Security Too Much = Less
Posted in the web, Security, e-commerce on June 17, 2008 at 2:05 pm
I’m sure I’ve said before that if you make safety / security procedures too complex, people will just bypass them and leave you worse off than before. Another example has just arisen from good old Tesco. To get into my account they want the 1st, 3rd & 4th digits of my PIN & the 2nd, 5th and 8th letters of my password. Typing all of it would be easier; missing 1 digit out of my PIN isn’t going to save my account from hackers, is it? As for my password, I end up either writing it down & counting which letter is where, or reciting it down my fingers (usually out loud or at least with moving lips!). Either way it would be more secure if I just typed the damn thing in. My other gripe with Tesco security is they only accept 8 character passwords. Well, I say accept: you can type 12 characters on the register page but they trim it to 8, and if you enter more than 8 on the login they reject it.
All in all, longer passwords and none of this 1st, 3rd & 8th business would make life easier AND more secure.
Comment by Dan Jones - June 17, 2008 on 2:48 pm
Longer passwords are not necessarily more secure - in my experience - and I do IT security for a living!
Someone having a keylogger on their machine is just one example of the reasons for this. This is why banks and other websites use the letter x of password (and why Barclays etc. use drop-downs). Keyloggers are more common than you are probably aware (we get > 200 trying to install daily according to our AV logs). Users without AV in many cases have them. I would never consider using a PC not owned by me for Internet banking for exactly this reason.
Also it’s proven (don’t ask me to point out the research) that longer passwords lead to users writing the password down.
The true solution is hardware tokens which banks such as Barclays already use. But these are of course more of a pain to use.
I agree though that a system only accepting 8 characters when you want to enter more, is plain silly.
My question is why can’t websites/banks/etc work via username, pin and fingerprint say - or other biometric. Wouldn’t that be simpler?
Comment by davef - June 17, 2008 on 6:28 pm
Hmm, maybe I’m self-contradicting when I say have longer passwords but keep things simple! 8 does seem a bit short though, and a whole word is easier to remember than half of one…
As for key loggers, I guess they would have to see me log in with 3 digits a couple of times before they got all 4 digits of my PIN. I was going to suggest a Bluetooth immobiliser-type h/w device but I guess Bluetooth & secure don’t go together too well!
Could a key logger not also capture the biometric data? Most fingerprint scanners are USB, aren’t they?
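The "see me log in a couple of times" point in the comment above can be put into numbers. The following is an added example, not code from the post or either commenter: for a site that asks for k randomly chosen positions of an n-character secret, it computes the expected number of logins a keylogger must capture before every position has been revealed at least once, using Tesco's 3-of-4 PIN and 3-of-8 password as the inputs (the assumption is that the site picks the positions uniformly at random each time).

```python
from fractions import Fraction
from functools import lru_cache
from math import comb
import random

def expected_logins_to_full_disclosure(n: int, k: int) -> Fraction:
    """Expected number of 'k positions out of n' challenges an observer must
    capture before every one of the n positions has been revealed at least once.
    Assumes each challenge picks k distinct positions uniformly at random."""
    total = comb(n, k)

    @lru_cache(maxsize=None)
    def expect(seen: int) -> Fraction:
        # seen = number of distinct positions the observer already knows
        if seen >= n:
            return Fraction(0)
        acc = Fraction(1)   # the challenge about to be observed
        stay = Fraction(0)  # probability it reveals nothing new
        for new in range(k + 1):
            # 'new' of the k asked positions are unknown; comb() is 0 if impossible
            ways = comb(n - seen, new) * comb(seen, k - new)
            if ways == 0:
                continue
            if new == 0:
                stay = Fraction(ways, total)
            else:
                acc += Fraction(ways, total) * expect(seen + new)
        return acc / (1 - stay)  # E[seen] = 1 + stay*E[seen] + sum(p*E[seen+new])

    return expect(0)

def simulate(n: int, k: int, trials: int = 5000, seed: int = 1) -> float:
    """Monte Carlo cross-check of the exact calculation above."""
    rng = random.Random(seed)
    logins = 0
    for _ in range(trials):
        seen = set()
        while len(seen) < n:
            seen.update(rng.sample(range(n), k))
            logins += 1
    return logins / trials

if __name__ == "__main__":
    # Tesco's scheme as described in the post: 3 of 4 PIN digits, 3 of 8 letters
    for label, n, k in (("PIN 3-of-4", 4, 3), ("password 3-of-8", 8, 3)):
        e = expected_logins_to_full_disclosure(n, k)
        print(f"{label}: {float(e):.2f} captured logins on average "
              f"(simulated {simulate(n, k):.2f}); typing the whole secret: 1")
```

Asking for three of four PIN digits raises the observer's cost from one captured login to about 2.3, and three of eight password letters to about 6.6, which is the scale of protection the partial-entry scheme buys against a keylogger.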