TD Canada Trust password policy fail

My browser was behaving strangely when I tried to log in to the TD Canada Trust online banking server, so just to be paranoid I decided to change my password using another machine.  I then realized that it was just me being dumb – my user agent was set to IE as I had been testing something earlier.  Oops!

However, it did all lead me to discover this gem, an epic failboat of a password policy:

When changing your password, please remember that it must be between 5 and 8 characters in length and should contain both letters and numbers. Special characters (e.g. #, &, @) must not be used as they will not be accepted by the system. Passwords consisting of all letters or all numbers are not recommended. Although TD Canada Trust does not require you to change your password, we recommend that for security purposes you change your password every 90 days.

Okay, wtf people.  5-8 characters seems awfully permissive, and doesn’t let me put in a nice long password… but not requiring numbers and letters?  Just recommending it?  And their system doesn’t support punctuation in passwords?  Yeesh.

It gets worse.  I decided to play around with it, and was able to change my password to the following:

  • foobar
  • 12345
  • 11111
  • aaaaa
  • the first 5 characters of my bank card number (which is the username when one logs in, and is common to many TD customers).
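As an added illustration (this is not code from the post, and nothing here reflects TD's actual implementation), the following encodes the quoted policy as a validator and puts a hardened validator beside it. The card number, the tiny common-password list and the thresholds (12-character minimum, four-character username overlap) are all constructed assumptions for the example; a real deployment would check against a breached-password corpus rather than a six-entry set.

```python
import re

# Constructed example username: the post says TD's login ID is the bank card
# number, so one of the accepted passwords was its first five digits.
# This number is made up for the example.
CARD_NUMBER = "4520123456789012"

# Stand-in for a real breached-password list; constructed for this example.
COMMON_PASSWORDS = {"foobar", "12345", "11111", "aaaaa", "password", "qwerty"}


def td_policy_accepts(password: str) -> bool:
    """The policy as quoted: 5 to 8 characters, letters and digits only.
    Mixing letters and digits is only 'recommended', so it is not enforced."""
    return re.fullmatch(r"[A-Za-z0-9]{5,8}", password) is not None


def is_repeated_char(password: str) -> bool:
    """True for 11111, aaaaa, and any other single repeated character."""
    return len(set(password)) == 1


def is_sequential(password: str) -> bool:
    """True for runs like 12345, abcde or 54321 (every step is +1 or -1)."""
    if len(password) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps == {1} or steps == {-1}


def shares_prefix_with_username(password: str, username: str, n: int = 4) -> bool:
    """Reject a password containing any n consecutive characters of the username
    (catches 'first 5 digits of the card number' and similar)."""
    for i in range(len(username) - n + 1):
        if username[i:i + n] in password:
            return True
    return False


def hardened_policy_check(password: str, username: str) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    The thresholds below are this example's own choices, not TD's."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if len(password) > 128:
        problems.append("longer than 128 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if is_repeated_char(password):
        problems.append("single repeated character")
    if is_sequential(password):
        problems.append("sequential characters")
    if shares_prefix_with_username(password.lower(), username.lower()):
        problems.append("contains part of the username")
    return problems


if __name__ == "__main__":
    # The five passwords the post reports as accepted, plus one decent passphrase.
    for pw in ["foobar", "12345", "11111", "aaaaa", CARD_NUMBER[:5], "Orange-Tractor-17!"]:
        print(f"{pw!r:22} quoted policy: {td_policy_accepts(pw)!s:5} "
              f"hardened: {hardened_policy_check(pw, CARD_NUMBER) or 'OK'}")
```

Note that the quoted policy accepts every one of the five weak passwords and rejects the long passphrase outright (too long, contains punctuation), which is the inversion the post is complaining about; the hardened check does the opposite.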

Obviously I’ve changed the password to one which is as secure as I can make it given their crappy constraints, but it really angers me that the fees I pay them are funding this kind of asinine security policy.  It almost makes me want to go through the hassle of switching banks… but I’m sure the others all have similar issues on one level or another.

Some days, though, this industry just makes me want to set things on fire – today is one of those days.

-Leigh

2 thoughts on “TD Canada Trust password policy fail”

  1. I use BMO and really enjoy their online banking service – their authentication is so strong that it always takes me a few tries to actually log in! But want to know the best part? Their customer service rocks.

    Every other chartered bank I have done business with could learn from them.

  2. I just thought of this post today in relation to an experience I had this morning, so I had to comment. We had a visitor from the US in the office today and they were going on about how some US banks have implemented “special security” to allow clients to identify possible phishing. He showed me one of the standard emails he receives from his bank regularly as an example, and sure enough there was a little blue box at the top of the message, called a “security zone”, that had his name and the last 4 digits of his debit card in it – along with a message on the bottom explaining what the “security zone” is.

    When I looked at the source of the email, however, the “security zone” was written in plain html! Including the name and numbers! There wasn’t even an effort to disguise the information. So their idea of fighting fraud is to beam the customer’s full name and partial debit number across the internet via POP.
