North American Network Operators Group


Re: User negligence?

  • From: JC Dill
  • Date: Sun Jul 27 10:18:36 2003

At 01:03 AM 7/27/2003, Kandra Nygårds wrote:

From: "Sean Donelan" <[email protected]>

> Unfortunately there are a lot, and growing number, of self-infected PCs
> on the net.  As the banks point out, this is not a breach of the bank's
> security. Nor is it a breach of the ISP's security.  The user infects
> his PC with a trojan and then the criminal uses the PC to transfer money
> from the user's account, with the user's own password.

Banks use passwords for authentication? That's what scares me.

Personally, I find it terrifying that banks allow such weak authentication
as a password for financial transactions.
Not only do they use password authentication, but they use a supposedly secure password policy that effectively renders the password completely insecure.

What do I mean? I mean that in my case, my bank requires that I change the password to my online account management website every 90 days.

For passwords which are used daily or several times a day, a 90 day change interval can make sense in many circumstances. But since I only log in to my banking account once a month, that means that I have to change my password once out of every 3-4 times I use this account. I know how to create a secure password, but I can NOT create a new one every 3-4 uses and then remember, 30 days later, what the most recent password for this one account is. I have many reasons to suspect that my problem is one that most (perhaps all) of the bank's users have - the change interval is too frequent (as compared to use intervals) and so the password is not effectively memorized on an ongoing basis.

So, I end up having to do something INSECURE to remember the stupid password. Either I have to create an insecure and "easy to remember" password, or I have to write it down somehow. Now we are back to the root problem, that the user's computer/user's password is now "insecure" and it "isn't the bank's fault" when the user's password is discovered and used without the user's permission. Well, that's BS. The bank created a policy that cannot be securely followed! There is more to maintaining a secure password than changing it frequently. The policy has to be one that can be effectively followed by most people!

It would be far more secure *in the real world* for the bank to only require that the password be changed once a year and to then have customers securely maintain that password in their heads instead of cached on the computer (a very common practice) or written down (usually on a piece of paper that then is found under the keyboard, another very common practice). But that would *appear* to be a less secure policy to anyone auditing the bank's password policy. It is obvious that the appearance of security is much more important than real security. That's why we can't take nail scissors on airplanes, it's deemed more important to have the appearance of security at the security checkpoint than it is to have actual *real* security on the airplane itself (better doors to the cockpit, better security procedures in the event of a hijack, etc.). We needlessly inconvenience users to create an *impression* that we are serious about security when we are actually accomplishing absolutely nothing.

Sigh. I keep on not doing enough to remember the stupid password, and today I can't log in to the bank account. Again. So now I have to have them reset the password.

Oh, BTW, this secure policy also has a password limitation of 8 characters, and it only requires 1 non-alpha character. So I can use a supposedly "secure" password - like bananas1 (and then change it to bananas2 90 days later) - but I can't use a password like 4s&7Yaofb4otC (well, *that* one isn't the most secure in the world, but you get the point), because it's too long, even though it's obviously much harder to crack. But that isn't deemed a "fault" in the bank's secure password policy.

jc
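Added illustration (not part of JC's post or the NANOG archive): a small Python model of the policy the post describes (8-character cap, one non-alpha character, 90-day rotation, monthly use) next to a longer-password, yearly-rotation policy, plus the history check a defender would add to catch the `bananas1` -> `bananas2` rotation pattern the post predicts. The "saner" policy values are assumptions for comparison, not anything the bank or the post specifies.

```python
import math
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    min_len: int
    max_len: int
    min_non_alpha: int
    rotation_days: int


# The policy as described in the post: at most 8 chars, >= 1 non-alpha, change every 90 days.
BANK_POLICY = Policy(min_len=1, max_len=8, min_non_alpha=1, rotation_days=90)
# Assumed comparison policy: longer passwords allowed, rotation once a year (not from the post).
SANER_POLICY = Policy(min_len=12, max_len=64, min_non_alpha=1, rotation_days=365)


def accepts(policy: Policy, password: str) -> bool:
    """True if the password satisfies the policy's length and composition rules."""
    non_alpha = sum(1 for c in password if not c.isalpha())
    return policy.min_len <= len(password) <= policy.max_len and non_alpha >= policy.min_non_alpha


def keyspace_bits(length: int, alphabet_size: int = 94) -> float:
    """log2 of the number of uniformly random passwords of this length over printable ASCII.
    Shows what a hard length cap throws away, independent of composition rules."""
    return length * math.log2(alphabet_size)


def changes_per_login(policy: Policy, logins_per_year: int) -> float:
    """Forced changes per login; 0.34 means a new password roughly every third login,
    which is the 'never memorized' situation the post describes."""
    return (365 / policy.rotation_days) / logins_per_year


def is_trivial_increment(old: str, new: str) -> bool:
    """Flag a rotation that only changes a trailing number (bananas1 -> bananas2).
    A password-history check that rejects this is the mitigation for the pattern
    frequent rotation encourages."""
    m_old = re.fullmatch(r"(.+?)(\d+)", old)
    m_new = re.fullmatch(r"(.+?)(\d+)", new)
    return bool(m_old and m_new and m_old.group(1) == m_new.group(1))
```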