Thursday, August 27, 2009

Fidelity password fail

I called Fidelity customer yesterday and was asked to authenticate by entering my ID and PIN using the phone's keypad. At first my mind was blank - what was my phone PIN? It turns out you use the same user ID and password as you use on www.fidelity.com.

Convenient, yes? The problem is that this means the "secure" password I had chosen, which contained upper and lower-case letters and numbers, was actually being stored by Fidelity as a string on numbers.

For example, suppose your password is "MaGic8" . Using the phone keypad mapping for letters this becomes the number 624428. The sad thing is you can log in to Fidelity.com using 624428 as your password. You could also type in "NCHHCU" since this maps to the same numbers.
In this example, there are 4096 (4^6) different passwords that an attacker could enter and that would all allow them access to your account.

Instead of 62 or more possibilities per character (uppercase, lowercase and digits), you're effectively using 10 possibilities per character. That's a drop in entropy of 10 bits (or a factor of 1000) for a 6-character password.

What's odd is that they don't seem to do the same thing for the user ID - typing in the numbers your ID maps to doesn't work.

1 comment:

Anonymous said...

I just realized this morning that Fidelity is simplifying passwords when I typed mine in wrong and still got in. I guess that is why they call them PINS instead of passwords. I emailed in a complaint but it won't do any good. Make your Fidelity passwords long and your login IDs non-obvious!