User negligence?

JC Dill nanog at vo.cnchost.com
Sun Jul 27 14:15:36 UTC 2003


At 01:03 AM 7/27/2003, Kandra Nygårds wrote:

>From: "Sean Donelan" <sean at donelan.com>
>
> > Unfortunately there are a lot, and growing number, of self-infected PCs
> > on the net.  As the banks point out, this is not a breach of the bank's
> > security. Nor is it a breach of the ISP's security.  The user infects
> > his PC with a trojan and then the criminal uses the PC to transfer money
> > from the user's account, with the user's own password.
>
>Banks use passwords for authentication? That's what scares me.
>
>Personally, I find it terrifying that banks allow such weak authentication
>as a password for financial transactions.

Not only do they use password authentication, but they use a supposedly 
secure password policy that effectively renders the password completely 
insecure.

What do I mean?  I mean that in my case, my bank requires that I change the 
password to my online account management website every 90 days.

For passwords which are used daily or several times a day, a 90 day change 
interval can make sense in many circumstances.  But since I only login to 
my banking account once a month, that means that I have to change my 
password once out of every 3-4 times I use this account.  I know how to 
create a secure password, but I can NOT create a new one every 3-4 uses and 
then remember, 30 days later, what the most recent password for this one 
account is.  I have many reasons to suspect that my problem is one that 
most (perhaps all) of the bank's users have - the change interval is too 
frequent (as compared to use intervals) and so the password is not 
effectively memorized on an ongoing basis.

So, I end up having to do something INSECURE to remember the stupid 
password.  Either I have to create an insecure and "easy to remember" 
password, or I have to write it down somehow.  Now we are back to the root 
problem, that the user's computer/user's password is now "insecure" and it 
"isn't the bank's fault" when the user's password is discovered and used 
without the user's permission.  Well, that's BS.  The bank created a policy 
that can not be securely followed!  There is more to maintaining a secure 
password than changing it frequently.  The policy has to be one that can be 
effectively followed by most people!

It would be far more secure *in the real world* for the bank to only 
require that the password be changed once a year and to then have customers 
securely maintain that password in their heads instead of cached on the 
computer (a very common practice) or written down (usually on a piece of 
paper that then is found under the keyboard, another very common 
practice).  But that would *appear* to be a less secure policy to anyone 
auditing the bank's password policy.  It is obvious that the appearance of 
security is much more important than real security.  That's why we can't 
take nail scissors on airplanes, it's deemed more important to have the 
appearance of security at the security checkpoint than it is to have actual 
*real* security on the airplane itself (better doors to the cockpit, better 
security procedures in the event of a hijack, etc.).  We needlessly 
inconvenience users to create an *impression* that we are serious about 
security when we are actually accomplishing absolutely nothing.

sigh.  I keep on not doing enough to remember the stupid password, and 
today I can't log in to the bank account.  Again.  So now I have to have 
them reset the password.

Oh, BTW, this secure policy also has a password limitation of 8 characters, 
and it only requires 1 non-alpha character.  So I can use a supposedly 
"secure" password - like bananas1 (and then change it to bananas2 90 days 
later) - but I can't use a password like 4s&7Yaofb4otC (well, *that* one 
isn't the most secure in the world, but you get the point), because it's 
too long, even though it's obviously much harder to crack.  But that isn't 
deemed a "fault" in the bank's secure password policy.

jc
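As an added example (not part of JC Dill's post or the NANOG thread), the script below encodes the bank policy the post describes (8-character cap, at least one non-alphabetic character, 90-day rotation) next to an assumed alternative (no short cap, a 12-character minimum, rotation only on suspected compromise), and checks the two passwords from the post against each. It also computes a crude brute-force keyspace bound for each password, flags the "bananas1 -> bananas2" increment pattern, and works out how many logins a user gets per forced change at the post's numbers. The `IMPROVED_POLICY` values, the `uses_per_change` helper and the sample passwords' treatment are my assumptions for illustration, not anything the bank or the post specifies.

```python
import math
import string
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: Optional[int]      # None means no upper limit
    min_non_alpha: int             # required count of non-letter characters
    rotation_days: Optional[int]   # None means rotate only on suspected compromise


# The policy as described in the post: 8-character cap, one non-alpha, change every 90 days.
BANK_POLICY = PasswordPolicy("bank (as described in the post)", 1, 8, 1, 90)

# Assumed alternative for contrast (my values, not from the post): long passwords allowed,
# a real minimum length, and no calendar-driven rotation.
IMPROVED_POLICY = PasswordPolicy("improved (assumed)", 12, None, 1, None)


def check_password(pw: str, policy: PasswordPolicy) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if policy.max_length is not None and len(pw) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    non_alpha = sum(1 for c in pw if not c.isalpha())
    if non_alpha < policy.min_non_alpha:
        problems.append(f"fewer than {policy.min_non_alpha} non-alphabetic characters")
    return problems


def keyspace_bits(pw: str) -> float:
    """Crude upper bound on brute-force cost: log2(alphabet_size ** length), where the
    alphabet is the union of character classes the password actually uses.
    This is a ceiling, not an entropy estimate; a dictionary word like 'bananas1'
    is far weaker than this number suggests."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0


def is_trivial_increment(old: str, new: str) -> bool:
    """Detect the pattern the post describes: same stem, only trailing digits change."""
    stem_old = old.rstrip(string.digits)
    stem_new = new.rstrip(string.digits)
    return stem_old != "" and stem_old == stem_new and old != new


def uses_per_change(rotation_days: int, logins_per_year: float) -> float:
    """Average number of logins between forced password changes (assumed helper)."""
    return logins_per_year * rotation_days / 365.0


if __name__ == "__main__":
    for pw in ("bananas1", "4s&7Yaofb4otC"):  # the two passwords quoted in the post
        for policy in (BANK_POLICY, IMPROVED_POLICY):
            verdict = check_password(pw, policy) or ["accepted"]
            print(f"{pw!r:18} under {policy.name:34}: {', '.join(verdict)}")
        print(f"{pw!r:18} keyspace bound: {keyspace_bits(pw):.1f} bits")
    print("bananas1 -> bananas2 is a trivial increment:",
          is_trivial_increment("bananas1", "bananas2"))
    print("logins per forced change at 12 logins/year, 90-day rotation:",
          round(uses_per_change(90, 12), 1))
```

The checker accepts `bananas1` and rejects the 13-character password under the bank policy, and does the reverse under the assumed alternative; the keyspace bound makes the post's "obviously much harder to crack" concrete (about 41 bits versus about 85 bits), and the increment detector shows the kind of server-side check that would catch the rotation workaround the post describes.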