User negligence?

Stephen Sprunk stephen at sprunk.org
Mon Jul 28 03:45:17 UTC 2003


Thus spake "JC Dill" <nanog at vo.cnchost.com>
> Not only do they use password authentication, but they use a supposedly
> secure password policy that effectively renders the password completely
> insecure.
>
> What do I mean?  I mean that in my case, my bank requires that I change the
> password to my online account management website every 90 days.

That's not even the dumbest part.  You can reset your password at most
banks, insurance companies, stores, airlines, etc. by claiming you forgot
it; they'll happily reset it to your mother's maiden name, SSN, or some
other publicly-available datum.

I've even run across one telephone company which will accept my SSN in lieu
of my password _without_ resetting the latter, so the hack is completely
undetectable by the victim.

> It would be far more secure *in the real world* for the bank to only
> require that the password be changed once a year ...

It seems a better general solution would be to require the password be
changed every N uses.

> Oh, BTW, this secure policy also has a password limitation of 8 characters,
> and it only requires 1 non-alpha character.  So I can use a supposedly
> "secure" password  - like bananas1 (and then change it to bananas2 90 days
> later) - but I can't use a password like 4s&7Yaofb4otC (well, *that* one
> isn't the most secure in the world, but you get the point), because it's
> too long, even though it's obviously much harder to crack.  But that isn't
> deemed a "fault" in the bank's secure password policy.

There's a staggering number of web sites that won't allow me to use
non-alphanumeric characters in my passwords at all.  I've even run into a
few which also don't allow and/or preserve upper-case letters.   Those who
fail to learn the lessons of history...

S

Stephen Sprunk         "God does not play dice."  --Albert Einstein
CCIE #3723         "God is an inveterate gambler, and He throws the
K5SSS        dice at every possible opportunity." --Stephen Hawking
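The policy JC Dill describes (8-character maximum, one non-alpha required, rotation every 90 days) and the "bananas1 -> bananas2" workaround it invites, as an added example that is not part of this thread: a checker that shows the maximum-length rule rejects the stronger password while accepting the weaker one, estimates the brute-force ceiling each policy allows, and flags a trivial counter-bump rotation. Function names and the 12-character minimum in the comparison policy are assumptions of this example.

```python
import math
import string

# Character classes used to infer the alphabet a password was drawn from.
_CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation]


def bank_policy_accepts(password: str) -> bool:
    """Policy as described in the thread: at most 8 chars, at least one non-alpha."""
    return len(password) <= 8 and any(not c.isalpha() for c in password)


def min_length_policy_accepts(password: str, min_len: int = 12) -> bool:
    """Comparison policy (assumed): a minimum length, no maximum, no class rules."""
    return len(password) >= min_len


def keyspace_bits(password: str) -> float:
    """Upper bound on brute-force strength in bits: length * log2(alphabet size),
    with the alphabet taken as the union of character classes actually used."""
    size = sum(len(cls) for cls in _CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(size) if size else 0.0


def policy_ceiling_bits(max_len: int) -> float:
    """Best any password can do under a maximum-length rule, even using all
    94 printable ASCII classes: the cap the bank's policy imposes on every user."""
    return max_len * math.log2(sum(len(cls) for cls in _CLASSES))


def is_trivial_rotation(old: str, new: str) -> bool:
    """Flag the 'bananas1 -> bananas2' pattern that forced 90-day rotation
    produces: same stem once trailing digits are stripped (case-insensitive)."""
    old_stem = old.rstrip(string.digits).lower()
    new_stem = new.rstrip(string.digits).lower()
    return bool(old_stem) and old_stem == new_stem


if __name__ == "__main__":
    for pw in ("bananas1", "4s&7Yaofb4otC"):
        print(f"{pw!r}: bank={bank_policy_accepts(pw)} "
              f"minlen={min_length_policy_accepts(pw)} "
              f"bits={keyspace_bits(pw):.1f}")
    print(f"ceiling under 8-char max: {policy_ceiling_bits(8):.1f} bits")
    print("bananas1 -> bananas2 trivial:", is_trivial_rotation("bananas1", "bananas2"))
```

The 8-character cap holds every user below roughly 52 bits regardless of diligence, while the 13-character password the policy rejects sits near 85 bits.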
