing what controls are on the access to the login prompt, one can not tell if this is scary.
When one has defense-in-depth, it does not really much matter if one layer is horrendously weak; they just can not all be weak.
If, for example, it is only usable on the DVR console in the surveillance room, the choice of password is a bit of a nothing-burger.
The Amazon returns processing desk near me has their login printed as a barcode that is labeled as such and taped to the counter in full view of the customer. Right below it is the same thing for the password.
When they give me a receipt, I lay it on said counter, take a picture of the receipt with my phone and ask them to destroy the paper. It would be no big trick for the barcodes to appear in my picture.