[15570] in cryptography@c2.net mail archive


Re: Article on passwords in Wired News

daemon@ATHENA.MIT.EDU (Peter Fairbrother)
Mon Jun 7 13:02:19 2004

X-Original-To: cryptography@metzdowd.com
Date: Mon, 07 Jun 2004 11:30:07 +0100
From: Peter Fairbrother <zenadsl6186@zen.co.uk>
To: <cryptography@metzdowd.com>
In-Reply-To: <E1BVnN1-00029s-Uz@medusa01>

Peter Gutmann wrote:

>> An article on passwords and password safety, including this neat bit:
>> 
>> For additional security, she then pulls out a card that has 50
>> scratch-off codes. Jubran uses the codes, one by one, each time she
>> logs on or performs a transaction. Her bank, Nordea PLC, automatically
>> sends a new card when she's about to run out.
>> 
>> http://www.wired.com/news/infostructure/0,1377,63670,00.html
> 
> One-time passwords (TANs) was another thing I covered in the "Why isn't the
> Internet secure yet, dammit!" talk I mentioned here a few days ago.  From
> talking to assorted (non-European) banks, I haven't been able to find any that
> are planning to introduce these in the foreseeable future.  I've also been
> unable to get any credible explanation as to why not, as far as I can tell
> it's "We're not hurting enough yet".  Maybe it's just a cultural thing,
> certainly among European banks it seems to be a normal part of allowing
> customers online access to banking facilities.

My (European) bank uses "memorable information", an alphanumeric string
provided by me, and they ask for three randomly chosen characters when
authenticating online. There is also a fixed password.

Not terribly secure, or terribly one-time, but it would defeat a simple
keylogger or shoulder surfing attack, for instance. It doesn't give me the
warm fuzzies, but it does mean I would use a dodgy terminal at least once if
I was stuck in the badlands (and then change passwords etc.).


-- 
Peter Fairbrother

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
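The partial-password scheme Peter describes above (bank stores a "memorable information" string and asks for three randomly chosen characters per login) can be modelled to show both what it buys against a single keylogged session and how quickly repeated captures leak the whole string. The following Python is an added example written for this archive page; it is not code from the message or from any bank, and the secret `correcthorse`, the choice of k=3, the seed, and the helper names are assumptions made for the demonstration.

```python
import hmac
import random
from typing import Dict, List, Optional, Tuple


class PartialPasswordVerifier:
    """Server-side check modelled on the 'memorable information' scheme described
    in the message: the bank keeps the whole string and, per login, asks for k
    characters at freshly chosen random positions.  Hypothetical code, not any
    bank's implementation."""

    def __init__(self, memorable: str, k: int = 3,
                 rng: Optional[random.Random] = None) -> None:
        if k > len(memorable):
            raise ValueError("cannot ask for more positions than the secret has")
        # The scheme inherently needs the secret in a form from which arbitrary
        # characters can be recovered, so it cannot be stored as a single hash.
        self._secret = memorable
        self.k = k
        self._rng = rng or random.SystemRandom()

    def challenge(self) -> List[int]:
        """k distinct 1-based positions, sorted as a login page would show them."""
        return sorted(self._rng.sample(range(1, len(self._secret) + 1), self.k))

    def verify(self, positions: List[int], answer: str) -> bool:
        """Constant-time comparison of the typed characters against the stored ones."""
        expected = "".join(self._secret[p - 1] for p in positions)
        return hmac.compare_digest(expected.encode(), answer.encode())


def attacker_answer(known: Dict[int, str], positions: List[int]) -> Optional[str]:
    """What an attacker holding keylogged sessions can reply: the answer if every
    requested position appeared in a captured session, otherwise None (replay fails)."""
    if all(p in known for p in positions):
        return "".join(known[p] for p in positions)
    return None


def sessions_until_leaked(secret: str, k: int = 3, seed: int = 7) -> Tuple[int, Dict[int, str]]:
    """Simulate a keylogger on the user's terminal across successive logins and
    count how many sessions it takes before every character of the secret has
    been observed (a coupon-collector process).  The RNG is seeded so the demo
    is reproducible; a real server would use SystemRandom."""
    rng = random.Random(seed)
    bank = PartialPasswordVerifier(secret, k, rng)
    known: Dict[int, str] = {}
    sessions = 0
    while len(known) < len(secret):
        positions = bank.challenge()
        # The legitimate user types these; the keylogger records them alongside
        # the on-screen positions.
        reply = "".join(secret[p - 1] for p in positions)
        if not bank.verify(positions, reply):
            raise RuntimeError("legitimate reply rejected")
        sessions += 1
        for p, ch in zip(positions, reply):
            known[p] = ch
    return sessions, known


if __name__ == "__main__":
    bank = PartialPasswordVerifier("correcthorse", k=3)
    # One captured session: positions 2, 5, 9 of "correcthorse" are 'o', 'e', 'o'.
    captured = {2: "o", 5: "e", 9: "o"}
    print("replay of same positions:", attacker_answer(captured, [2, 5, 9]))
    print("fresh challenge [1, 5, 9]:", attacker_answer(captured, [1, 5, 9]))
    n, _ = sessions_until_leaked("correcthorse", k=3, seed=7)
    print(f"sessions of keylogging needed to learn all 12 characters: {n}")
```

The simulation makes the trade-off concrete: a single capture only answers a challenge whose positions were all seen before, so a one-off login from a dodgy terminal is survivable, but every further session hands the attacker k more characters and the fixed password is captured in full on the first one. Note also that the server must hold the memorable string in recoverable form, since only substrings are ever checked, which is a storage weakness a hashed password does not have.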
