LastPass Forums

[TacticalSecurity]

Also based in Europe. Would like this feature adding in too please.

[simon826]

judging by the views this is a common problem, same here 2 banks same problem.

[Redwoodsman51]

May I add another plea from the UK for this feature please?

Similar too others, I have more than one financial institution that uses specific characters selected from the whole password (and, also similarly, I suspect that it is to simplify & enable phone verification)

[alphie]

I'm a long-time KeePass user, currently evaluating LastPass before I buy premium subscriptions for the family and make the jump. This is definitely one area where KeePass wins over LastPass. In KeePass I can press a key combo and a window pops up where I can choose the positions from the password I want: e.g. 1st, 2nd, 4th, 10th. Then it simply fills in the text boxes and submits. Detecting a form which has multiple one-character text fields should be quite robust. At the very least, LastPass shouldn't attempt to save the password in your vault from just the first one-character field.

Even the concept of more than one password/PIN (again, common for non-American financial institutions) seems to be unsupported.

[mark523]

Also a UK user, also would like this feature. Having to copy and paste specific characters is a hassle.

[samharris69]

Me too.

Maybe this feature isn't needed in the US but my experience is that most banks & stock brokers that I deal with (& don't have 2FA) require this. I don't like the approach but I wouldn't count on them all changing. Have you ever tried telling a bank they are wrong?

[mike808137]

Start naming names, people. Referencing "my bank" or vague "european banks" won't help any of us understand exactly what you're talking about, nor will it help LastPass reach out to those institutions to figure out a way to address this goofy login issue.

I noted someone said it is only part of the login, in that you have to provide your full password in one place and then in some other place, they only ask you for some random character(s) from the password you entered earlier.

I'm not sure that's of any actual security benefit - if the bad guys already know your entire password, they can certainly enter the partial characters any other time. It is also trivially provable that they MUST BE STORING A DIRECT COPY YOUR PASSWORD - one that can be STOLEN and COPIED WITHOUT THEIR KNOWLEDGE. That's the entire point of a password breach.

I seem to recall that the europeans also believed that the world was flat too. Didn't make it any more true than the claim that europeans are more susceptible to mass stupidity than in other parts of the world.

If your bank is doing this, they're doing security wrong as well as just inflicting pointless complexity upon their users And that is a provable fact, just as 1 + 1 = 2. Don't reward their failed security theatre with your business or money.

Post URLs and call these securty clowns out.

[samharris69]

It is also trivially provable that they MUST BE STORING A DIRECT COPY YOUR PASSWORD - one that can be STOLEN and COPIED WITHOUT THEIR KNOWLEDGE.

I know little about security but I'm curious. What is the trivial proof? Why cannot they store one of these 10 character passwords as 10 1 character passwords?

I seem to recall that the europeans also believed that the world was flat too. Didn't make it any more true than the claim that europeans are more susceptible to mass stupidity than in other parts of the world.

If your bank is doing this, they're doing security wrong as well as just inflicting pointless complexity upon their users And that is a provable fact, just as 1 + 1 = 2.

Something about your attitude makes me think you are from the USA... Given that you aren't familiar with the technique it seems a big call to assume that all these banks are incompetent. But fwiw, here's some urls:
https://www.youinvest.co.uk/securelogin
https://secure.tddirectinvesting.lu/international/
https://atonline.alliancetrust.co.uk/atonline/login.jsp

[mike808137]

The proof is that if they are selecting any arbitrary/random character from your password to compare against the unencrypted value, then they *must* have knowledge of your actual password value. That is horrible security where one-way functions have been around for many decades.

If your bank has a copy of your password, how can they possibly *prove* any unauthorized disclosure or theft of your password was *you*. Who can prove it *wasn't* the *bank* that your password was stolen from? That is the proof.

You can't be responsible for loss of something you *don't have in the first place*. That's why anyone with any security sense at all uses one-way functions - to prove authenticity without a direct knowledge comparision. E.g. SHA256 (has functions). It doesn't matter that they split it up or encrypt it. They have a copy of your password.

QED.

[mike808137]

I didn't say it would be easy to get these banks to change their ways. I said it was horrible security to have to have your password at all. And I assume it was mass stupidity on the part of European banks because all of the examples and posters said it was European banks doing this. The rest of the security-enlightened world don't use this technique.

If you're comfortable with your money in such a bank that has such poor security design, then LastPass probably won't help you with exercising bad judgement. Use another bank - problem solved.

I can see how it happened. It was probably to avoid rewriting their apps by adding a layer that only accesses one at a time characters on top of your original full password, possibly instead of adding a layer like encryption - because it doesn't require crypto expertise or algorithm lock-in) and can also be directly translated to physical paper and manual methods as fallback or predate computers. Since banking dates back to the Hapsburg period, such ancient practices aren't surprising. Doesn't make them the right or secure way to do things in today's world. Frankly, it is exactly keeping those dinosaurs around and part of the global banking system that makes *everyone's* banking less secure. They are the weakest link.