Security Passwords

Hi there,

I am wondering if other people are having issues with banking security passwords?

A lot of them seem to be moving to picking certain letters from passwords. Now, I don't have a problem with the theory, but with the length of the passwords. The longer you make the password, the more likely it is that you will need to write it down to fill in the drop-down boxes, therefore negating any security!

There seems to be a train of thought that the longer you make the password the more secure it is when in fact the reverse is true.

To cap it all, I have just been on the NSI site, where they ask for FIVE security questions out of a selection of just ten questions, only one of which I could guarantee to remember without writing the answer down.

Isn't it time for some common sense with this?

Simon

Comments

  • masonic
    masonic Posts: 27,160 Forumite
    Many people use secure password management tools like lastpass or keepass.

    On the subject of asking for particular characters from a password and not the password in full, this is a good thing. It means the information you need to log in is different each time, so phishing and keylogging attacks are much more difficult.

    I have to agree with you on the 'security questions' though. Some banks allow you to choose your own, but I really don't want to use my mother's maiden name, birthplace or first school as a "secret password". When I'm forced to use a stupid security question, I usually have to make up answers that are totally unrelated to the question, which makes life more difficult.
  • cyborg421
    cyborg421 Posts: 11 Forumite
    edited 4 August 2011 at 9:29PM
    I totally agree that picking certain letters/numbers is a good idea.

    My point is that the longer the password is, the more the risk of having to write it down increases.

    If 4 digits is safe enough for cash machines, 6 should be enough for passwords or digits.

    The Post Office credit card uses a six digit password with drop down boxes. I have no problem with that and I do not need to write it down.

    We shouldn't have to (nor need to) resort to Keepass or similar to remember passwords for the majority of people.


    Simon

    PS Because of the stupidity of the security questions at NSI, I am now removing a substantial sum in Premium Bonds because I couldn't find 5 security questions I could guarantee to answer. It was the only route out. I would have thought the Government could ill afford to lose any savers.
  • masonic
    masonic Posts: 27,160 Forumite
    edited 4 August 2011 at 10:23PM
    cyborg421 wrote: »
    My point is that the longer the password is, the more the risk of having to write it down increases.

    If 4 digits is safe enough for cash machines, 6 should be enough for passwords or digits.
    The difference between a cash machine and your computer is that a cash machine offers 2 factor authentication (you can't use it without your card) and it also isn't connected to the internet (which makes it more difficult for your PIN to be compromised when you enter it).

    The reason that a longer password offers enhanced security when entering specific characters using drop-down boxes is that repetition is far less likely. With a 6 character password, an observer would be able to capture your whole password after observing very few logins. Assuming 3 characters are needed, there are only 20 arrangements of a 6 character password, compared with 56 for 8 characters and 220 for 12 characters. Remember that with bank logins, a brute force attack is not feasible (since they tend to lock you out after 3 incorrect logins) so a super-random password isn't necessary. In fact, the word "necessary" is 9 characters; add a couple of digits to the end and you have a fairly memorable 11 character password. Since you are only entering 3 characters at a time, the only weakness in that approach is that an observer would be able to fill in the blanks more quickly if they were able to capture several logins, but still probably not as quickly as for a 6 character password.

    Writing the password down, providing it is kept relatively secure, is probably preferable to limiting the security of the password. It's quite easy to obfuscate a written record of a password. Once upon a time, I used a kind of written shorthand to prompt me as to the different pieces that made up a password while never recording any part of the password itself.
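The following is an added example written for this thread, not code from any poster or any bank. It works through the arithmetic in masonic's reply above (20, 56 and 220 position sets for "3 characters from 6, 8 or 12") and the earlier point about partial passwords resisting keylogging, by estimating how many observed logins an observer who records each challenge needs before the whole password is known. It assumes the site picks the requested positions uniformly at random and independently on every login; that is an assumption for the sake of the model, not a description of any real bank's scheme.

```python
import math
import random


def challenge_arrangements(length: int, asked: int) -> int:
    """Number of distinct position sets a site can ask for when it requests
    `asked` characters from a password of `length` characters.
    C(6,3) = 20, C(8,3) = 56, C(12,3) = 220, matching the figures in the thread."""
    return math.comb(length, asked)


def expected_logins_to_full_recovery(length: int, asked: int) -> float:
    """Expected number of observed logins until every position has been asked
    for at least once (i.e. a keylogger has the whole password).

    Assumption: each challenge is a uniformly random `asked`-subset of the
    positions, drawn independently per login.  This is a coupon-collector
    problem with `asked` distinct coupons per draw.  By inclusion-exclusion,
    a fixed set of j positions is still unseen after one login with
    probability p_j = C(length - j, asked) / C(length, asked), so
        E[T] = sum_{j=1..length} (-1)^(j+1) * C(length, j) / (1 - p_j).
    (math.comb returns 0 when the subset is too small, so p_j = 0 there.)
    """
    total = math.comb(length, asked)
    expectation = 0.0
    for j in range(1, length + 1):
        p_j = math.comb(length - j, asked) / total
        sign = 1 if j % 2 == 1 else -1
        expectation += sign * math.comb(length, j) / (1.0 - p_j)
    return expectation


def simulate_observer(length: int, asked: int, rng: random.Random) -> int:
    """One run of an observer (shoulder-surfer or keylogger) who records the
    positions and characters shown at each login.  Returns the number of
    logins observed before every position of the password is known."""
    seen = set()
    logins = 0
    while len(seen) < length:
        seen.update(rng.sample(range(length), asked))
        logins += 1
    return logins


def mean_simulated_logins(length: int, asked: int,
                          trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of expected_logins_to_full_recovery, used here as
    an independent check on the closed-form expression."""
    rng = random.Random(seed)
    return sum(simulate_observer(length, asked, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    asked = 3
    print(f"{'length':>6} {'challenges':>10} {'E[logins] exact':>16} {'simulated':>10}")
    for length in (6, 8, 12):
        print(f"{length:>6} {challenge_arrangements(length, asked):>10} "
              f"{expected_logins_to_full_recovery(length, asked):>16.2f} "
              f"{mean_simulated_logins(length, asked):>10.2f}")
```

The 20/56/220 figures count distinct challenges; the expectation is the number that matters against an observer, and it grows with length (roughly 4.3 observed logins for a 6-character password versus about 6.6 for 8) but not dramatically, because every observed login still leaks three characters whatever the length. That is the quantitative version of masonic's caveat: a longer password buys time against a patient observer, and the lockout policy is what actually stops guessing.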
  • missile
    missile Posts: 11,763 Forumite
    I have dozens of passwords for work and personal systems. Some have to be renewed at regular intervals and I find it impossible to remember them all.

    If you do choose to write them down, there are simple ways to improve security. Write them down somewhere safe. Write passwords backwards. Add a prefix of, say, two spurious characters. Most systems require more than one password. Write each down in separate locations.
    "A nation's greatness is measured by how it treats its weakest members." ~ Mahatma Gandhi
    Ride hard or stay home :iloveyou:
  • DCFC79
    DCFC79 Posts: 40,641 Forumite
    Don't make them extremely long then; keep them to 8 characters long and write them down. I wrote them down as I could forget them, as I have a variety of passwords for different email accounts, bank accounts, eBay, Credit Expert etc.
  • closed
    closed Posts: 10,886 Forumite
    There is nothing wrong with writing them down (or part of them down), just lock the piece of paper up, and use your own mental code to fill in the bits a criminal would need to make use of them.
  • hermante
    hermante Posts: 596 Forumite
    masonic wrote: »
    The difference between a cash machine and your computer is that a cash machine offers 2 factor authentication (you can't use it without your card) and it also isn't connected to the internet (which makes it more difficult for your PIN to be compromised when you enter it).

    Not necessarily true - ever heard of ATM viruses? ATMs have to be connected to the bank, and sometimes they will be able to have internet access, whether by design or by error. A lot of ATMs were built on Windows 2000 or XP. If you install Windows XP on a new computer now, you will very likely get infected before you can even connect to Windows Update!
  • masonic
    masonic Posts: 27,160 Forumite
    hermante wrote: »
    Not necessarily true - ever heard of ATM viruses? ATMs have to be connected to the bank, and sometimes they will be able to have internet access, whether by design or by error. A lot of ATMs were built on Windows 2000 or XP. If you install Windows XP on a new computer now, you will very likely get infected before you can even connect to Windows Update!
    I'm aware that a lot of ATMs are running Windows, but the idea that they would be allowed internet access is crazy. :eek:
  • cyborg421
    cyborg421 Posts: 11 Forumite
    edited 5 August 2011 at 8:46AM
    "The reason that a longer password offers enhanced security when entering specific characters using drop-down boxes is that repetition is far less likely. With a 6 character password, an observer would be able to capture your whole password after observing very few logins. Assuming 3 characters are needed, there are only 20 arrangements of a 6 character password, compared with 56 for 8 characters and 220 for 12 characters. Remember that with bank logins, a brute force attack is not feasible (since they tend to lock you out after 3 incorrect logins) so a super-random password isn't necessary. In fact, the word "necessary" is 9 characters; add a couple of digits to the end and you have a fairly memorable 11 character password. Since you are only entering 3 characters at a time, the only weakness in that approach is that an observer would be able to fill in the blanks more quickly if they were able to capture several logins, but still probably not as quickly as for a 6 character password."

    1) If a six digit login is "insecure" why do the Post Office use it as a system?

    2) I wasn't disputing that a longer password is more difficult to crack but as you pointed out, someone determined will probably get there in the end anyway.

    If you write the password down then it needs to be accessible and most people would put it in a position that they could access it easily - probably not somewhere relatively safe.

    There has to be a compromise between security and ease of use. Most institutions use a combination of access requirements anyway and so should be able to avoid complex passwords.

    They always tell you not to write the password down. If they don't want you to write it down then it should be easily memorable and useable.
  • cyborg421
    cyborg421 Posts: 11 Forumite
    DCFC79 wrote: »
    Don't make them extremely long then; keep them to 8 characters long and write them down. I wrote them down as I could forget them, as I have a variety of passwords for different email accounts, bank accounts, eBay, Credit Expert etc.

    You are not supposed to write passwords down. Even the chap at NS&I took in an intake of breath when I suggested that the only way I could remember them was to write them down. Not good practice.
This discussion has been closed.