Bank Changes Man's Password After They Realize It Insults Them

from the encrypted-passwords? dept

Usually, when you’re dealing with a bank, they encrypt your passwords so that no one else can read them. However, apparently that isn’t always the case — and this allowed an employee at Lloyds TSB to change the password of one member from “Lloyds is pants” to “no it’s not”. The customer actually found the story to be amusing — but it does seem slightly troubling that the bank, for whatever reason, was reviewing and changing a customer’s password. They also forbade him from switching the password to “Barclays is better” and “censorship.” Lloyds has apologized, and said the employee in question no longer works for the firm. It also explains why the guy was able to see the password in the first place by noting that on certain business accounts with multiple users, account reps can read the password. This seems pretty weak, though. If it’s a business account with multiple users, why not let each user set up their own username and encrypted password? Also, it’s still not explained why the guy was looking at users’ passwords in the first place.

Companies: lloyds tsb


Comments on “Bank Changes Man's Password After They Realize It Insults Them”

Enrico Suarve says:

Re: Re: Password

Exactly how does Mike propose that this be encrypted?

By using the common (and, as far as I am aware) industry standard method of only asking for certain letters from your password

Usually, with other banks you ring up and the computer picks two or three letters at random from your password, displays them to the agent, who asks you, for example, to confirm letters 1, 5 and the last letter

The agent is able to verify you over the phone and does not get to see the entire password

This part I am surmising, but I would imagine additional checks are put in place to ensure individual agents do not attempt to access the same account enough times to get the entire password, and flag if they do

Clarence says:

Good point

Why was this guy even able to see passwords to financial accounts? Sounds to me like this Lloyd’s place might be a hacker’s dream and I’m sure that if their system has not been updated immediately that they will be in the news again very soon… like after some hacker breaks into it and steals some customer information, data, money, etc.

I mean, if their system is so slipshod that the password field is not encrypted in the first place then how good could the rest of the database design be?

Jaqenn says:

I don’t think this is as rare as you think it is (although I agree that it is stupid). I’ve worked at a web hosting company which stored your password unencrypted, and would use it to verify your identity over the phone.

Admittedly, that’s a small time web hosting company. But I can also attest from looking over the shoulder of my local Sprint representative that when I’m asking them questions about my account, their billing system shows them my password in plain text and requests that I recite it to them for verification.

That was in summer 2007, and they did have a huge billing system revamp earlier this year, so perhaps that particular insecurity has been dropped.

Accountant says:

I used a very insulting, nasty password at a bank when I was mad at them for screwing up my online access for the third time. Of course they could not see it, but it felt sooo good to have that as my password; every time I logged on I could tell them where to go. As soon as my loan with them was paid off I left them and have never been back. Over the years I moved two businesses I was CFO of from their bank to a competitor.

Jacob says:

Verbal verification

How is it possible to justify non-encryption of passwords by saying it is needed to be unencrypted for verbal verification? All the passwords have to be encrypted somehow, so take said encryption scheme – use it to encrypt the response of the user – and compare the stored and new value. Where does this sound familiar? Maybe every login form used with the billions++ of encrypted passwords on the web?

Pete Austin says:

Security 101

@noob: The bank employee to whom you tell your password does NOT need to see the password, and the bank does NOT need to store unencrypted passwords.

The employee should type the password into a form, which encrypts it, compares that version against an encrypted version stored by the bank, and reports whether the password is good. Likewise if the system is that you tell the bank just part of your password.

Any system that stores or displays unencrypted passwords is not secure.
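Enrico Suarve's partial-password challenge and Pete Austin's type-it-into-a-form-and-compare approach can be combined; the following is an added example (not Techdirt's or any bank's code) of a verifier that stores one keyed tag per character subset, so the agent's screen shows only the positions to ask for and never the password, together with the coverage check Enrico guesses at. The `enrol`, `verify` and `AgentCoverageMonitor` names, the three-character challenge and the 50% flagging threshold are assumptions.

```python
import hashlib
import hmac
import itertools
import os
from collections import defaultdict

# Constructed example of phone verification that never stores or shows the
# whole password: at enrolment every 3-position subset is tagged with an HMAC
# under a per-account key, the agent's screen shows only the positions the
# system picked, and the spoken characters are tagged and compared.
# Positions are 0-based here; an agent's screen would show them 1-based.
PICKS = 3

def _subset_tag(key: bytes, positions: tuple, chars: str) -> bytes:
    # Bind characters to their positions so the same letters at other
    # positions do not match.
    msg = ",".join(map(str, positions)).encode() + b"|" + chars.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def enrol(password: str) -> dict:
    # Hypothetical account record: per-account key plus one tag per subset.
    key = os.urandom(32)
    tags = {}
    for positions in itertools.combinations(range(len(password)), PICKS):
        chars = "".join(password[p] for p in positions)
        tags[positions] = _subset_tag(key, positions, chars)
    return {"key": key, "length": len(password), "tags": tags}

def verify(record: dict, positions: tuple, answer: str) -> bool:
    # positions must be a challenge the system issued, never agent-chosen.
    expected = record["tags"].get(tuple(positions))
    if expected is None or len(answer) != len(positions):
        return False
    actual = _subset_tag(record["key"], tuple(positions), answer)
    return hmac.compare_digest(expected, actual)

class AgentCoverageMonitor:
    """Flags an agent whose challenges against one account, taken together,
    would reveal more than max_fraction of that account's password."""

    def __init__(self, max_fraction: float = 0.5):
        self.max_fraction = max_fraction
        self.revealed = defaultdict(set)  # (agent, account) -> positions seen

    def record(self, agent: str, account: str, positions: tuple, length: int) -> bool:
        seen = self.revealed[(agent, account)]
        seen.update(positions)
        return len(seen) / length > self.max_fraction  # True means flag it
```

A single one-way hash of the full password, which is all a login form needs, cannot answer a three-letter challenge, which is why partial-password schemes need per-subset tags like these or reversible encryption inside an HSM. Three characters are cheap to guess offline, so the per-account key must not sit beside the tags in the same database.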

Mike (profile) says:

Re: Pants?

pants Noun/Adj. Nonsense, rubbish, bad. From the standard British English of pants, meaning underwear; also a variation on ‘knickers’. E.g. ”The first half was pants but I stayed until the end and it was actually a great film.” [1990s]
Exclam. An exclamation of annoyance or frustration. From the noun, (above).
