HSBC Poor Security Policies

HSBC for several years have provided a key fob to login and authorise transactions in their web site.

Recently they have upgraded their mobile applications to have the ability to generate secure codes, therefore removing the need to have a separate device, that probably gets lost.

During signup it asks a few questions and for a new password. The text states that passwords must be over 6 characters, so for security i used LastPass to generate a 30 character password.

This was accepted, however only 8 characters were shown on the screen. After double checking it turns out that the application silently ignored the other 22 characters and set my password to a 8 character password without warning.

I feel this is especially dangerous for the following reasons:

• If i hadn't of paid attention i wouldn't have noticed
• If you follow the XKCD recommended password system of 4 words joined together your password will be very insecure.
• Who thinks 8 characters is acceptable.

So I asked HSBC Help UK on Twitter.

@HSBC_UK_Help why are passwords for digital secure key limited to 8 characters? Not very secure 4:03 PM - Mar 22, 2015

@addersuk Hi Adam. It is a business decision, as we believe it’s long enough to be secure but short enough to be remembered.^JB — HSBC UK Help (@HSBC_UK_Help) March 22, 2015

@HSBC_UK_Help so why does your app let me enter a longer password and then truncate the password

@addersuk I am sorry if this has caused you any inconvenience Adam. Have you managed to set up a password now?^JB — HSBC UK Help (@HSBC_UK_Help) March 22, 2015

I feel this raises security concerns about HSBC if they are willing to have poor security on their systems.