Stupid Bank Password Rules
So I go to log onto my bank’s website, and they inform me that I have to enter in a new password. Never mind the fact that I doubt that this is going to “improve” my security… if someone had obtained my password before, why can’t they just use the same method again?
Anyway, I enter in a password using a “hash” that I can remember that would be relatively hard to crack via common methods like a dictionary attack or using personal information (that is, it’s not a function of my street address for example). However, here’s what came back from the bank…
bq.. The new password must include at least 1 letter AND at least 1 number AND at least 1 character that is not a letter or a number.
p. What? Why don’t they just say something like, “Please create a password so cryptic that you will never remember it, so you will have to write it down, so that someone can easily find it.” Fark!
Long, non-memorable passwords make things _less_ secure, not more.
Personal security in general is just a joke. With just the flimsiest amount of someone’s personal information you can obtain access to just about anyone’s financial accounts. In addition, I’ve found that financial institutions don’t really take security seriously at all. For example, as part of a “security upgrade” a while back, I learned that I could have one of my financial institutions ask for a verbal password before any phone-based transaction could proceed. Sounded good to me. I called them up, set up a password with them, but found that upon calling back a few weeks later, I was able to proceed with a phone-based transaction without the prompt for the password. This was not unique; I tried something similar with my credit card company only to have a similar “security measure” disappear from their system too. Whatever.
Personal financial-institution security is an oxymoron… but at least no one will be able to crack my bank’s new password… including me.

March 14th, 2006 at 10:00 am
I hate that! I’ve been using a Javascript bookmarklet for generating more sensitive passwords (http://labs.zarate.org/passwd/). It takes a “master” password that you enter into a Javascript-generated dialog box and does an MD5 hash with that master password and the domain of the website you are accessing. It then truncates it to a specified length. Heck, even I don’t know my passwords on several of the sites I use; I just know it gets generated correctly every time. Works great, gives you unhackable passwords that are different for every site and has both the bookmarklet for when you’re using your own browser and a web-based generator for when you’re on the road. It has, however, the same problem you encountered - the generated passwords don’t always conform to some stupid requirement from the site’s owner. I can pretty much rely on a letter and a number being generated, but upper case and special characters? I don’t think so!
The other password thing that gets me is Starwood’s common use of the password for both the web and for the phone. When I make a reservation at a Starwood property over the phone, they ask for the password I created on the web. Somehow, it just doesn’t feel secure having the CSRs have access to my password. One could argue that there’s not much that an unauthorized user could do on the Starwood site, but most people use the same username and password for most of the sites that require it, so theoretically, a savvy CSR could go to Paypal or a banking site and try the same combination. Even at Y!, CSRs can change passwords if the user has the right security question answers, but they can’t ever see the current password.