Judith Proctor ([personal profile] watervole) wrote 2007-09-25 01:18 pm

Yet more passwords

I cannot now buy a train ticket online without having to register my debit card with a new validation scheme from Visa.  Of course, allowing me to use my pin number as the password would be too rational and easy.

It has to be a mixed alphanumeric string at least six characters long.

And I had a letter in the post today from Alliance and Leicester business banking (whose online system is so secure that I get logged out every other time I use it because I've typed in a password character incorrectly while trying to recall if 7 is the 6th digit or the 7th one of my magic number). They're going to be adding an extra level of security. Extra? I already have to put in a company ID, a log on ID, and not one, but two, long complicated passwords.

Aaargh!

[personal profile] drplokta 2007-09-25 12:28 pm (UTC)
Allowing you to use your PIN as the password would be a big security risk. You shouldn't use your card PIN anywhere else.

And the magic number thing is so that someone who is covertly running a keylogger on your machine can't log into your account -- it'll probably ask for a different digit, and they won't have it because you haven't typed it.

[identity profile] watervole.livejournal.com 2007-09-25 01:37 pm (UTC)
I wouldn't mind the magic number so much if I didn't have to remember two of them for the one account.

The basic problem is that the more passwords I have, the more I have to write them down - and that's a bigger risk than occasional duplication.

I'm running out of mnemonics that won't mean anything to other people.

[identity profile] jthijsen.livejournal.com 2007-09-25 08:06 pm (UTC)
Can't you use the same password for everything? Add numbers when needed.

[identity profile] watervole.livejournal.com 2007-09-25 09:01 pm (UTC)
Too dangerous to use the same password too often. I only do that for stuff that doesn't involve money.

[identity profile] makyo.livejournal.com 2007-09-25 12:30 pm (UTC)
They're going to be adding an extra level of security.
Well I'm afraid we customers have to put up with this sort of thing with the increasing levels of identity theft prevalent these days. It's irritating, but it's a necessary price we pay in return for the freedom to have bank employees leaving laptops full of our personal and account information lying around on buses or trains. Or something like that.

[identity profile] gaspodia.livejournal.com 2007-09-25 12:36 pm (UTC)
It's this kind of obsessive security that ends up rendering itself useless, as frustrated users like us end up either writing it all down somewhere or typing all the details into an easily accessible text file. One good (6-8 characters long and chosen) password and pin combo is more than enough security.

Natwest haven't got much else right, but their online banking system is easy to use with effective yet unobtrusive security.

[personal profile] drplokta 2007-09-25 12:41 pm (UTC)
I don't think one password was enough for the MediaDefender employee who used the same password for accounts on pirate TV sites and Gmail, leading to 700MB of highly confidential and embarrassing internal company mail being spread all over the Internet.

And actually, writing passwords down on a piece of paper is not a particularly bad idea, as 99.999% of black-hats won't be able to get access to it. Don't put them in a text file, though.

[identity profile] gaspodia.livejournal.com 2007-09-25 01:41 pm (UTC)
One overall password is certainly a bad idea. I never reuse my work passwords and have unique ones for my bank and other "secure" sites, but generally reuse a small number of low level passwords for forums etc. Each password I use has been chosen by me though, so I have no problems remembering or using them. My personal pet dislike is lengthy passwords issued to me (usually for really low level stuff!) that I am unable to change.

Having said that, I'm afraid I have in the past been guilty of issuing alphanumeric case sensitive hexadecimal passwords to work colleagues who have *really* irritated me enough to deserve it.

[identity profile] jthijsen.livejournal.com 2007-09-25 08:15 pm (UTC)
The beauty of passwords is that you can always change them. I do use one password for everything (adding numbers to the end if they insist) and intend to simply change every single one of them if the password ever gets used by a third party (that I know of, of course). I wish 'em good luck trying to get much out of my credit card, I've kept the limit low on purpose.

That being said, my bank doesn't use passwords, I have to put my card and my pin number in a small calculator (which they oh so cutely call a numculator) and then enter a number that is shown on screen which changes every time. The resulting number on the numculator has to be entered on the screen again and that's enough to get me logged in. I have to repeat it when I want to transfer money. Easy enough to be usable, and as far as I can judge still safe enough for everyday use. And I do use Windows.

[identity profile] watervole.livejournal.com 2007-09-25 01:41 pm (UTC)
Yes, I can cope with the nat west site. For some reason, having the number and the word separate makes it easier for me.

I can remember the nth letter from a word much more easily than the nth digit from a number. I think my brain confuses the position with the actual digit.

[identity profile] cdybedahl.livejournal.com 2007-09-25 01:04 pm (UTC)
Getting good security is hard. The people you complain about here all seem to have missed the crucial point that a secure solution must be easy to use, or people will stop using it or circumvent it.

I use two different Internet banking systems, and they both have acceptable security solutions (one uses a separate code box, another a client cert and a special Java plugin). I still wouldn't dream of using either from a Windows machine...

[identity profile] dumain.com (from livejournal.com) 2007-09-25 07:07 pm (UTC)
Keeping stuff secure is tricky. My domain name provider recently redesigned their whole site with the result that their secure payments page now references a couple of files over http. Discovered this when I wanted to update my credit card details and my browser gave me a lovely big red "untrusted content" warning (well ok a little red broken padlock).

As it happened not hard to get a secured page but annoying.