User negligence?
JC Dill
nanog at vo.cnchost.com
Sun Jul 27 14:15:36 UTC 2003
At 01:03 AM 7/27/2003, Kandra Nygårds wrote:
>From: "Sean Donelan" <sean at donelan.com>
>
> > Unfortunately there are a lot, and growing number, of self-infected PCs
> > on the net. As the banks point out, this is not a breach of the bank's
> > security. Nor is it a breach of the ISP's security. The user infects
> > his PC with a trojan and then the criminal uses the PC to transfer money
> > from the user's account, with the user's own password.
>
>Banks use passwords for authentication? That's what scares me.
>
>Personally, I find it terrifying that banks allow such weak authentication
>as a password for financial transactions.
Not only do they use password authentication, but they use a supposedly
secure password policy that effectively renders the password completely
insecure.
What do I mean? I mean that in my case, my bank requires that I change the
password to my online account management website every 90 days.
For passwords which are used daily or several times a day, a 90 day change
interval can make sense in many circumstances. But since I only login to
my banking account once a month, that means that I have to change my
password once out of every 3-4 times I use this account. I know how to
create a secure password, but I can NOT create a new one every 3-4 uses and
then remember, 30 days later, what the most recent password for this one
account is. I have many reasons to suspect that my problem is one that
most (perhaps all) of the bank's users have - the change interval is too
frequent (as compared to use intervals) and so the password is not
effectively memorized on an ongoing basis.
So, I end up having to do something INSECURE to remember the stupid
password. Either I have to create an insecure and "easy to remember"
password, or I have to write it down somehow. Now we are back to the root
problem, that the user's computer/user's password is now "insecure" and it
"isn't the bank's fault" when the user's password is discovered and used
without the user's permission. Well, that's BS. The bank created a policy
that can not be securely followed! There is more to maintaining a secure
password than changing it frequently. The policy has to be one that can be
effectively followed by most people!
It would be far more secure *in the real world* for the bank to only
require that the password be changed once a year and to then have customers
securely maintain that password in their heads instead of cached on the
computer (a very common practice) or written down (usually on a piece of
paper that then is found under the keyboard, another very common
practice). But that would *appear* to be a less secure policy to anyone
auditing the bank's password policy. It is obvious that the appearance of
security is much more important than real security. That's why we can't
take nail scissors on airplanes, it's deemed more important to have the
appearance of security at the security checkpoint than it is to have actual
*real* security on the airplane itself (better doors to the cockpit, better
security procedures in the event of a hijack, etc.). We needlessly
inconvenience users to create an *impression* that we are serious about
security when we are actually accomplishing absolutely nothing.
sigh. I keep on not doing enough to remember the stupid password, and
today I can't log in to the bank account. Again. So now I have to have
them reset the password.
Oh, BTW, this secure policy also has a password limitation of 8 characters,
and it only requires 1 non-alpha character. So I can use a supposedly
"secure" password - like bananas1 (and then change it to bananas2 90 days
later) - but I can't use a password like 4s&7Yaofb4otC (well, *that* one
isn't the most secure in the world, but you get the point), because it's
too long, even though it's obviously much harder to crack. But that isn't
deemed a "fault" in the bank's secure password policy.
jc
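As an added illustration for this archived post (it is not JC Dill's code and not anything the bank published), the following Python models the policy exactly as the post describes it: an 8-character cap, at least one non-alphabetic character, and a 90-day change that in practice turns bananas1 into bananas2. The `bank_policy_accepts` check shows the policy accepting bananas1 and rejecting 4s&7Yaofb4otC on length alone; `is_trivial_rotation` is the kind of check a forced-rotation rule would need in order to reject the counter-increment change, and its stem-comparison rule is an assumption; `keyspace_bits` is a naive character-class strength estimate (also an assumption) that makes the cost of the 8-character cap concrete. All sample passwords and changes are constructed.

```python
"""Constructed model of the password policy described in the post above.

Written for this page as an illustration, not the bank's code: the
8-character cap, the one-non-alphabetic-character rule and the
'bananas1 -> bananas2' rotation pattern come from the post; the keyspace
model and the trivial-rotation rule are assumptions.
"""
import math
import string

BANK_MAX_LEN = 8          # cap stated in the post
BANK_MIN_NONALPHA = 1     # minimum non-alphabetic characters stated in the post


def bank_policy_accepts(password: str) -> bool:
    """Return True if the password satisfies the policy as the post describes it."""
    if len(password) > BANK_MAX_LEN:
        return False
    nonalpha = sum(1 for c in password if not c.isalpha())
    return nonalpha >= BANK_MIN_NONALPHA


def keyspace_bits(password: str) -> float:
    """Naive strength estimate (assumption): bits = length * log2(alphabet size),
    where the alphabet is the union of character classes actually used.
    Printable ASCII is 95 symbols: 26 lower, 26 upper, 10 digits, 33 others."""
    if not password:
        return 0.0
    alnum = string.ascii_letters + string.digits
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c not in alnum for c in password):
        alphabet += 33
    return len(password) * math.log2(alphabet)


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with only a trailing counter
    changed (bananas1 -> bananas2), compared case-insensitively. A rotation
    policy that does not reject this gains nothing from forcing the change.
    The stem rule is an assumption; an all-digit pair also counts as trivial."""
    def stem(pw: str) -> str:
        return pw.rstrip(string.digits).casefold()
    return old == new or stem(old) == stem(new)


def review(old: str, new: str) -> dict:
    """Summarise what the stated policy and a trivial-rotation check say about
    one password change."""
    return {
        "old_accepted": bank_policy_accepts(old),
        "new_accepted": bank_policy_accepts(new),
        "new_bits": round(keyspace_bits(new), 1),
        "trivial_rotation": is_trivial_rotation(old, new),
    }


if __name__ == "__main__":
    # Constructed sample changes: the two passwords from the post plus a
    # policy-compliant random 8-character one for comparison.
    for old, new in [("bananas1", "bananas2"),
                     ("bananas1", "4s&7Yaofb4otC"),
                     ("bananas1", "Kl7#pQ2v")]:
        print(f"{old!r} -> {new!r}: {review(old, new)}")
```

Running it shows the policy's shape: bananas2 passes every stated rule and is flagged only by the rotation check the policy lacks, the 13-character password fails purely on length despite roughly twice the estimated bits, and even the best policy-compliant 8-character string tops out at about 53 bits under this estimate.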