Wednesday, 24 June 2009 07:09

Tattersall's gamble with password security

By
In this modern day online security is of paramount concern. It comes as a surprise, then, that Tattersall's Sweeps, a prominent Australian gaming company that administers weekly lotto, pools and other gambling products, makes no distinction between upper- and lower-case in passwords.

While using the Tattersall’s online site, Jeff Wharton, Solutions Architect for WARDY IT Solutions discovered he was able to log in successfully whether he entered his password with capital letters or not.

Wharton had believed his password contained a mixture of lower- and upper-case letters as well as numbers. He had assigned this password himself and had always used it when logging in, but it turned out the Tattersall’s web site actually disregarded case. His judicious use of the shift key was all in vain.

To illustrate, this means the Tattersall’s site effectively treats a password like “iTWire77” the same as “ITWIRE77” or “itwire77” or “iTwIrE77” or any other case combination.

Wharton realised this weakened the security of his account and expressed his concern to the company. Specifically, he pointed out that the online facility permits funds to be withdrawn from credit cards and bank accounts and transferred to other credit cards and bank accounts and he expected top-class protection of his financial information.

A Tattersall's Incidents and Complaints Officer responded to Wharton saying,

Tattersall’s treats the privacy and security of all our players’ with the utmost importance. We apply and maintain stringent security standards to protect data that we hold on behalf of our players. In keeping with this, Tatt’s Online password requirements are enforced as follows:-

‘Your Password must be between 8 and 12 characters long, and contain a letter and a number. Passwords should not contain your member ID< first name or surname.’

Tatt’s Online does not impose upper or lower case requirements for passwords.

Thank you for taking the time to provide feedback to Tattersall’s and trust that we have put your mind to rest on this issue.


Does it really matter? Let's look at the numbers.


According to Hitachi’s best practices for password management a password of eight characters that only permits one case as well as numbers has 2.82e12 combinations (that’s 2,820,000,000,000.) By contrast, if both cases are permitted the number of combinations increases substantially to 2.8e14 (or 280,000,000,000,000.)

These are awfully large numbers of combinations either way. However, consider that the vast bulk of these combinations are meaningless jumbles of letters and numbers. In practice, many people will opt to use a real word or name and potentially only one or two letters at the end of the word. This diminishes the number of combinations dramatically.

Most institutions recommend passwords contain a mixture of upper- and lower- case letters.

I personally verified that Tattersall’s did not distinguish between case. I created an account on their site with a password of SMITH123 and was able to successfully log in using password smith123.

I phoned Tattersall’s using the telephone number provided to Jeff Wharton to call if he had further enquiries. I asked if there was a reason Tattersall’s did not make this distinction.

The person I spoke with was unaware that the web site allowed people to log in using any case variation on their password. I explained the problem and referred to the Complaints and Incidents Officer who had responded to Wharton.

I disclosed I was a journalist and the headline of this story.

The officer simply advised me that if Tattersall’s knew about this handling of upper- and lower- case characters then they must be satisfied and happy with it.

A call has been made to Tattersall's public relations for an official comment and will be added here as soon as it is received.

Subscribe to ITWIRE UPDATE Newsletter here

GRAND OPENING OF THE ITWIRE SHOP

The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.

ENTER THE SHOP NOW!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments