I love this post, but must point out something about banks and passwords:
Malware trojans don't care about your password.
I don't know why people care about 'password cracking' when it comes to their bank accounts. Please watch "Modern CrimeWare Tools and Techniques: An Analysis of Underground Resources" (http://www.youtube.com/watch?v=zj4VkCB6obI) and your jaw may drop. TL;DW: Bank account sessions are automatically detected and wire transfers happen immediately to shell accounts. Login accounts are detected and sent to databases at C&C servers. People who know nothing about computers can generate a custom trojan to drive-by infect most computers.
Probably 95% of the time, if your bank account gets owned, it's not because someone cracked your magical password. It's because trojans are incredibly sophisticated and will take your money at the moment you log in, all undetected, with no fancy MITM or phishing or SSL cert faking.
Yeah yeah, they got your password and because it's unique now they won't get into some other account of yours. But carders don't care about your other accounts. You're one in a million people owned by their trojan. They'll get the other accounts once you log into them.
There is a (mildly) compelling reason for every bank to have a stupid password rule which is mutually incompatible with every site in existence: it means that compromising that other site's identity:password dictionary and then running it against your bank results in zero successes. Regular users reuse passwords given the opportunity to do so, and most of them will happily cough up their bank password to, quite literally, any site on the Internet.
There's got to be some weird game-theory solution for "Maximize for security while simultaneously minimizing the sum of all accounts on the Internet which have a password that could possibly collide with a valid password on this site."
As someone that has been the lead for many large banking systems, I can say your intuition on this one is off. Banks enforce these rules because some internal security group set the rule a while back and thats what they use. Many smaller banks use whatever password scheme the banking software service provider has as its default. Its just bureaucratic deluge. Its certainly reasonable to pontificate that this deluge results in safety per your rational. But I have never seen a study that shows this to be so. It may well be that many set their banking password as the first account they ever used on the Internet and then reuse this same password for subsequent systems.
I think using the password alone in the bank is a stupid idea in the first place. If all that stands between my dollars and miscreants is a few characters - this is careless to say the least. Think trojans/keyloggers.
My bank gives me a small card reader (not connected to PC), where I insert my debit card and need to put in my card pin. This gives a one-time code which I enter together with my password to login.
However, this is not all - in order to do anything meaningful (aka transfer money), I need a confirmation code, which is done by me typing into the little machine the amount, part of the account number being credited, and of course my banking pin to begin with. So, I effectively sign the transaction, and having the reader totally offline makes me somewhat confident in its security even if my linux laptop were compromised.
Of course all of this needs to be matched by the proper security rules on the backend, which, given their cluefulness with frontend, I trust them to have.
p.s. That said, indeed now I remember that the password rule they had is kinda stupid. But I have only one bank and I can make the exception for them, given that they have done their homework otherwise.
p.p.s. and no, I would not like to have my bank operations protected by the unlocked private key - the added convenience in this case is not worth the risk at all.
That's an interesting idea. Unfortunately it looks like you can comply with all the rules in his banks section by having an 8-digit password, which is conveniently the number of digits in a birth date.
So presumably they don't currently optimise for mutual incompatibility. Quick, file a patent. :)
I don't understand this whole never reuse passwords nonsense.
I have unique passwords for my email accounts, github, facebook, twitter and bank accounts. I only need to remember about 8 passwords. They are all pretty memorable. I usually write them down gasp. I then manually type them in until I remember them. I then rip the paper in two putting half in recycling and half in the trash.
For every other site I use 1 of 3 passwords. Why? Why not? I mean seriously, if a site contains no personal information apart from your email why do you need a separate password for it?
I only use unique 10+ character long passwords to guard things that are worth protecting. If a forum account, stack overflow account etc gets hacked.. oh well. I will make another. It really doesn't matter.
I would use 1 password for all non-critical sites but password restrictions means I need 3.
I did what you do until one of the accounts I had with a "shared" password actually got compromised, and then I switched to generating unique passwords for every site.
I actually have to think less about passwords now: instead of trying 1-3 passwords before figuring out which one it was I used at a particular site, I just generate using the site name, no thought involved.
Mainly, the reason for switching was the feeling of insecurity I experienced on discovering that someone else had accessed my account, even though it was an account on the non-essential list. I didn't even know what other sites were using that password, so I ended up deciding to switch passwords everywhere. A few accounts into that process, I just got fed up and decided to go back, switch strategies completely, and forget about passwords as much as I possibly could.
I wrote my generator both as a python script on the commandline and as a javascript web app I host on my domain, so I can generate passwords without access to my computer.
But what happens if one of those sites lose their user database? Your other accounts would be compromised and you would have to change your passwords in every site you registered with the same password.
I was going to write a blog post about this, comparing one of those 3 passwords to the lock on your toolshed in your backyard.
Obviously you want to protect your house against break-ins, so you spend money on a great security system. But people would think you were insane if you spent an equivalent amount to lock up your old lawnmower, charcoal grill, and gardening shears.
Google and my bank are my house; those passwords are secure. The password to my MySpace account? If someone discovered it, the biggest annoyance would be finding out which of my friends still have accounts.
Personal information isn't the only thing worth protecting; some accounts would take a long time or even money to recreate if they were banned. Movies ranked on recommendation engines, games bought on Good Old Games, domains and hosting accounts from different companies, invite-only accounts, etc.
For the 10 minutes it took me to write the one-liner that generates passwords from a fixed seed and the domain passed through an hash, it was certainly worth it.
+1 I try to reach a middle ground in terms of security vs convenience. I have 5 different passwords and I re-learn one at a time when I want to change them.
How's passwords an unsolved problem for any power-user? There's a ton of password management software out there that does /not/ require you to copy-paste passwords around†.
For me, kwallet & ssh public keys all the way. Kwallet makes passwords available to all programs I authorize. Authorize either on case-by-case basis, or once forever. If you really don't want to bother with KDE and/or want to be easily portable across everything POSIX, go for http://en.wikipedia.org/wiki/Factotum_(software) -- it has a simple protocol.
I remember literally 5 passwords:
home computer, work computer, home wallet, work wallet, auxilliary bank account (just in case something happened to all of my computers at once).
Actually, scratch that, I can /type/ those passwords, but I don't really know their content.
† using ^C^V on passwords is a bad idea anyway; (depending on browser) websites can read contents of your clipboard. And check your recent browsing history. 2+2=...?
keepasss is a better solution; it does the same auto-entry thing, but stages part of your password through the clipboard and part through direct keyboard entry. Works everywhere (even on mac and linux) and is far more usable.
My passwords are all generated by mashing the keyboard, and are stored in a PGP encrypted file in my Dropbox. When I want to add a password to that file, I just edit it using Vim. Vim automatically handles decryption/encryption because I have the "vim.gnupg" plugin installed. When I want to know a password, I type "password foo", where foo is a substring of some identifier I've used, eg the domain name of the site. It searches my encrypted text file for a line containing that identifier, and selects the last string of non-space characters on that line as the password. It then displays the password, and also copies it into the clipboard. It waits for 10 seconds, and then overwrites the clipboard with it's previous value. My "password manager" is this tiny script: https://grepular.com/password.pl_txt
I'd much rather rely on the security of GnuPG for my password store, than Keypass or Lastpass etc. Dropbox provides me with backup and syncing capability for my password store.
There's password generators (usually within most password managers). Far more better because even mashing the keyboard produces patterns. I bet some of your starting characters are on the left side of keyboard for example and you never use capitals or symbols.
There exists a rather elegant alternative to passwords for authenticating a user's identity - it's been around for a while but the user barrier is too high: FOAF+SSL.
The idea is you generate an X.509 cert and install it in your browser(s). You then stick the pubkey in a section of your own publicly hosted FOAF file (hosted by yourself or by an FOAF hosting service) - then when you "visit" a site that requires you to authenticate all you have to do is give it the location of your FOAF file, the browser will prompt you to select which cert you have installed that you want to use. (there are cool things you can do with remembering a user too)
This solution is elegant in two ways - no password entry, it uses a cryptographically secure certificate for authorization (much more secure than a password hash), the application in question can also pull/cache YOUR FOAF DATA (name, address, alias, whatever you have in there) so you NEVER HAVE TO FILL OUT A PROFILE FORM AGAIN.
That's effing cool, man. Why don't we see it? Because it's easier to use Facebook Connect and get the same stuff nowadays then it is to try and educate internet users on A) what is a FOAF file? and B) where/how do you generate it and host it when Facebook basically has all of that already (I know, once is personally owned, the other is owned by Facebook but we can't always control the ebb and flow of internet mass consciousness even if something is "more elegant" or "stupidly better").
Creating a password is not a job that users are good at.
Remembering passwords is not a job that users are good at.
Solve this problem for your users.
It's not super tricky. Make up a couple of new kind of input types. Say, input type=trade-keys. When you see that on a page, create a private-public key pair and swap it with the server. Take the private key you made and the public key you got and encrypt them using the user's passphrase---the only password a user should have. Store that locally and make a back up to your cloud service in case the user wants to log in with another computer or the user loses their hard drive somehow.
BrowserID (https://browserid.org/) does exactly that. Once implemented in a browser, it effectively turns authentication into a key exchange with the browser.
Not only browsers aren't solving the problem, they actively make their users' lives more difficult by obeying autocomplete="off" set by overzealous webmasters. I had to hack firefox to save a password to my yahoo account in it -- crazy.
I had to register my Apple ID. Apple's site disallows copying and pasting in the password field. I really REALLY hope this isn't a trend, because I use strong passwords for everything, and these 128-bit monsters will make your hands explode if you try to type them in manually.
It blew my mind because a coder had to burn some calories code the site specifically to disable copy/paste. What kind of UX is that?
I have a few bank accounts for my company (checking/investments/etc.) which each require different logins. That's fine.
However, the security questions for a business account are inextricably tied to an individual. Favorite animal? High school mascot? Where were you born?
These are all questions that are pretty easy to crack for an individual account, so they provide next to no added security. Furthermore, for a business account, they're just an added layer of frustration. When I took over the accounts, I had no idea how the previous president answered the questions, since they're all personal to him, not our company. Furthermore, when someone else at our company needs to access our accounts, they need to know the answer to my security questions... which are the same ones I have to use on my personal bank accounts!
In the end, it's so much of a pain to remember the answer to these questions that when I'm randomly asked to verify, I'm just as likely to call customer support and ask them to reset them. So what does this mean? I call customer support and give them
1. My name
2. My company's name
3. Our username
4. Our bank account name
5. Our tax ID number or the last 4 digits of the social-security number on the account.
...most of which would be pretty simple for a would-be attacker to obtain. And let's face it, corporate accounts at banks are much more likely to be the targets of individualized attacks, rather than random attacks over an array of accounts.
tl;dr: For business accounts, security questions actually decrease security.
....what kind of crack are you smoking? Can I have some?
So you called customer support to reset the password. You could call them whether or not there were personal security questions. Nothing changes.
OTOH the personal security questions ensure only one person can access the account (when attempting a normal login) instead of any employee at the business. Passwords might be shared but security questions probably wouldn't be (assuming only one person is accessing the account).
The questions are not intended to be impossible to crack. They're an additional data point to verify authenticity. The assumption is that you won't keep the name of your favorite animal next to your password (wherever it is that someone got your password from), thus it's an additional attack vector someone would have to account for. Not impossible, but adds difficulty.
tl;dr: added authentication prompts add to attack complexity, and you're on crack.
[p.s. you might want to change your bank account password and challenge questions when an employee who had it leaves. could be helpful.]
In my mind, someone (browser vendors? security community?) should create a standard for handling interactions to do with passwords. Covering password length, characters allowed, characters required, case sensitivity, et cetera. Or perhaps a grading mechanism. Give it a catchy name and get some noted security researchers and clueful businesses to endorse it. You could even have a browser extension which points out to users which sites are handling passwords poorly or in an inconvenient way.
With respect to the issues with banking institutions: why not take it up with your congressperson, or write to the FTC and/or SEC? The FTC is charged with consumer protection, and this seems directly in line with that. Again, if there was a grading tool, the regulators could apply that.
I've often wondered to what extent my own password mnemonic "system" is either sufficiently secure or woefully misguided.
Each of my passwords is made up of the same eight-character non-dictionary word, plus the alphabet-position numbers of the first three characters of the name of the site I've made the password for (A -> 1, B -> 2, that old trick).
So for example, say the common word I was using in my passwords was "pizzadog", then my Hacker News password would be "pizzadog813" (H -> 8, A -> 1, C -> 3)
I admit my goal is convenience, as it's clearly only one step up from using the same password for everything, but with the added numbers making me feel a little better in the event of one of them being compromised. But is there any reason why this approach might be considered a bad idea?
Now the bad guy has to crack two sites which you register on. (Or just make you register on two of his sites). Bam, all your passwords are effectively 3-letters long.
This scheme is pretty common, so yes they would think of that. They might not try and figure out the alphabet position thing, since the password is laughably easy by now.
Or, they have you register on just one site they control, and figure out the substitution trick. They now have all your passwords.
Now that you made the post it's even worse: we all know your password here is 8 lowercase characters + 813. If that's really true, I recommend changing all your passwords everywhere, NOW.
It's an extremely, extremely tiny step up from having the same password everywhere.
Public key cryptography. I don't know if it's the simplest solution, but it does fix the problem. You have a private key, which you keep SUPER safe (e.g. encrypted with a strong passphrase), and you distribute your public key to anyone who wants to be able to verify your identity.
I use KeePass myself and because of its awesome auto-type/global hotkey I rarely need to go open it and look up credentials myself. Just add the windows' title to the auto-type list of the corresponding entry and you're off the hook.
> You know those SSL certificate warnings? You know how you always ignore them? Yeah, you shouldn't do that. They're the only warning you get that someone might have hijacked the connection to your bank or whatever. It's a shame that browsers have trained most of us to ignore the warnings, because they're the only thing making SSL useful.
It's not just browsers - here's an example of a budget web / email host telling users to ignore the warning:
> When logging in your browser may warn about an invalid or untrusted SSL certificate. This is normal and can safely be ignored - the communication is fully encrypted despite this warning.
People only using one computer (that no-one else uses) have nice browser based password managers. Software like Keepass or Password Safe are handy, but not great if you use more than one computer (especially if you use more than one OS.) Keeping databases both synchronised and backed-up becomes tricky. And some companies / public computers won't allow you to use such software.
Trusting my passwords to the cloud just feels weird and unsafe.
Keepass is cross platform. Not sure about iOS devices but I use it across windows, linux and my 2 android devices. Put the kbdx file in dropbox (you also have dropbox on all platforms), set keepass to autosave on every DB change, job done.
[i guess you are still keeping your passwords in the cloud if you keep it in dbox, but the password DB is encrypted).
Lots of fail here, but I'm surprised no-one has mentioned www.ironkey.com yet (I just did). I've been using one for a couple of years (admittedly mostly on Windowses) and was so impressed I bought a couple more for my partner, family members etc. The identity manager does a reasonably good job, and the two-factor authentication works well for Ebay / PayPal. I use the on-board browser, which I keep as my "secure" / trusted-sites-only browser (where trusted mostly means "can cause money to change hands") or the integration with IE for some banks. The only thing that doesn't work automatically is banks asking for random digits (from a 16+ character random string, yeah, thanks). For that I use the ability to store notes alongside account credentials in the identity manager. IronKey also provide a degree of device management on their website, which is maybe the obvious weak spot - the credentials and checks needed to log on to their site WITHOUT having the device. That sort of thing is maybe best written down and stored with a will in a lawyer's safe - it's a worst-case-scenario if you need it.
Ok, SSH agent is fantastic, but why it is not used to log to websites? Is it so complicated to paste my public key to some textarea during account creation at any website? What is the reason that no site is using this?
Personally, I use Keepass over Dropbox. I have my latest passwords available on any device I use. So if my phone and my computer burns up in a fire, I can still access my passwords from anywhere I can securely log in to Dropbox and my safe. If anyone hacks Dropbox, they will still need my safe key. If I lose Internet access, I can still access all but the most recent password changes.
I wish banks in the United States started offering two factor authentication. If I want to log into my bank (Swiss bank) I input my card number, I then get a one time code from my bank, I insert my pin card into my card reader (not connected to the computer), I type in my pin number, I then type in the code I got from my bank. What I get back is another number that I then type into the browser field.
I am now logged into my bank. Now each time I try to do anything with my money (move it from checking to savings, or from checking to my dad, or savings to checking, or to investing) I have to insert my card, enter my pin, enter the number and give my bank the number that is generated.
That is secure. WAY more secure than what I currently have with BoA, ING, WF, First bank, Chase, and Capital One.
I love how LastPass isn't the solution because ... "it's a computer program".
What kind of Luddite computer programmer is against using computer programs to solve their problems? Yet is fine with using SSH keys?
The argument of bloat is garbage -- you can utilize LastPass bookmarklets at the cost of exactly 1 bookmark in your browser. That adds a 1K bookmark and a very small amount of JavaScript to the page if and only if you utilize it.
Password certainly are painful, and our whole goal at LastPass is to make it easier. We'd be happy to help make other scenarios people are experiencing better, we've looked at handling ssh a number of times (putty in LastPass for Applications for example) -- anyone have a preference for how we tackle that next?
[+] [-] peterwwillis|14 years ago|reply
Malware trojans don't care about your password.
I don't know why people care about 'password cracking' when it comes to their bank accounts. Please watch "Modern CrimeWare Tools and Techniques: An Analysis of Underground Resources" (http://www.youtube.com/watch?v=zj4VkCB6obI) and your jaw may drop. TL;DW: Bank account sessions are automatically detected and wire transfers happen immediately to shell accounts. Login accounts are detected and sent to databases at C&C servers. People who know nothing about computers can generate a custom trojan to drive-by infect most computers.
Probably 95% of the time, if your bank account gets owned, it's not because someone cracked your magical password. It's because trojans are incredibly sophisticated and will take your money at the moment you log in, all undetected, with no fancy MITM or phishing or SSL cert faking.
Yeah yeah, they got your password and because it's unique now they won't get into some other account of yours. But carders don't care about your other accounts. You're one in a million people owned by their trojan. They'll get the other accounts once you log into them.
[+] [-] patio11|14 years ago|reply
There's got to be some weird game-theory solution for "Maximize for security while simultaneously minimizing the sum of all accounts on the Internet which have a password that could possibly collide with a valid password on this site."
[+] [-] jhancock|14 years ago|reply
[+] [-] ay|14 years ago|reply
My bank gives me a small card reader (not connected to PC), where I insert my debit card and need to put in my card pin. This gives a one-time code which I enter together with my password to login.
However, this is not all - in order to do anything meaningful (aka transfer money), I need a confirmation code, which is done by me typing into the little machine the amount, part of the account number being credited, and of course my banking pin to begin with. So, I effectively sign the transaction, and having the reader totally offline makes me somewhat confident in its security even if my linux laptop were compromised.
Of course all of this needs to be matched by the proper security rules on the backend, which, given their cluefulness with frontend, I trust them to have.
p.s. That said, indeed now I remember that the password rule they had is kinda stupid. But I have only one bank and I can make the exception for them, given that they have done their homework otherwise.
p.p.s. and no, I would not like to have my bank operations protected by the unlocked private key - the added convenience in this case is not worth the risk at all.
[+] [-] jasondavies|14 years ago|reply
So presumably they don't currently optimise for mutual incompatibility. Quick, file a patent. :)
[+] [-] VonLipwig|14 years ago|reply
I have unique passwords for my email accounts, github, facebook, twitter and bank accounts. I only need to remember about 8 passwords. They are all pretty memorable. I usually write them down gasp. I then manually type them in until I remember them. I then rip the paper in two putting half in recycling and half in the trash.
For every other site I use 1 of 3 passwords. Why? Why not? I mean seriously, if a site contains no personal information apart from your email why do you need a separate password for it?
I only use unique 10+ character long passwords to guard things that are worth protecting. If a forum account, stack overflow account etc gets hacked.. oh well. I will make another. It really doesn't matter.
I would use 1 password for all non-critical sites but password restrictions means I need 3.
[+] [-] krig|14 years ago|reply
I actually have to think less about passwords now: instead of trying 1-3 passwords before figuring out which one it was I used at a particular site, I just generate using the site name, no thought involved.
Mainly, the reason for switching was the feeling of insecurity I experienced on discovering that someone else had accessed my account, even though it was an account on the non-essential list. I didn't even know what other sites were using that password, so I ended up deciding to switch passwords everywhere. A few accounts into that process, I just got fed up and decided to go back, switch strategies completely, and forget about passwords as much as I possibly could.
I wrote my generator both as a python script on the commandline and as a javascript web app I host on my domain, so I can generate passwords without access to my computer.
[+] [-] oozcitak|14 years ago|reply
[+] [-] pavel_lishin|14 years ago|reply
Obviously you want to protect your house against break-ins, so you spend money on a great security system. But people would think you were insane if you spent an equivalent amount to lock up your old lawnmower, charcoal grill, and gardening shears.
Google and my bank are my house; those passwords are secure. The password to my MySpace account? If someone discovered it, the biggest annoyance would be finding out which of my friends still have accounts.
[+] [-] icebraining|14 years ago|reply
For the 10 minutes it took me to write the one-liner that generates passwords from a fixed seed and the domain passed through an hash, it was certainly worth it.
[+] [-] bmuon|14 years ago|reply
[+] [-] dexen|14 years ago|reply
For me, kwallet & ssh public keys all the way. Kwallet makes passwords available to all programs I authorize. Authorize either on case-by-case basis, or once forever. If you really don't want to bother with KDE and/or want to be easily portable across everything POSIX, go for http://en.wikipedia.org/wiki/Factotum_(software) -- it has a simple protocol.
I remember literally 5 passwords: home computer, work computer, home wallet, work wallet, auxilliary bank account (just in case something happened to all of my computers at once).
Actually, scratch that, I can /type/ those passwords, but I don't really know their content.
† using ^C^V on passwords is a bad idea anyway; (depending on browser) websites can read contents of your clipboard. And check your recent browsing history. 2+2=...?
[+] [-] lubutu|14 years ago|reply
[+] [-] mike-cardwell|14 years ago|reply
Copying and pasting passwords about is fine, as long as you don't leave them in the clipboard after you've finished with them.
[+] [-] saulrh|14 years ago|reply
[+] [-] mike-cardwell|14 years ago|reply
I'd much rather rely on the security of GnuPG for my password store, than Keypass or Lastpass etc. Dropbox provides me with backup and syncing capability for my password store.
[+] [-] Joakal|14 years ago|reply
[+] [-] Ixiaus|14 years ago|reply
There exists a rather elegant alternative to passwords for authenticating a user's identity - it's been around for a while but the user barrier is too high: FOAF+SSL.
The idea is you generate an X.509 cert and install it in your browser(s). You then stick the pubkey in a section of your own publicly hosted FOAF file (hosted by yourself or by an FOAF hosting service) - then when you "visit" a site that requires you to authenticate all you have to do is give it the location of your FOAF file, the browser will prompt you to select which cert you have installed that you want to use. (there are cool things you can do with remembering a user too)
This solution is elegant in two ways - no password entry, it uses a cryptographically secure certificate for authorization (much more secure than a password hash), the application in question can also pull/cache YOUR FOAF DATA (name, address, alias, whatever you have in there) so you NEVER HAVE TO FILL OUT A PROFILE FORM AGAIN.
That's effing cool, man. Why don't we see it? Because it's easier to use Facebook Connect and get the same stuff nowadays then it is to try and educate internet users on A) what is a FOAF file? and B) where/how do you generate it and host it when Facebook basically has all of that already (I know, once is personally owned, the other is owned by Facebook but we can't always control the ebb and flow of internet mass consciousness even if something is "more elegant" or "stupidly better").
[+] [-] earthboundkid|14 years ago|reply
Creating a password is not a job that users are good at.
Remembering passwords is not a job that users are good at.
Solve this problem for your users.
It's not super tricky. Make up a couple of new kind of input types. Say, input type=trade-keys. When you see that on a page, create a private-public key pair and swap it with the server. Take the private key you made and the public key you got and encrypt them using the user's passphrase---the only password a user should have. Store that locally and make a back up to your cloud service in case the user wants to log in with another computer or the user loses their hard drive somehow.
Done.
[+] [-] JoshTriplett|14 years ago|reply
[+] [-] spindritf|14 years ago|reply
Not only browsers aren't solving the problem, they actively make their users' lives more difficult by obeying autocomplete="off" set by overzealous webmasters. I had to hack firefox to save a password to my yahoo account in it -- crazy.
[+] [-] unknown|14 years ago|reply
[deleted]
[+] [-] mncolinlee|14 years ago|reply
http://my.opera.com/operalink/blog/2011/05/03/security-of-sy...
[+] [-] unknown|14 years ago|reply
[deleted]
[+] [-] resnamen|14 years ago|reply
It blew my mind because a coder had to burn some calories code the site specifically to disable copy/paste. What kind of UX is that?
[+] [-] jmcqk6|14 years ago|reply
[+] [-] chimeracoder|14 years ago|reply
I have a few bank accounts for my company (checking/investments/etc.) which each require different logins. That's fine.
However, the security questions for a business account are inextricably tied to an individual. Favorite animal? High school mascot? Where were you born?
These are all questions that are pretty easy to crack for an individual account, so they provide next to no added security. Furthermore, for a business account, they're just an added layer of frustration. When I took over the accounts, I had no idea how the previous president answered the questions, since they're all personal to him, not our company. Furthermore, when someone else at our company needs to access our accounts, they need to know the answer to my security questions... which are the same ones I have to use on my personal bank accounts!
In the end, it's so much of a pain to remember the answer to these questions that when I'm randomly asked to verify, I'm just as likely to call customer support and ask them to reset them. So what does this mean? I call customer support and give them
1. My name 2. My company's name 3. Our username 4. Our bank account name 5. Our tax ID number or the last 4 digits of the social-security number on the account.
...most of which would be pretty simple for a would-be attacker to obtain. And let's face it, corporate accounts at banks are much more likely to be the targets of individualized attacks, rather than random attacks over an array of accounts.
tl;dr: For business accounts, security questions actually decrease security.
[+] [-] pbhjpbhj|14 years ago|reply
They're just text field responses though. No one is checking that your first school was really called "w4ffl3s and |3eeR".
However, your point stands firm and proud. It's security theatre really isn't it.
[+] [-] peterwwillis|14 years ago|reply
So you called customer support to reset the password. You could call them whether or not there were personal security questions. Nothing changes.
OTOH the personal security questions ensure only one person can access the account (when attempting a normal login) instead of any employee at the business. Passwords might be shared but security questions probably wouldn't be (assuming only one person is accessing the account).
The questions are not intended to be impossible to crack. They're an additional data point to verify authenticity. The assumption is that you won't keep the name of your favorite animal next to your password (wherever it is that someone got your password from), thus it's an additional attack vector someone would have to account for. Not impossible, but adds difficulty.
tl;dr: added authentication prompts add to attack complexity, and you're on crack.
[p.s. you might want to change your bank account password and challenge questions when an employee who had it leaves. could be helpful.]
[+] [-] dprice1|14 years ago|reply
In my mind, someone (browser vendors? security community?) should create a standard for handling interactions to do with passwords. Covering password length, characters allowed, characters required, case sensitivity, et cetera. Or perhaps a grading mechanism. Give it a catchy name and get some noted security researchers and clueful businesses to endorse it. You could even have a browser extension which points out to users which sites are handling passwords poorly or in an inconvenient way.
With respect to the issues with banking institutions: why not take it up with your congressperson, or write to the FTC and/or SEC? The FTC is charged with consumer protection, and this seems directly in line with that. Again, if there was a grading tool, the regulators could apply that.
[+] [-] apmee|14 years ago|reply
Each of my passwords is made up of the same eight-character non-dictionary word, plus the alphabet-position numbers of the first three characters of the name of the site I've made the password for (A -> 1, B -> 2, that old trick).
So for example, say the common word I was using in my passwords was "pizzadog", then my Hacker News password would be "pizzadog813" (H -> 8, A -> 1, C -> 3)
I admit my goal is convenience, as it's clearly only one step up from using the same password for everything, but with the added numbers making me feel a little better in the event of one of them being compromised. But is there any reason why this approach might be considered a bad idea?
[+] [-] encukou|14 years ago|reply
Or, they have you register on just one site they control, and figure out the substitution trick. They now have all your passwords.
Now that you made the post it's even worse: we all know your password here is 8 lowercase characters + 813. If that's really true, I recommend changing all your passwords everywhere, NOW.
It's an extremely, extremely tiny step up from having the same password everywhere.
[+] [-] g3orge|14 years ago|reply
[+] [-] sneak|14 years ago|reply
$ strings ~/Library/Application\ Support/1Password/1Password.agilekeychain/data/default/* | less
[+] [-] luastoned|14 years ago|reply
[+] [-] BadassFractal|14 years ago|reply
What's the simplest thing that could work to fix this problem once and for all? I get the impression that there simply isn't one.
[+] [-] humbledrone|14 years ago|reply
[+] [-] shakesbeard|14 years ago|reply
[+] [-] DanBC|14 years ago|reply
It's not just browsers - here's an example of a budget web / email host telling users to ignore the warning:
(http://www.purplecloud.com/webmail/)
> When logging in your browser may warn about an invalid or untrusted SSL certificate. This is normal and can safely be ignored - the communication is fully encrypted despite this warning.
People only using one computer (that no-one else uses) have nice browser based password managers. Software like Keepass or Password Safe are handy, but not great if you use more than one computer (especially if you use more than one OS.) Keeping databases both synchronised and backed-up becomes tricky. And some companies / public computers won't allow you to use such software.
Trusting my passwords to the cloud just feels weird and unsafe.
[+] [-] heyitsnick|14 years ago|reply
[i guess you are still keeping your passwords in the cloud if you keep it in dbox, but the password DB is encrypted).
[+] [-] nodata|14 years ago|reply
[+] [-] jrabone|14 years ago|reply
[+] [-] jiri|14 years ago|reply
[+] [-] mncolinlee|14 years ago|reply
[+] [-] lbolla|14 years ago|reply
[+] [-] calloc|14 years ago|reply
I am now logged into my bank. Now each time I try to do anything with my money (move it from checking to savings, or from checking to my dad, or savings to checking, or to investing) I have to insert my card, enter my pin, enter the number and give my bank the number that is generated.
That is secure. WAY more secure than what I currently have with BoA, ING, WF, First bank, Chase, and Capital One.
[+] [-] pwman|14 years ago|reply
What kind of Luddite computer programmer is against using computer programs to solve their problems? Yet is fine with using SSH keys?
The argument of bloat is garbage -- you can utilize LastPass bookmarklets at the cost of exactly 1 bookmark in your browser. That adds a 1K bookmark and a very small amount of JavaScript to the page if and only if you utilize it.
Password certainly are painful, and our whole goal at LastPass is to make it easier. We'd be happy to help make other scenarios people are experiencing better, we've looked at handling ssh a number of times (putty in LastPass for Applications for example) -- anyone have a preference for how we tackle that next?
[+] [-] Egregore|14 years ago|reply
[+] [-] wladimir|14 years ago|reply