Prudential PIN must be exactly 8 Characters

This discussion was created from comments split from: How do I use SAML in conjunction with 1Password?.

Comments

  • wkleem
    Community Member

    Prudential, unbelievably, requires an ID + 8-character PIN + OTP from the phone.

    "Important:

    • The PIN you choose should be unique to you and easy to recall.
    • Do not reveal or share your PIN with anyone.
    • The PIN you choose must be easy to recall.
    • Change your PIN immediately if you suspect that it has been exposed to others or you suspect unauthorised access.
    • The PIN you choose must be exactly 8 characters.
    • The PIN you choose should comprise of uppercase and lowercase alphanumerics.
    • No staff of Prudential should ever ask you for your PIN.
    • The PIN you choose must not be your current PIN or have been used in the last 5 PIN changes.
    • The PIN you choose must not be the same as/or the reverse of your NRIC / Passport number."
  • matthew_ag
    1Password Alumni

    Hey @wkleem,

    I hope you don't mind, I split your comment out into its own thread from the previous thread as it was on a different topic.

    "The PIN you choose must be exactly 8 characters."

    I really hope common sense security practices will be taken on by these financial institutions. Eight characters for a password is truly ridiculous. Things like this have to be brought to their attention. Hopefully they will hear their more security-conscious customers.

    Best regards,
    Matthew

  • wkleem
    Community Member

    Thanks for the reply. Was hoping that 1Password could somehow work around the limitation but it doesn't appear possible. They must think that adding OTP to a poor solution actually improves security?

  • littlebobbytables
    1Password Alumni

    As best I can tell, one-time passwords best help those that have a tendency to re-use passwords or pick ones that aren't considered strong by password cracking standards. So even in this instance it probably can't hurt. The frustrating part is any weakness in the password entropy is purely on their questionable password requirements.

    We won't let you pick a really strong password, have TOTP instead :smile:

    Sigh.

This discussion has been closed.