__/ [ Lee Sau Dan ] on Friday 11 August 2006 14:07 \__
>>>>>> "[H]omer" == [H]omer <H> writes:
>
> [H]omer> It's been a while since I used my Cahoot account, but
> [H]omer> IIRC the section I'm thinking about is limited to numbers
> [H]omer> only, but as I said, it's been a while. The whole logon
> [H]omer> process actually takes three different pages IIRC
> [H]omer> (username, A/C number. -> Where were you born, mother's
> [H]omer> maiden name. -> select character 1, 3 and 4 from your
> [H]omer> password. Or something similar). The exact questions
> [H]omer> asked are rotated from a selection, so you're not always
> [H]omer> asked the same questions each time you logon.
>
> So, a combined key-logger+screen-recorder would break this security
> scheme, right?
>
> I hate these apparently more secure schemes. They aren't more secure.
> Where you were born. Mother's maiden name. Name of school or
> kindergarten that you attended. All these can be obtained easily if
> anyone attempts to do it. (e.g. your company may require you to fill
> in a form containing all this information when you get employed!)
>
> A false sense of security is much worse than an insecurity that is
> made aware of.
>
> >> Are they reasonable (e.g. requiring you to choose a 128
> >> character password).
>
> [H]omer> I don't think I got to choose at all; the
> [H]omer> password/pin/whatever was "issued" to me, and advised by
> [H]omer> snail-mail (Bank Card PIN style).
>
> Not allowing the user to change the password (or PIN) to his selected
> one is a bad approach to security. That user would likely keep that
> snail-mail in his drawer, or write it on a postit and stick it in some
> "secure" places. That's safer?
I agree. My bank has this old-fashioned approach where
password and PIN code are both used and, while the password
can be changed, people will continue to write those things
down. The site has made no effort whatsoever to remind the
user (me) to change password. It has been the same for 5+
years. What's more, after 3 unsuccessful login attempts, the
account is locked and this requires a phone call and a letter
with activation code to be sent by post. It's more of an
inconvenience than a measure of security. In fact, one could
easily cause major inconvenience to dozens of strangers
within minutes. For spite even.
The maiden name thing has always been a joke. Almost as
laughable as these questions that recover passwords. All it
does is offload the support burden (for Web sites) at the
expense of security.
Best wishes,
Roy
--
Roy S. Schestowitz | "Ping this IP, see if it responds the second time"
http://Schestowitz.com | GNU/Linux | PGP-Key: 0x74572E8E
Swap: 1036184k total, 429952k used, 606232k free, 104888k cached
http://iuron.com - next generation of search paradigms