DPChallenge Forums >> General Discussion >> Wells Fargo online banking
04/16/2008 12:53:28 PM · #1
Does anyone use them? I just found something really distressing and I'm hoping it's a bug...but please try this out.

When you log in with your user name and password, I can input my password and then type ANYTHING at the end of it and it still seems to work...It looks like this:

password = xxxx0000 (works fine, let's say this is my actual password)
password = xxxx0000! (Works fine...umm what?)
password = xxxx0000asdf (works fine...holy crap that's kind of scary on a BANKING website)

Can anyone else give this a shot and let me know? I'm going to try and figure out who over there to get ahold of to ask about it in the meantime.
04/16/2008 01:39:56 PM · #2
OMG that is scary, I would be emailing the bank and calling them asap.
04/16/2008 01:48:25 PM · #3
Yeah that is scary, I'd contact them right away. I'd also send an email over to the folks at Consumerist blog, www.consumerist.com

the coverage there tends to get things like that fixed fast
04/16/2008 01:49:13 PM · #4
Hey Bfox, give me your login and password, and I will check it out for you!!!! hehehe
04/16/2008 01:49:27 PM · #5
This may not be that big of an issue. If the password field is set at a certain length, then the code may simply trim any characters (or spaces) following that limit and only pass the allowed number of characters.

If you think there is an issue, try logging in with the wrong initial alpha-numeric code.

What is actually good about this is that someone trying to hack into it doesn't know what the min or max required password string limits are.
04/16/2008 01:54:13 PM · #6
I had a handful of people at work try this and they couldn't reproduce it, I think it may be what you said and they only allow a certain number of characters. I'm a bit more relieved at least :D
04/16/2008 02:07:19 PM · #7
Well, I was able to do it with my account, but I have a long password.

The way to experiment would be to change the password to something short (like 4 characters) and then try the same technique.
04/16/2008 02:24:11 PM · #8
Yeah, if you go to their homepage it seems that they only allow you 14 characters for your password. So if your password is exactly 14 characters anything entered after that would be ignored.
04/16/2008 02:27:06 PM · #9
I just tried mine and my password is under the 14 character max and it didn't let me log in..
04/16/2008 02:43:58 PM · #10
Mine is less than 14 characters and I was able to log in ...

I only entered numbers after my regular password -- maybe it works with extra numbers but not letters?
04/16/2008 03:01:30 PM · #11
Well I went back through and 'changed' my password (to the same password) and the issue stopped. It is only 8 characters long, so this wasn't a length issue as in the change password screen it says it does allow up to 14.

I had tried adding symbols, numbers, and letters afterwards. Since it stopped after I changed it I'm pretty baffled as to what sort of glitch could have caused that.
04/16/2008 03:18:31 PM · #12
Originally posted by GeneralE:

Mine is less than 14 characters and I was able to log in ...

I only entered numbers after my regular password -- maybe it works with extra numbers but not letters?


OK, I tried this too and mine won't let me log in.. I tried numbers and letters and it tells me it did not recognize my username & password..
04/16/2008 03:39:37 PM · #13
Originally posted by bfox2:

Since it stopped after I changed it I'm pretty baffled as to what sort of glitch could have caused that.

They have a separate toll-free number for online banking tech support -- I've gotten through pretty quickly. It would be good to know/report, since it's not isolated to you alone ... :-(
04/16/2008 03:44:05 PM · #14
I think I see the "issue". They have recently upgraded or migrated their database system and the old account passwords were based on a different rule set. To accommodate the old passwords (probably limited to 8 chars) in the new system (allowing more), they coded it to read whether or not the account was based on the old rule set and if it was, then ignore data after the 8th char. Once you change your password, your account will be updated and the new, more seemingly strict rule set will be applied.

At least that's how I would've written it... if I were still a programmer. Wow, I almost miss coding.
04/16/2008 03:49:06 PM · #15
I noticed the layout looked different ... you'd think they'd send an email or something about that ... :-(
04/16/2008 04:21:03 PM · #16
Originally posted by GeneralE:

I noticed the layout looked different ... you'd think they'd send an email or something about that ... :-(


An email may be disconcerting to users and make them hesitant to use the system. I think the prudent thing to do would be to force a password change upon the next logon following the system change.
04/16/2008 04:24:21 PM · #17
Originally posted by signal2noise:

Originally posted by GeneralE:

I noticed the layout looked different ... you'd think they'd send an email or something about that ... :-(


An email may be disconcerting to users and make them hesitant to use the system. I think the prudent thing to do would be to force a password change upon the next logon following the system change.


That's the way I would have done it. To keep it quiet and allow things like that to happen just seems unprofessional.
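
The behaviour guessed at in post #14 (accounts on an old rule set are compared on their first 8 characters only, and are upgraded when the password is changed), together with the forced change at next logon suggested in post #16, as an added example that is not from the thread or from the bank. The 8-character limit, the `Account` class, its method names and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

LEGACY_MAX = 8  # assumed old limit, the guess made in post #14


def _hash(password: str, salt: bytes) -> bytes:
    # Iteration count is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:  # hypothetical model, not any real system's code
    def __init__(self, password: str, legacy: bool):
        self.salt = os.urandom(16)
        self.legacy = legacy
        # The old rule set only ever stored the first LEGACY_MAX characters.
        stored = password[:LEGACY_MAX] if legacy else password
        self.digest = _hash(stored, self.salt)
        self.must_change = False

    def login(self, attempt: str, force_change: bool = False) -> bool:
        # Legacy accounts: anything after the 8th character is ignored.
        candidate = attempt[:LEGACY_MAX] if self.legacy else attempt
        ok = hmac.compare_digest(_hash(candidate, self.salt), self.digest)
        if ok and self.legacy and force_change:
            self.must_change = True  # post #16: require a change at next logon
        return ok

    def change_password(self, new_password: str) -> None:
        # Re-hash the full string under the new rule set and drop the flag.
        self.salt = os.urandom(16)
        self.digest = _hash(new_password, self.salt)
        self.legacy = False
        self.must_change = False


def demo():
    acct = Account("xxxx0000", legacy=True)  # constructed sample password
    tries = ("xxxx0000", "xxxx0000!", "xxxx0000asdf", "yyyy0000")
    before = [acct.login(p) for p in tries]
    acct.login("xxxx0000", force_change=True)
    flagged = acct.must_change
    acct.change_password("xxxx0000")  # "changed" to the same value, as in post #11
    after = [acct.login(p) for p in tries[:3]]
    return before, flagged, after
```

Under these assumptions a wrong leading string is still rejected on the legacy account, which is the check post #5 proposed, and re-saving the same 8-character password is enough to make the trailing characters count.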