
How secure are your passwords?

K7 Computing founder Jayaraman Kesavardhanan talks about how setting up secure passwords is still not quite as straightforward as it perhaps should be.

Because of what I do, sometimes people ask me about my opinion on a few issues. Often I am asked what I think about the security practices of organizations such as banks. This is effectively asking me, “Can I trust the online access etc mechanisms at the XYZ bank(s)?”

Needless to add I can hardly answer such a question. I make generic statements about security of online transactions being higher than assumed and that of off-line transactions lower than assumed. Embellished with some anecdotes this is often enough to get me off this question.

Recently I had a more serious conversation with a friend of mine. He is an old Unix hand and is generally a 'power user'. He had attempted to use the online account of a bank and, true to his style, he used a tool (pwgen, if my recall serves me right). He prides himself on not writing down passwords and chose to generate a fairly strong non-pronounceable password. He spent nearly 20 minutes memorizing it and proceeded to set up his online account. To his chagrin, the bank's password validator rejected his password! Reason: no numerals. Despite the length and a mix of case and a generous helping of special characters, the lack of a numeral triggered the rejection. He was quite bemused and even mildly upset. Having spent a lot of time on a potentially low-usage issue, he decided to give up; I suspect it was as much due to his inability to use the wonderful password he had generated and memorised.

As per his statement this was a few months ago. A few days back, he had occasion to visit the brick-and-mortar branch of the bank. While he was talking to an executive at the counter, another executive at the next counter complained that she was unable to log on to the system, and the executive attending to my friend said to her, "Oh! The new password is XYZPQ123". XYZPQ were the initials of the bank. This was said in a fairly conversational and slightly loud tone, to be heard above the usual bustle of a busy bank floor.

My friend was so annoyed and amused that he laughed out loud, so loud that the executive attending to him solicitously asked him if he needed help. My friend considered explaining how his bank needed help, wisely refrained at the last minute, and pleaded an attack of a humorous recollection.

After the narration he gave me a “What are we supposed to do?” look. I told him I wish I knew.

PS: After I decided to write this blog entry, I called up my friend and told him that I was writing it up and he drew my attention to this article.  (SIGH) Maybe I should change my opinion on writing HOW-TOs on passwords on our site!
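The two passwords in the story put side by side, as an added example that is not from the post or from K7: it models the bank's rule as the post describes it (reject anything without a numeral), estimates the entropy a generated password would have, and flags the initials-plus-digits shape that the rule happily accepts. The minimum length, the sample passwords and the token list are assumptions.

```python
import math
import re
import string

# Constructed sample passwords, not real credentials. XYZPQ stands in for the
# bank initials exactly as the post does.
PWGEN_STYLE = "Vq}xM[ewz#Rplo&TuGa!"   # 20 chars: upper, lower, symbols, no digit
BANK_FLOOR = "XYZPQ123"                # initials plus "123", overheard on the floor

# Assumed list of predictable tokens: the organisation's own initials plus the
# usual favourites. A real checker would load a large wordlist here.
PREDICTABLE_TOKENS = {"xyzpq", "password", "welcome"}

def bank_rule(pw, min_len=8):
    """The rule the post describes: reject any password with no numeral,
    regardless of its length or character mix (min_len is an assumption)."""
    return len(pw) >= min_len and any(c.isdigit() for c in pw)

def random_entropy_bits(pw):
    """Entropy if pw were drawn uniformly from the character classes it uses.
    Accurate for generator output such as pwgen; an overestimate for human choices."""
    pool = sum(len(cls) for cls in (string.ascii_lowercase, string.ascii_uppercase,
                                    string.digits, string.punctuation)
               if any(c in cls for c in pw))
    return len(pw) * math.log2(pool)

def guessable(pw):
    """Flag the 'known token + short digit suffix' shape of XYZPQ123: anyone who
    knows the token only has to enumerate the suffix."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{0,4})", pw)
    return bool(m) and m.group(1).lower() in PREDICTABLE_TOKENS

def assess(pw):
    """The three facts a policy reviewer wants next to each other."""
    return {
        "passes_bank_rule": bank_rule(pw),
        "random_entropy_bits": round(random_entropy_bits(pw), 1),
        "guessable_pattern": guessable(pw),
    }

if __name__ == "__main__":
    for pw in (PWGEN_STYLE, BANK_FLOOR):
        print(pw, assess(pw))
```

The composition rule rejects the roughly 128-bit generated password and accepts the roughly 41-bit one, which the pattern check also marks as guessable.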


One Response to “How secure are your passwords?”

  1. Arvind says:

    Interesting post. The most common practice that we all follow in response to this situation is absolutely nothing. Getting involved in trying to change protocol, misguided security etc. is a hassle that we might not get involved in, unless maybe there's profit involved. On the other hand, I am sure people could use a HOW-TO on certain other things. Rather than (probably wrongly) advising people that online transactions are safer than offline ones (taking into account the social engineering possible on both sides etc.), one might actually be better off blocking any online transaction and doing business only at the physical location.

    Password management etc. are age-old issues with poor solutions. I use Mac's built-in Keychain to store all my passwords. This has its own inherent flaw: ALL of my passwords are protected by ONE password. But I am okay with this as I do not have to remember weird passwords or make do with sub-par ones. Similarly, everyone needs a solution. And I do not think a HOW-TO is the answer, but rather understanding of the mental models of people and clarification regarding the ACTUAL way stuff happens. The simple analogy I can give is 'How does a thermostat work'. On a hot day, one rushes into one's room and turns the AC as low as possible even though that temperature might be too cold for comfort. The reasoning being "It will cool faster. I will set it to the temperature I want once the room is cool". This stems from the misunderstanding of how a thermostat works and the conflict in the mental model of the user. Bah, I cannot switch off my design side. Anyways, writing a HOW-TO is the easier thing to do. But what might have a longer-term impact is the WHY, the WHAT. By clearing up people's wrongful models.