Stupid Fucking Security Systems

[andrewducker]

When the glorious company demutualised recently, we all got some shares. Which was nice.

Said shares are now managed by an online share-dealing system run by a third party. We were all issued user names and passwords to allow us to log in to this.

My "username" is a single letter followed by a 10 digit number. My password is a 5 digit number.

Because, yes, I can remember that kind of thing.

They _did_ allow me to change the password. To another 5 digit number.

I have _no_ other 5 digit numbers in my life. So I can't reuse any other password. And I'm not going to log into this more than once or twice a year.

Which means I can either change the password to something blindingly obvious, or write it down.

And I'm never going to remember the username either. So I'll need to store that somewhere.

Probably with the number stored on it. Because the bastards _won't let me_ choose a blindingly obvious password. Or one with a simple pattern. At least not one simple enough that I can remember it.

Why is it that my bank (who manage thousands of pounds) is happy with a rotating series of five questions, whereas my share dealing company (which is looking after £500 worth of shares I didn't even earn) requires security so annoyingly over the top that I'm going to have to violate basic security principles just so I can log in in the future?

Comments

[dalglir.livejournal.com]

Get a password safe. YAPS is free. I use it on my PDA. Look for it on palmgear.com.

One memorable password is all you need.

[andrewducker]

Yes, but then I'm back to having a single password again.

I mean, theoretically I'm actually perfectly safe anyway, because it'll be written down at home, in a drawer, and I'll be fine.

But that's not the point - if they're worried about security there are better ways of dealing with it than long strings of impossible to remember numbers.

There are a couple of places I use that I want to keep secure. I have _no_ idea what my password for them is. If I want to log in then I click the "I forgot my password" button, log in via the "change your password" link (with a random splurge of characters), do whatever I need to, and then log out. Nobody can guess my password because I have no idea what it is.

I forsee a time when there will be some kind of back-channel confirmation like this for all secure transactions. You'll either get a text or an email saying "Did you mean to spend £5000 on used bicycles?" and have to confirm that you really did...

[octopoid-horror.livejournal.com]

I get lots of email from ebay and paypal wanting me to confirm things.

Funnily enough, I don't open any of them...

[andrewducker]

But that's because (a) you know when you've just used ebay/paypal/amazon and these don't arrive within 5 minutes of you buying something and (b) there's no way for you to recognise that the spam is actually from them.

If (for instance) you gave paypal a passphrase, so that all emails from them had the phrase "Gott Im Himmel!" in the subject line, you'd be more likely to actually open them.

[octopoid-horror.livejournal.com]

There was an article I think I sent you a few months back. One of the big banks had emailed all its customers. Except many people are now so used to (in some cases)/terrified of (in many other cases) the evil hax0rz "phishing" for their bank details that they delete all emails from banks just to be on the safe side.

I have no idea if Ebay actually send me useful emails. I don't open them since I know that most are spam, but I don't want to open them to check, so I just read the messages on the site itself.

[andrewducker]

If you're using Thunderbird or any other mail client than Outlook/Outlook Express then you're safe to open emails.

But yeah, as I said, you'd need a clear _personal_ identifier in the subject line to let you know that it was from the people you'd actually given the security token to. It couldn't be a generic thing in subject lines they sent everyone (or spammers would copy it in about 24 seconds), it'd have to be something that only you and they knew.

[octopoid-horror.livejournal.com]

However, with some it's -very- hard to tell if it's spam or not.

I don't really want to invest time and effort in working out if they are or not, and since ebay has the built in messaging on the website, that's the safer option.

[skington.livejournal.com]

Paypal actually explicitly mention your username in the body of any email they send you, so you can tell they're who they say they are. (Phishers don't.) The rationale is that if spammers know your Paypal username, they've either hacked your machine, in which case you're already fucked, or they've hacked Paypal, in which case the entire world is fucked.

[surliminal.livejournal.com]

I imagine most people use yr of birth plus x so you only have to remember x.

[dalglir.livejournal.com]

"Yes, but then I'm back to having a single password again"

Well. Kind of. I use cart around YAPS on my PDA and I use it with a single non-trivial password that I regularly update. You can also use symbols as well as alphanumerics. Behind that are all the other passwords that I can't be arsed to remember.

I find it very convenient.

"I forsee a time when there will be some kind of back-channel confirmation like this for all secure transactions. You'll either get a text or an email saying "Did you mean to spend £5000 on used bicycles?" and have to confirm that you really did..."

I'd love for that to happen.

[octopoid-horror.livejournal.com]

Our banking team use a certain popular payment system to make all the payments from company bank accounts. On the older version of the system each user has a card, that can be used on just one computer, at the back of our office. So you put in the password for that computer (known to all the people who use it), then you need your card. Then you need a six figure number. Which you have to change once a month, but if you forget it, it cannot get reset... I ran out of phone numbers that I could remember quite quickly.

[despotliz.livejournal.com]

Cambridg board of Graduate Studies give you a semi-random username (year of first application then random string of numbers, as far as I can see) and a completely random password you cannot change. If you apply one year, get rejected, and apply again the next year, you have the same username and password and assume you still have the letter with them on from last year. It drives me up the wall having to find them every time I need to log on and check my status, which is fairly regularly but not regularly enough that I learn the random password.

[andrewducker]

I just realised I can still remember my Stirling Uni student number. Which was 9008948/7. The first two digits of which point out exacty how incredibly old I am...

[prynne.livejournal.com]

I think you should do a voice post.


So I can hear you talk.


thats really all I have to say.


but you should. You know. Because, talking.


Does LJ have non-USA numbers yet?

[andrewducker]

I'd just be horribly disappointing - I have a slightly blurry South of England middle class accent. I'll look into it for some point though :->

[prynne.livejournal.com]

ok. whatever.


But it would be you.

I mean, I'm just saying.

talking.

very good. :)

[allorin.livejournal.com]

He rambles.

At least when he types, the rambling is cut out... ;+)

[prynne.livejournal.com]

ha! Gotcha, and duly noted. :)


Sometimes the rambling is the best part, though.

[dalglir.livejournal.com]

What wrong with "slightly blurry South of England middle class accent"?

:-P

[chuma.livejournal.com]

Here's a way to remember the 5 digit password. Make up a sentence of 5 words where each word has the same number of letters as the number.

eg: 'This Would Be An Example' would be for 45227

That way you can remember the phrase and work the numbers out.

[figg.livejournal.com]

Bruce Schneier says Write down your password (http://www.schneier.com/blog/archives/2005/06/write_down_your.html):

This is good advice, and I've been saying it for years.

Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.

[azalemeth.livejournal.com]

My bank sent me a little card with my userID printed on it for online banking - it is just a string of 12 digits. My password is my own choice, and they don't appear to care too much about it. However, I also have a "secret phrase", between six and twelve characters, with at least one number. They annoy the hell out of me every time I log on by asking me for _random_ characters from it. Considering I don't exactly need to know my bank statement every day, and that it's awkward enough remembering what character six is, and whether I'd changed the 'e' to a '3' in the string, I don't really mind - it is paranoid enough to be important, and not paranoid enough to be overtly restrictive.

Incidentally, forcing passwords to be numerical is always a bad thing. Write to/email the company and complain?