TD Canada Trust password policy fail

My browser was behaving strangely when I tried to log in to the TD Canada Trust online banking server, so just to be paranoid I decided to change my password using another machine.  I then realized that it was just me being dumb – my user agent was set to IE as I had been testing something earlier.  Oops!

However, it did all lead me to discover this gem epic failboat of a password policy:

When changing your password, please remember that it must be between 5 and 8 characters in length and should contain both letters and numbers. Special characters (e.g. #, &, @) must not be used as they will not be accepted by the system. Passwords consisting of all letters or all numbers are not recommended. Although TD Canada Trust does not require you to change your password, we recommend that for security purposes you change your password every 90 days.

Okay, wtf people.  5-8 characters seems awfully permissive, and doesn’t let me put in a nice long password… but not requiring numbers and letters?  Just recommending it?  And their system doesn’t support punctuation in passwords?  Yeesh.

It gets worse.  I decided to play around with it, and was able to change my password to the following:

  • foobar
  • 12345
  • 11111
  • aaaaa
  • the first 5 characters of my bank card number (which is the username when one logs in, and is common to many TD customers).

Obviously I’ve changed the password to one which is as secure as I can make it given their crappy constraints, but it really angers me that I’m paying through the fees I pay them for this kind of asinine security policy.  It almost makes me want to go through the hassle of switching banks… but I’m sure the others all have similar issues on one level or another.
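As an added illustration, not code from the post or from TD, the following Python models the quoted policy (5 to 8 characters, letters and digits only, mixing them merely recommended), then the same length and alphabet limits with the sanity checks the post shows are missing, and a hypothetical stronger policy for contrast. The card number used as login name, the tiny word list, the policy field names and the "stronger" limits are all constructed assumptions; the keyspace figure shows how little a random 5 to 8 character alphanumeric password can ever give.

```python
import math
import string

# Constructed model of the policy quoted in the post: 5 to 8 characters,
# letters and digits only, mixing letters and digits only "recommended".
QUOTED_POLICY = {
    "min_len": 5,
    "max_len": 8,
    "alphabet": string.ascii_letters + string.digits,
    "require_letters_and_digits": False,
    "reject_weak": False,
}

# The same length and alphabet limits plus the checks the post shows to be
# missing (hypothetical: what could be done without touching the back end).
QUOTED_PLUS_CHECKS = dict(QUOTED_POLICY, reject_weak=True)

# Hypothetical stronger policy for contrast: long passwords, punctuation allowed.
STRONGER_POLICY = {
    "min_len": 12,
    "max_len": 128,
    "alphabet": string.ascii_letters + string.digits + string.punctuation,
    "require_letters_and_digits": True,
    "reject_weak": True,
}

# Constructed stand-ins: a fake card number serving as the login name (as the
# post says TD's does) and a tiny blocklist; a real one would be far larger.
USERNAME = "4500123456789012"
COMMON_WORDS = {"foobar", "password", "qwerty", "letmein"}


def is_sequence(s):
    """True for runs like 12345 or abcde (or their reverse) of length >= 3."""
    if len(s) < 3:
        return False
    step = ord(s[1]) - ord(s[0])
    return step in (1, -1) and all(ord(b) - ord(a) == step for a, b in zip(s, s[1:]))


def check_password(password, username, policy):
    """Return the reasons `password` is rejected under `policy` (empty = accepted)."""
    reasons = []
    lo, hi = policy["min_len"], policy["max_len"]
    if not lo <= len(password) <= hi:
        reasons.append("length outside %d-%d" % (lo, hi))
    if any(c not in policy["alphabet"] for c in password):
        reasons.append("character outside allowed alphabet")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if policy["require_letters_and_digits"] and not (has_letter and has_digit):
        reasons.append("must contain both letters and digits")
    if policy["reject_weak"]:
        # Each check catches one of the passwords the post's author was able
        # to set; none of them requires changing the stored-password format.
        if len(set(password)) == 1:
            reasons.append("single repeated character")
        if is_sequence(password):
            reasons.append("ascending or descending sequence")
        u, p = username.lower(), password.lower()
        if u and (p in u or u in p):
            reasons.append("overlaps the login name")
        if p in COMMON_WORDS:
            reasons.append("common word")
    return reasons


def keyspace_bits(policy):
    """log2 of the number of distinct passwords the policy admits, i.e. the
    most entropy a password under it can have even when chosen at random."""
    n = len(policy["alphabet"])
    total = sum(n ** length for length in range(policy["min_len"], policy["max_len"] + 1))
    return math.log2(total)


if __name__ == "__main__":
    for pw in ["foobar", "12345", "11111", "aaaaa", USERNAME[:5]]:
        for name, pol in [("quoted", QUOTED_POLICY), ("quoted+checks", QUOTED_PLUS_CHECKS)]:
            print("%-14s %-8r %s" % (name, pw, check_password(pw, USERNAME, pol) or "accepted"))
    print("quoted policy keyspace:   %.1f bits" % keyspace_bits(QUOTED_POLICY))
    print("stronger policy keyspace: %.1f bits" % keyspace_bits(STRONGER_POLICY))
```

Running it shows every password from the list above accepted by the quoted policy and each rejected by the added checks, and a keyspace of under 48 bits for the quoted policy: that is the ceiling for any password under it, so the "change it every 90 days" advice does little against an attacker who can try the whole space offline.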

Some days, though, this industry just makes me want to set things on fire – today is one of those days.

-Leigh

On CTF and tonsils

I signed up for the CCC CTF yesterday.  Team name: Pink Pwnies.  Mascot: Adorable.  See:

[image: the team Pink Pwnies mascot]

I’m going in for a tonsillectomy tomorrow morning, and will be more or less offline for a couple of days.  I’ll be checking email and maybe replying to some of it, but everything will be a little slow.

Adult tonsillectomies are a weird business.  It’s considered pretty minor as a kid because they bounce back quickly, but adults seem to have a much harder time with it.  It’s apparently a 40 minute procedure, followed by 1-6 hours of observation.  I’m being given an alternate paralytic agent rather than sux (best pharmaceutical name ever!) because my uncle had a reaction to it as a kid which is potentially hereditary, but aside from that I’m an uber-routine case.  This gives me hope for my recovery being reasonably swift.  Well that and my still being pretty young and in decent health 🙂

I’ve found some good advice (warning, giant comment thread which recently got spun into a full-on forum) on the recovery process.  After the consult with the anesthetist this afternoon, I stocked up on non-sharp food, meal replacement drinks, ice cream, Gatorade powder, and some lovely teas.  I’ll be in the capable care of my favourite internet farmer this week until he heads off to Minneapolis for the IETF meeting, after which my favourite acquirer of pink things is coming up from Seattle to keep me company.  I’m not sure when I’ll be able to have visitors, but I’ll post here again when I regain some measure of lucidity.

Wish me luck!

-Leigh