Westpac Online Banking

Hello,

I am having difficulties auto filling the password on the Westpac personal banking website.

https://online.westpac.com.au/esis/Login/SrvPage

The password has to be entered by pressing the buttons on the screen (no keyboard).

When 1Password saves the password, the password is different to what is pressed on the keyboard and is always changing.

Can you please see if this can be fixed?

Westpac is Australia's second largest bank.

1Password is fine for all the other banks in Australia including Commonwealth Bank, ANZ Bank, NAB etc.

Cheers,
Albert


1Password Version: 5.32
Extension Version: 4.4.2.90
OS Version: OS X 10.10.4
Sync Type: Dropbox

Comments

  • littlebobbytables
    littlebobbytables
    1Password Alumni

    Hi @AlbertC,

    I have bad news I'm afraid. I don't see 1Password ever being compatible with Westpac based on their current security practices. I wish this wasn't the case but it doesn't look good.

    So what is the site doing? Each time you load the page they create a new virtual keyboard mapping. So when you click the A button the JavaScript interprets it as a J for example. If you clicked the A button three times it would translate to JJJ. It's a very simple substitution cipher that changes each time you load the page. Now on large pieces of text a substitution cipher is easily broken due to the frequency of different characters as used in each language. That isn't as much of an issue when your password is limited to 6 characters (which is a different issue altogether).

    The way 1Password works is to fill the field directly, working at the level of the page's DOM. We don't interact with buttons because they're so fragile and difficult to work with. So on a page like this where the submitted password changes on each load of the page and where you're forced to work with buttons we just don't stand a chance.

    I do wish it was better news. I've seen a few sites where they apply a linear transformation to the password as its entered character by character but this one surprises me. It's one of the most basic and earliest ciphers in the history of cryptography and that's before commenting on the maximum password length. I believe there are sensible decisions they can make that will improve security for their customers without awkward interfaces like this.

    I do apologise that we can't current handle Westpac and that I can't offer hope that we would do so at some point in the future :(

  • AlbertC
    AlbertC
    Community Member

    Hi @littlebobbytables thanks for looking into it.

    Let's hope Westpac updates their user interface and makes it more friendly in the future.

    Cheers,

  • AGAlumB
    AGAlumB
    1Password Alumni

    Indeed! We feel your pain! Even if I don't happen to use the same site, I've got plenty myself which are similarly cantankerous. Hopefully they'll listen to you and the rest of their customers pleas for mercy and make things easier on your in the future — and likewise the rest of us who suffer in a similar fashion. :blush:

This discussion has been closed.