Some good news on the Wells Fargo security front.
- Although extra password characters are still ignored, you have to exceed 14 characters before you see this behavior. A 14-character password is long enough that this should not be a significant issue.
- The reason behind the case-insensitive username and password is that the same system can then support phone interaction as well. Though this lowers the security level, it is compensated for by limiting failed logins to 3 attempts. After the 3rd failure, the user must contact the bank before they can try again.
Security Now, a TWiT Network netcast starring Steve Gibson and Leo Laporte, reported over several episodes in September that the Wells Fargo online login is not as secure as it should be. This report came from users of Security Now.
- The first report was that the password would still work if it had extra characters at the end of it. It was not determined whether the extra characters are ignored after a specific number of characters or whether anything longer than your password length is ignored.
- The second reported issue is that the password is case insensitive.
- The third report is that the username is case insensitive.
If you are a Wells Fargo customer, I would recommend you let them know about the security problem at a minimum, and change banks if you do not see reasonable effort to correct this.
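
An added example, not from the original post and not Wells Fargo's code: a constructed Python model of the behaviour reported above, with an audit routine a developer could run against their own login code to detect case folding, the number of significant password characters, and the lockout threshold. The names `LegacyLogin` and `audit` and the test credentials are hypothetical; the values 14 and 3 are the ones given in the post.

```python
import hashlib, hmac, os

MAX_LEN, MAX_FAILURES = 14, 3   # values reported in the post

class LegacyLogin:
    """Constructed model of the reported behaviour, not the bank's code."""
    def __init__(self, username, password):
        self.user, self.salt, self.failures = username.casefold(), os.urandom(16), 0
        self.digest = self._hash(password)

    def _hash(self, password):
        # Case is folded and everything past MAX_LEN characters is dropped.
        significant = password.casefold()[:MAX_LEN].encode()
        return hashlib.pbkdf2_hmac("sha256", significant, self.salt, 10_000)

    def login(self, username, password):
        if self.failures >= MAX_FAILURES:
            return "locked"            # user must contact the bank
        good = hmac.compare_digest(self._hash(password), self.digest)
        if good and username.casefold() == self.user:
            self.failures = 0
            return "ok"
        self.failures += 1
        return "denied"

def audit(factory, probe_up_to=32):
    """Enroll known test credentials in fresh instances and report behaviour."""
    user, base = "TestUser", "Abcdefghijklmnopqrstuvwxyz0123456789"
    pw = base[:10]
    report = {
        "password_case_insensitive": factory(user, pw).login(user, pw.swapcase()) == "ok",
        "username_case_insensitive": factory(user, pw).login(user.swapcase(), pw) == "ok",
        "significant_chars": None,     # None: trailing characters are never ignored
    }
    # Smallest enrolled length at which one appended character is ignored.
    for n in range(1, probe_up_to + 1):
        if factory(user, base[:n]).login(user, base[:n] + "!") == "ok":
            report["significant_chars"] = n
            break
    # Count consecutive wrong guesses accepted before the account locks.
    account, failures = factory(user, pw), 0
    while failures <= 10 and account.login(user, "wrong-guess") == "denied":
        failures += 1
    report["failures_before_lockout"] = failures if failures <= 10 else None
    return report
```

A `significant_chars` result of 1 would mean anything past the enrolled password is ignored regardless of length, which is the case the original reports could not rule out.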