> Don't they usually store a hash of it? And doesn't it therefore for the most part work exactly the way you say it ideally should?
Putting aside the banks who literally do store the password because they have security procedures like "Please enter the first and fifth characters of your password", even those that do store a password hash still need you to submit your password to authenticate.
So, like the lyric says, you tell the bank your password. You hope they just use it to authenticate you and immediately discard it, but if bank security lapses are anything to go by, they're probably logging it "for security" and there are definitely employees able to snoop the decrypted plaintext passwords from customers on some internal teams.
That is what Augmented PAKEs fix; it's really hard to do well, and of course banks see themselves as infinitely trustworthy so why would they bother.
This mistaken sense of self-worth applies to your credit card PIN by the way also. Of course banks and thus bank employees can know your PIN, which means when a purchase is "secured" by the PIN that rules out some local pickpocket having made the purchase, but, as well as you, it leaves open the possibility that it was a bank employee or their co-conspirator.
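The augmented-PAKE idea mentioned above, as an added example that is not part of the original comment: a toy SRP-6a style exchange in Python in which the server stores only a verifier and the password never appears in any message. The group parameters and the names `enroll` and `login` are assumptions chosen for illustration, not a vetted implementation.

```python
import hashlib
import secrets

# Assumption: toy group for readability. 2**521 - 1 is prime but is NOT a
# vetted SRP group; real deployments use a standard group (e.g. RFC 5054).
N = 2**521 - 1
g = 3

def H(*parts) -> int:
    """Hash a sequence of ints/bytes (length-prefixed) to an integer."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def enroll(username: str, password: str):
    """Runs on the client once. Only (salt, verifier) is sent to the server."""
    salt = secrets.token_bytes(16)
    # A real system would derive x with a slow password KDF, not one hash.
    x = H(salt, username.encode(), password.encode())
    return salt, pow(g, x, N)  # verifier v = g^x mod N

def login(username: str, password: str, record):
    """Simulate one login. Returns (client_key, server_key, wire_messages)."""
    salt, v = record                      # what the server has on file
    a = secrets.randbelow(N - 2) + 1      # client ephemeral secret
    A = pow(g, a, N)                      # client -> server: username, A
    b = secrets.randbelow(N - 2) + 1      # server ephemeral secret
    B = (k * v + pow(g, b, N)) % N        # server -> client: salt, B
    if A % N == 0 or B % N == 0:
        raise ValueError("invalid public value, abort")
    u = H(A, B)
    # Client side: uses the password locally, never transmits it.
    x = H(salt, username.encode(), password.encode())
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Server side: uses only the stored verifier.
    s_server = pow(A * pow(v, u, N) % N, b, N)
    return H(s_client), H(s_server), [username.encode(), A, salt, B]
```

The two keys match only when the client used the enrolled password; each side would then prove possession of the key to the other before the session continues.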