2 Bank of Ireland Business Online password issues

Jul 18th, 2007   9:22 am

So after a previous post, I’m still having the issue. Bank Of Ireland Business Online requires you to have 1 administrator user, and any number of regular users. The admin user has 2 passwords (of 8 characters+) which you must enter separately. Changing those passwords for me, to date, has been impossible.

Being a web guy, I decided to delve a little further in to the problem, and the solution is genius.

First off, BoL supports IE only. Back in 2002 (most code is dated then) they obviously made some attempt to support non-IE browsers as the code is littered with browser checks. However, the HTML (they claim 4.0, but it’s not) is about as valid as a winning lotto ticket you print at home. There is no reason I can see for BoL to be IE-only, other than to hire a student (who will usually know HTML better than whatever individual wrote this back in ’02). That’s for another day. BoL also tries to prevent you viewing their precious source (which does include passing the password you typed back in subsequent HTML documents!!), by disabling the context menu, making it trickier to get source for nested frames, but not impossible.

So, if your admin password is due for a change, then you sign in as the admin user, as normal, by entering the username & first password. Clicking Login will then prompt you for the second password, after which (assuming you got them right!) you get your 6 boxes (existing, new, confirm new for each password) to change your password.

Here’s the genius bit. BoI BoL passwords are case insensitive. That in itself is bad enough (massively reducing password strength, making brute force attacks easier and quicker). However, it’s even worse when BoI BoL JavaScript comparison methods are not case insensitive! Therein lies the problem. So, anyone copying and pasting a password will be screwed if the password contains lower case letters. If you type the password, there is JavaScript to change any lower case letters to uppercase, however that JavaScript is not called when you use a screen keyboard, or when you paste the password in to the textbox.

Solution (for BoI!): fire the JavaScript before submitting the form instead of, or as well as, after each key press. Advise customers that passwords are case insensitive, or that they must be in uppercase!

Workaround (for us fee paying customers waiting on a fix for over 5 years): Change your passwords to uppercase before copying/pasting, or using virtual keyboard.

Genius.

Comments:

James
Jun 6th, 2008   10:35 am

BOI-BOL is the worst interent banking interface dare i say website i've ever used. I am very good with computers and still spend 90% of my time struggling with password changes, buggy digital certificates, digital certificates that disable themselves after one transaction etc etc. I have been with the Bank of Ireland since secondary school and have built up a pretty good relationship with a number of managers, but considering the profits this bank has made over the past few years its an insult that they aren't able to impliment a decent bug free onlin banking system. Check out the rabobank site lads and sort it out before I move my account.
Liam Pluck
Jun 30th, 2009   7:59 pm

BOI-BOL have pushed me back to cheque books and bank drafts while I seek a modern, user friendly bank.

Leave a Reply

Your email address will not be published. Required fields are marked *

css.php