# Title: Wells Fargo Poor Password Configurations
# Author: Anonymous
# Date: 04.21.2017
# Impacted Site: https://www.wellsfargo.com

WellsFargo.com password and security management has been identified as being in a weak state of configuration and in violation of PCI DSS 3.2 subsections 8.2.3 and 8.2.4. Multiple vulnerabilities result in poor credential management and configuration, as well as flaws in triggering fraud detection. Some vulnerabilities can be paired with each other to increase the associated risk.

Poor Credential Management Findings

1. Passwords must contain 1 letter and 1 number
   a. Industry standards indicate that sensitive passwords follow complexity requirements which would include a special character or case sensitivity.

2. Passwords are limited to 6-14 characters
   a. 6 characters is much too short and violates PCI DSS 3.2 Section 8.2.3
      i. Compensating controls for strength are allowed, such as special characters; however, special characters are not enforced.
      ii. Wells Fargo appears to be implementing additional controls such as blocking repeating characters; however, with the increase in computer processing hardware and GPU-enabled password cracking, length and complexity are more important than blocking patterns of characters.
   b. 14-character passwords may not be long enough for users who choose to use passphrases, which can result in poor password selection.

3. Discovered passwords are case insensitive
   a. Credit: /u/redditsmart0
   b. Passwords allow uppercase or lowercase permutations of the same password
      i. Coupling this with 6-character passwords greatly increases the likelihood of password compromise.

4. Passwords are not required to be changed every 90 days
   a. Violation of PCI DSS 3.2 Section 8.2.4

Fraud Detection

1. A test of logging into Wells Fargo from a new computer from a foreign country did not indicate any sort of additional security checks when logging in or transferring money.
   Almost all of Wells Fargo's competitors, as well as other financial management entities, require two-factor passcodes when logging in with a new computer or from a foreign location.
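The following is an added example, not code from the disclosure or from Wells Fargo: it models the password policy as the findings above describe it (6-14 characters, one letter and one digit, case folded before comparison) beside a stricter policy built on the PCI DSS 3.2 floor of 8.2.3 (at least seven characters, letters and digits) and the 90-day rotation of 8.2.4, and it quantifies what case folding and the missing special-character requirement cost in brute-force keyspace at the minimum length. The stricter thresholds (12-character minimum, mixed case, one special character, a three-character repeat limit) are assumptions chosen for comparison, not published requirements; the real server-side rules are not known.

```python
from __future__ import annotations

import math
import re
import string
from datetime import date, timedelta

# Rules as the disclosure describes them (findings 1-3). Modelled for
# illustration only; the actual server-side rules are not public.
WEAK_MIN, WEAK_MAX = 6, 14

# Assumed stricter policy: PCI DSS 3.2 req. 8.2.3 floor (7 chars, letters and
# digits) raised to 12, plus case sensitivity, a special character, and the
# 90-day rotation interval of req. 8.2.4.
HARD_MIN, HARD_MAX = 12, 128
ROTATION_DAYS = 90


def weak_policy_violations(pw: str) -> list[str]:
    """Policy as described: 6-14 chars, one letter, one digit.
    Case is folded first, mirroring the case-insensitive comparison in finding 3,
    so 'ABC123' and 'abc123' are the same credential."""
    pw = pw.lower()
    errs = []
    if not WEAK_MIN <= len(pw) <= WEAK_MAX:
        errs.append(f"length must be {WEAK_MIN}-{WEAK_MAX}")
    if not re.search(r"[a-z]", pw):
        errs.append("needs a letter")
    if not re.search(r"[0-9]", pw):
        errs.append("needs a digit")
    return errs


def hardened_policy_violations(pw: str) -> list[str]:
    """Assumed stricter policy: no case folding, long enough for passphrases,
    requires mixed case, a digit and a special character."""
    errs = []
    if len(pw) < HARD_MIN:
        errs.append(f"length must be at least {HARD_MIN}")
    if len(pw) > HARD_MAX:
        errs.append(f"length must be at most {HARD_MAX}")
    if not re.search(r"[a-z]", pw):
        errs.append("needs a lowercase letter")
    if not re.search(r"[A-Z]", pw):
        errs.append("needs an uppercase letter")
    if not re.search(r"[0-9]", pw):
        errs.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        errs.append("needs a special character")
    if re.search(r"(.)\1\1", pw):  # same character three times in a row
        errs.append("no character repeated three times in a row")
    return errs


def password_is_stale(last_changed: date, today: date) -> bool:
    """PCI DSS 3.2 req. 8.2.4: passwords change at least every 90 days."""
    return today - last_changed > timedelta(days=ROTATION_DAYS)


def keyspace_bits(length: int, case_sensitive: bool, specials: bool) -> float:
    """Bits of brute-force keyspace for a uniformly random password of the given
    length over the alphabet the policy actually distinguishes. Case folding
    shrinks the alphabet from 62 to 36 symbols; specials add the 32 ASCII
    punctuation characters."""
    alphabet = 26 + 10  # one case of letters plus digits
    if case_sensitive:
        alphabet += 26
    if specials:
        alphabet += len(string.punctuation)
    return length * math.log2(alphabet)


if __name__ == "__main__":
    for pw in ("abc123", "ABC123", "Correct-Horse7Battery"):
        print(f"{pw!r}: weak={weak_policy_violations(pw)} "
              f"hardened={hardened_policy_violations(pw)}")
    print("6 chars, case-folded, no specials :",
          round(keyspace_bits(6, False, False), 1), "bits")
    print("6 chars, case-sensitive, no specials:",
          round(keyspace_bits(6, True, False), 1), "bits")
    print("6 chars, case-sensitive + specials  :",
          round(keyspace_bits(6, True, True), 1), "bits")
    # Constructed dates: last change 110 days before the disclosure date.
    print("stale after 110 days:", password_is_stale(date(2017, 1, 1), date(2017, 4, 21)))
```

Under the described policy a six-character password drawn from the case-folded alphabet has about 31 bits of keyspace; treating case as significant adds more than four bits, and enforcing a special character adds another three and a half. Those figures are upper bounds for uniformly random passwords; human-chosen passwords fall well below them, which is why the length floor matters more than any pattern-blocking rule.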