March 31, 2021 Opener

A bank required passwords to be exactly 8 characters long, and could be any combination of letters and digits. When she left the caps lock key on by accident, a user found that the case of the letters did not matter — you could type either an upper case letter or a lower case letter and it would be treated the same. Why is this bad?

Later on, the bank added what it called two-factor authentication. After you logged in, the bank announced that you would need to authenticate using a second factor. It produced another login screen. The user then entered their name and password again, and got logged into the area with their accounts. Was this really two-factor authentication?
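
As an added illustration of the first question (not part of the original handout), the following Python models the bank's case-insensitive check beside a correct one and measures how many passwords each can actually tell apart; the verifier functions and the 62-symbol letters-and-digits alphabet are this example's assumptions.

```python
"""Effective password keyspace under a case-insensitive verifier.

Added example for the opener: two toy verifiers model the bank's login check,
and each one's effective keyspace is measured by asking it which symbols it
can tell apart.
"""
import math
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols: letters and digits
PASSWORD_LEN = 8                                 # the bank's fixed length


def verify_exact(stored: str, typed: str) -> bool:
    """Correct check: every character, including its case, must match."""
    return stored == typed


def verify_casefold(stored: str, typed: str) -> bool:
    """The bank's behaviour from the opener: letter case is ignored."""
    return stored.lower() == typed.lower()


def distinguishable_symbols(verify) -> int:
    """Count the alphabet symbols the verifier treats as distinct.

    Symbols that verify against each other are a single guess to an
    attacker. The verifier is a black box here: a symbol starts a new
    class only if no earlier representative is accepted in its place.
    Assumes the check is applied position by position, which holds for
    plain equality and for case folding.
    """
    representatives = []
    for sym in ALPHABET:
        if not any(verify(rep, sym) for rep in representatives):
            representatives.append(sym)
    return len(representatives)


def keyspace_bits(verify, length: int = PASSWORD_LEN) -> float:
    """log2 of the number of passwords the verifier can distinguish."""
    return length * math.log2(distinguishable_symbols(verify))


def audit() -> dict:
    """Entropy each verifier offers and how much the bank's check gives away."""
    exact, folded = keyspace_bits(verify_exact), keyspace_bits(verify_casefold)
    return {"exact_bits": exact,                          # 8 * log2(62) ~ 47.6
            "casefold_bits": folded,                      # 8 * log2(36) ~ 41.4
            "keyspace_reduction": 2 ** (exact - folded)}  # (62/36)**8 ~ 77
```

The roughly 6 bits lost mean an exhaustive guess against the bank's check needs about 77 times fewer attempts than against a case-sensitive one of the same length.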

Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
ECS 153, Computer Security
Version of March 31, 2021 at 10:57AM