[59944] in North American Network Operators' Group
Re: User negligence?
daemon@ATHENA.MIT.EDU (JC Dill)
Sun Jul 27 10:16:37 2003
Date: Sun, 27 Jul 2003 07:15:36 -0700
To: <nanog@merit.edu>
From: JC Dill <nanog@vo.cnchost.com>
In-Reply-To: <00b901c35415$93b6c120$0ef2a8c0@amalthea>
Errors-To: owner-nanog-outgoing@merit.edu
At 01:03 AM 7/27/2003, Kandra Nygårds wrote:
>From: "Sean Donelan" <sean@donelan.com>
>
> > Unfortunately there are a lot, and growing number, of self-infected PCs
> > on the net. As the banks point out, this is not a breach of the bank's
> > security. Nor is it a breach of the ISP's security. The user infects
> > his PC with a trojan and then the criminal uses the PC to transfer money
> > from the user's account, with the user's own password.
>
>Banks use passwords for authentication? That's what scares me.
>
>Personally, I find it terrifying that banks allow such weak authentication
>as a password for financial transactions.
Not only do they use password authentication, but they use a supposedly
secure password policy that effectively renders the password completely
insecure.
What do I mean? I mean that in my case, my bank requires that I change the
password to my online account management website every 90 days.
For passwords which are used daily or several times a day, a 90 day change
interval can make sense in many circumstances. But since I only log in to
my banking account once a month, that means that I have to change my
password once out of every 3-4 times I use this account. I know how to
create a secure password, but I can NOT create a new one every 3-4 uses and
then remember, 30 days later, what the most recent password for this one
account is. I have many reasons to suspect that my problem is one that
most (perhaps all) of the bank's users have - the change interval is too
frequent (as compared to use intervals) and so the password is not
effectively memorized on an ongoing basis.
So, I end up having to do something INSECURE to remember the stupid
password. Either I have to create an insecure and "easy to remember"
password, or I have to write it down somehow. Now we are back to the root
problem, that the user's computer/user's password is now "insecure" and it
"isn't the bank's fault" when the user's password is discovered and used
without the user's permission. Well, that's BS. The bank created a policy
that can not be securely followed! There is more to maintaining a secure
password than changing it frequently. The policy has to be one that can be
effectively followed by most people!
It would be far more secure *in the real world* for the bank to only
require that the password be changed once a year and to then have customers
securely maintain that password in their heads instead of cached on the
computer (a very common practice) or written down (usually on a piece of
paper that then is found under the keyboard, another very common
practice). But that would *appear* to be a less secure policy to anyone
auditing the bank's password policy. It is obvious that the appearance of
security is much more important than real security. That's why we can't
take nail scissors on airplanes, it's deemed more important to have the
appearance of security at the security checkpoint than it is to have actual
*real* security on the airplane itself (better doors to the cockpit, better
security procedures in the event of a hijack, etc.). We needlessly
inconvenience users to create an *impression* that we are serious about
security when we are actually accomplishing absolutely nothing.
sigh. I keep on not doing enough to remember the stupid password, and
today I can't log-in to the bank account. Again. So now I have to have
them reset the password.
Oh, BTW, this secure policy also has a password limitation of 8 characters,
and it only requires 1 non-alpha character. So I can use a supposedly
"secure" password - like bananas1 (and then change it to bananas2 90 days
later) - but I can't use a password like 4s&7Yaofb4otC (well, *that* one
isn't the most secure in the world, but you get the point), because it's
too long, even though it's obviously much harder to crack. But that isn't
deemed a "fault" in the bank's secure password policy.
jc
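
Added example, not part of the original message: a Python model of the policy described in the post above (at most 8 characters, at least 1 non-alpha character), showing how it treats the passwords the post quotes. The function names, the charset-based bit estimate and the trailing-digit rotation check are assumptions made for illustration; the bank's actual rule set is not known.

```python
import math
import string

MAX_LEN = 8  # length limit stated in the post

def bank_policy_accepts(pw: str) -> bool:
    """Constructed model of the posted rules: at most 8 characters and at
    least 1 non-alpha character. The bank's actual rule set is not known."""
    return len(pw) <= MAX_LEN and any(not c.isalpha() for c in pw)

def charset_size(pw: str) -> int:
    """Sum the sizes of the ASCII character classes that pw draws from."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))

def brute_force_bits(pw: str) -> float:
    """Upper bound in bits: length * log2(charset). A dictionary word such
    as 'bananas' is far easier to guess than this bound suggests."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0

def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password only changes a trailing run of digits."""
    base = old.rstrip(string.digits)
    return bool(base) and old != new and base == new.rstrip(string.digits)

def audit(old: str, new: str) -> dict:
    """Summarise how the modelled policy treats a 90-day password change."""
    return {
        "accepted": bank_policy_accepts(new),
        "bits_upper_bound": round(brute_force_bits(new), 1),
        "trivial_rotation": is_trivial_rotation(old, new),
    }

if __name__ == "__main__":
    # The passwords are the ones quoted in the post.
    print(audit("bananas1", "bananas2"))
    print(audit("bananas2", "4s&7Yaofb4otC"))
```

The modelled policy accepts the bananas1 to bananas2 change even though the rotation check flags it, and rejects the 13-character password whose brute-force bound is roughly twice as many bits.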