Merle (merle_) wrote,
@ 2008-05-17 07:00:00
Current mood:disgruntled
Current music:Sigue Sigue Sputnik, "21st Century Boy"

insecure passwords
Why do financial institutions have the most strict, yet least secure password validation schemes?

Signing up for a free web email account requires the choice of a somewhat cryptographically secure password (number, letter, symbol, 8 characters). Signing up for a financial account where you will put thousands of dollars has insanely weak restrictions. Most places require only letters and numbers. One requires letters and numbers, but there must be a number between two letters (huh? can we say "decreases search space when cracking?"). Only one bank I have encountered allows for symbols. The firm that handled my 401k just three years ago required numbers only, presumably so people could enter their password from phones. Not just that, but your password had to be exactly.. four digits long.

Four digits. To protect my retirement.

This is not thirty years ago, when people rolled their own "encryption" algorithms. There are countless one-way hash algorithms out there that are considered industry-standard, and they exist in libraries for just about every imaginable programming language. They take arbitrary bytes as input, so none of them (as far as I know) have restrictions that would disallow symbols. So why is it that every time I sign up for an electronic financial thing my initial reaction is to jerk back and say "no, that doesn't look right, I'm not going there"?

Financial institutions of the world: get your act together. The rest of us have secure rotating PRNG devices and strong encryption. You have money and power, and can obviously force your customer base to comply. Do the right thing, and stop driving the rest of us down into the gutter to chip flakes of stone off of primitive axes.





lurkitty
2008-05-17 02:08 pm UTC
Both my bank and mortgage company employ a multi-tiered system of identification. They give you a username that is a combination of the first four letters of your last name and some numbers. You can't change it. Then they have you choose an icon from their collection, and you choose a password more than six characters long that must have at least one number, at least one lower case letter, at least one symbol and at least one upper case letter.

The login screen first asks for your username. It takes you to a different page that shows your icon and asks for your password. If it does not recognize the computer as one you've used before, it will not even show your icon - it will go immediately to one of three challenge questions. If you answer correctly, you get your icon. You can then enter your password.

But I do get it. I signed up for electronic access to my health insurance carrier the other day and could not use any symbol other than an underscore. My previous 401K handler had four-digit numeric codes. Sheesh!

merle_
2008-05-17 02:23 pm UTC
The icon thing confuses me. Why do I want an icon of a flag or a block of cheese? What does this buy me? If it's to defeat cross-site scripting attacks, how exactly does it help?

I'm also not too keen on the "recognize this computer" bit. They probably don't use IP address (dynamic for many folks, spoofed when checking from work), which suggests a cookie or other artifact.. which, again, doesn't seem to add very much.

The password scheme at your bank sounds good. I don't like the "this is your username, suffer" bit: that practically forces people to write it down somewhere.

The four digit password thing.. yeah. That really ticked me off. Especially since (in my case) it defaulted to the last four digits of your SSN.. and your SSN was your login! Rugby, that was dumb. A little poking around in the HR filing cabinet and I could have wiped everyone clean.

lurkitty
2008-05-17 02:30 pm UTC
It is artifact driven. Every time I do a software update, the artifact disappears, too.

I see the username bit as a "we're doing this for your own good" thing. At least it keeps folks from choosing their name.

merle_
2008-05-17 02:36 pm UTC
I suppose the username is good in that sense, but if I'm going to be "as84fn32" in one place and "wrt543k9" in another, those names are going straight onto a piece of paper and into a file -- making them accessible to random people. If I get to choose my username, maybe I'll be creative, which means the only way to guess what I chose would be to intercept my packets (or look over your shoulder). And if they can intercept your packets.. game, set, and match.

fub
2008-05-17 07:13 pm UTC
With my bank, I don't get to choose my username, but I do get to choose my own password -- which has to have a combination of letters and numbers. The password policies seem reasonable to me.
So then you're in... But if you want to transfer funds out of the account(s), a five-digit code is sent to my mobile phone via SMS. That makes it suitably two-tiered in my mind.

merle_
2008-05-18 01:50 am UTC
That's an interesting combination of modes of access. I like that model. It presumes you have a mobile, of course, but is a very nice way to ensure that just stealing a password will not allow someone to move money from your account.

fub
2008-05-18 07:29 am UTC
If you don't have a mobile, you can get a list of pre-generated codes. Slightly less secure, I guess -- but who doesn't have a mobile these days?

There's actually a bank (not mine) who has become a mobile operator -- specifically with the intention of making it possible to do mobile banking through their network.

merle_
2008-05-18 03:32 pm UTC
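The transfer confirmation fub describes, written out as an added example (my illustration of the mechanism, not fub's bank's implementation): a short numeric code is issued when a transfer is requested, sent out of band (the SMS delivery itself is assumed and not shown), stored server-side only as a MAC bound to that exact destination and amount, valid for a few minutes, usable once, and capped at a handful of attempts so that the 10^5 possible codes cannot simply be enumerated. The class and method names, the five-minute validity, the three-attempt cap and the account-number format are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class TransferAuthorizer:
    """Step-up authorisation for outgoing transfers (illustrative, not a real bank's code)."""

    CODE_DIGITS = 5          # five-digit code, as in the comment above
    TTL_SECONDS = 300        # assumed validity window
    MAX_ATTEMPTS = 3         # assumed cap; with 10**5 codes this matters

    def __init__(self, server_key, clock=time.time):
        self._key = server_key        # secret kept server-side, never sent
        self._clock = clock           # injectable for testing
        self._pending = {}            # challenge_id -> pending-transfer record

    def _mac(self, challenge_id, dest, amount_cents, code):
        # The code is bound to the transfer it was issued for: a code captured
        # for transfer A cannot be replayed to confirm a tampered transfer B.
        msg = f"{challenge_id}|{dest}|{amount_cents}|{code}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, dest, amount_cents):
        """Start a transfer: returns (challenge_id for the session, code for the phone)."""
        challenge_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10 ** self.CODE_DIGITS):0{self.CODE_DIGITS}d}"
        self._pending[challenge_id] = {
            "mac": self._mac(challenge_id, dest, amount_cents, code),  # code itself not stored
            "expires": self._clock() + self.TTL_SECONDS,
            "attempts": 0,
        }
        return challenge_id, code

    def confirm(self, challenge_id, dest, amount_cents, code):
        """Second step: the user types the code back.  True releases the transfer."""
        rec = self._pending.get(challenge_id)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[challenge_id]
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["mac"], self._mac(challenge_id, dest, amount_cents, code))
        if ok or rec["attempts"] >= self.MAX_ATTEMPTS:
            del self._pending[challenge_id]   # single use; also burned after too many tries
        return ok


if __name__ == "__main__":
    auth = TransferAuthorizer(secrets.token_bytes(32))
    cid, code = auth.issue("NL00BANK0123456789", 12500)   # constructed sample transfer
    print("sent to phone:", code)
    print("tampered amount accepted?", auth.confirm(cid, "NL00BANK0123456789", 999999, code))
    print("genuine transfer accepted?", auth.confirm(cid, "NL00BANK0123456789", 12500, code))
    print("replay accepted?", auth.confirm(cid, "NL00BANK0123456789", 12500, code))
```

Binding the destination and amount into the MAC is what turns a mere "second password" into transaction authorisation: a stolen login password gets the attacker as far as the confirmation screen and no further, which is the property merle liked above. The pre-generated code list fub mentions as the fallback gives the same single-use property but, since the codes exist before the transfer does, cannot be bound to its details in this way.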
Banks being phone companies.. not my cup of tea, but I can see why they would do that.

grenacia
2008-05-17 10:14 pm UTC
I HATE it when passwords have character limits. I usually make 9-12 digit passwords that are combinations that make sense only to me. It's much harder to think of something secure but memorable at 4-6 digits.

merle_
2008-05-18 01:52 am UTC
I find the types of characters allowed to be more restrictive than the length, but you're right that six or fewer characters makes for a pointless password. Four is brute-force hackable in under a minute. Why even bother with a password?

cellio
2008-05-18 08:17 pm UTC
Same here -- I have several password schemes (at varying levels of security, 'cause I really don't care if someone impersonates me to the NYT web site but I care deeply about my money), and almost all of them rely on punctuation. And that would be the full suite, not just being able to use underscores. Bah.

I think it was Bruce Schneier who said something like: never let it be said that people do not learn anything about security. The most common password is no longer "password". It is "password1".

merle_
2008-05-18 08:56 pm UTC
If it was Schneier, he was definitely correct. The problem being that once the system forces people to use "pass#w0rD1", they're going to start writing it down. (not that they don't already)

Even if it's in a doubly encrypted file, I really hate the notion of having to write down my account names and passwords. It's just wrong. But more and more it's becoming necessary as well.

(Deleted post)

merle_
2008-05-18 01:55 am UTC
So suddenly I have accounts I must remember, which cannot be written down, and which do not match any sort of memory aid method I normally use.

Yes. It tempts me to simply not do anything financial online. But these days it is a burden not to be able to, as some banks charge for face-to-face interactions, and if you're trying to time the stock market, mailing a check in doesn't work very well...

Maybe our next president will be smart enough to push for a banking password reform bill. Ha! Yeah, right...

kmg_365
2008-05-19 12:52 pm UTC
Perhaps they figure that people are going to write their login ID and password on a Post-It Note and stick it to their computer anyway, so what's the point? :-D

merle_
2008-05-19 01:52 pm UTC
True, but in that case, why the bizarre restrictions? "You can only use letters and numbers.. and have to use one of each.. but your password has to be exactly eight characters long." Huh? It's like..

..like these banks are interfacing with ancient legacy systems that can't handle symbols. *sigh* I think I answered my own question right there. "Please, sir, would you mind selecting a password? Oh, no, don't try to type it in. Punch holes in this punchcard instead. We'll feed it in during tonight's batch upload."

kmg_365
2008-05-19 02:18 pm UTC
like these banks are interfacing with ancient legacy systems that can't handle symbols.

I would guess that quite a few older banks are using a m/f back-end with COBOL as the programming language.

It was a real trip back to the 80s when I started working with the COBOL/DB2 people here and they told me that all names needed to be <= 8 characters, or the width of a line of code had to be < 77 bytes.

merle_
2008-05-19 04:21 pm UTC
Fortran-77 was a blast, too. The first character of your variable name determined its datatype...

Stupid y2k. Why didn't it scrub those systems from the face of the earth?

kmg_365
2008-05-19 04:43 pm UTC
The first character of your variable name determined its datatype

Which is a feature that they let you use in the older versions of Visual Basic. I forget the syntax, but it allowed you to say "any variables that begin with such-and-such is type so-and-so."

Makes about as much sense as variables named thisVar and thatVar.
