I work in a bank. Until a year ago, our passwords were 8 characters max, no special characters, upper and lowercase letters were equal. We were running IE7 up until 2 years ago. A huge amount of the business is still organized around sending Excel sheets to each other, with no side-channel validation. The fact that you received an Excel sheet from some email is treated as proof that it's valid. Last I checked we were also operating an unauthenticated SMTP relay. They will shit on actual security while telling me that I have to run Windows on my work laptop because otherwise they can't run their favorite RAT PowerShell script to recursively unzip every jar on my system to look for log4shell (yes, still).
The same people who instituted and backed these rules and practices are also running the core system for clearing in the national bank of Denmark.
Banks are not secure. They are conservative and political. They will do everything to tell you they are secure. They will make your life hell to uphold their security theater, but it's just a facade. I have no doubt they will implement WEI, but it will not bring security.
Banks do have a pretty good track record of protecting people's money, but they do that through a defense-in-depth strategy of having a bunch of compliance officers manually reviewing transactions for suspicious activity.
WEI sounds like another security theater play by Ad corp. When the web first came out, it was its sandbox that made it so attractive. The server doesn't need to know what client it is, as long as it is speaking HTTP.
With the introduction of HTML5 (WebGPU, WebGL, Web Audio API), that sandbox has been slowly opened up.
That will be pretty much the same situation as on mobile, where the third-party ROM developers and users are pretty much the only ones affected, by design, by this concept.
Who will have some trouble with this new concept on the web? Smaller browser makers, software developers and crawlers from competitors.
Not a single scammer or ad fraudster will be affected, same as on mobile.
Easy to see why Google wants that, it's attacking the competition.
> Until a year ago, our passwords are 8 characters max, no special characters, upper and lowercase letters are equal.
That's pretty good. A major Canadian bank until ~2020 had a 6-character limit on passwords (possibly you could enter more, but only the first six counted) and mapped all alpha characters to numbers in groups of 3 (so your assigned telephone banking PIN was just a "hash" of your password).
My health insurance portal (Aetna, no I am not above naming and shaming) did something annoying. When I signed up I used a randomly generated three-word passphrase from my password manager. It was around 32 characters or something.
They have the fun pattern of logging you out of your account whenever you are inactive. A bit excessive for a health insurance provider imo, but whatever.
So I tried to login and guess what? Max input length for their login password is 16 characters. I literally couldn't input my password.
I had to go through a stupid process to reset my password because their sign-up front-end validations were different from their sign-in front-end validations. I had to purposely choose a less secure password: even though I could technically create a password that was pretty secure, I couldn't sign in with it.
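The three policies described in this thread (8 characters, case-insensitive, no specials; first 6 characters mapped to digits in groups of 3; a 32-character sign-up cap next to a 16-character sign-in cap) share one failure: the backend keeps less of the password than the user typed. The model below is an added example, not code from any of the banks or insurers named; the letter-to-digit table is a constructed assumption, since the real grouping is not in the thread.

```python
import math
import string
from dataclasses import dataclass

# Constructed mapping (assumption, not any bank's real table): the alphabet is
# split into groups of three letters and each group collapses to one digit,
# the way a phone-keypad "hash" of a password would.
LETTER_TO_DIGIT = {c: str(i // 3) for i, c in enumerate(string.ascii_lowercase)}

@dataclass(frozen=True)
class Policy:
    """What a login backend effectively keeps of the password you typed."""
    max_len: int
    case_insensitive: bool = False
    strip_specials: bool = False
    letters_to_digits: bool = False

    def fits(self, password: str) -> bool:
        """True if the form's input field would even accept this password."""
        return len(password) <= self.max_len

    def normalize(self, password: str) -> str:
        """The value the backend actually compares, after the policy's lossy steps."""
        pw = password
        if self.strip_specials:
            pw = "".join(c for c in pw if c.isalnum())
        if self.case_insensitive:
            pw = pw.lower()
        pw = pw[: self.max_len]  # silent truncation, as in the "only the first six count" case
        if self.letters_to_digits:
            pw = "".join(LETTER_TO_DIGIT.get(c, c) for c in pw)
        return pw

    def keyspace_bits(self) -> float:
        """Upper bound on the entropy of the stored value, in bits."""
        if self.letters_to_digits:
            alphabet = 10
        else:
            alphabet = (26 if self.case_insensitive else 52) + 10
            if not self.strip_specials:
                alphabet += 33  # printable ASCII punctuation
        return self.max_len * math.log2(alphabet)

def collide(policy: Policy, a: str, b: str) -> bool:
    """Two different passwords the backend cannot tell apart."""
    return a != b and policy.normalize(a) == policy.normalize(b)

def signup_login_mismatch(signup: Policy, login: Policy, password: str) -> bool:
    """Registered fine, but the sign-in form will not accept it (the Aetna case)."""
    return signup.fits(password) and not login.fits(password)

# Policies as described in the thread (lengths and rules taken from the comments).
DANISH_BANK = Policy(max_len=8, case_insensitive=True, strip_specials=True)
CANADIAN_BANK = Policy(max_len=6, case_insensitive=True, letters_to_digits=True)
AETNA_SIGNUP, AETNA_LOGIN = Policy(max_len=32), Policy(max_len=16)
```

Under these rules the 6-digit scheme keeps under 20 bits of the password and the 8-character case-insensitive one just over 41, and two passwords that differ only in case, punctuation or anything past the cap are interchangeable at login.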
Heh, I had a health insurance portal that when you changed your password with their mobile app, it would let you use all the special characters. However the web app blocked (or stripped) those characters out, meaning you couldn't log in to the web app because it literally wouldn't let you type your password. Every so often the mobile app forced re-auth, and it redirected you to the web version where putting in your password wouldn't work... I likewise had a nightmare process to get it reset.
Yes, I really dislike those companies that spend so much effort blocking pasting into the second password field when filling them out so they break password managers.
Luckily it's normally easy enough to edit the tags on the text box but even so, this shouldn't be necessary.