I am of the firm opinion that this decreases security. So what do I do? I have a rotating formula that follows a date pattern of the last time my password was required to be changed so if you can figure out the other beginning part of my password and discover my scheme you have a much shorter password you need to figure out and then just add the numeric representation of the date on there that I use and you would be in. Thats how I get around the nightmare of constantly rotating passwords. Some systems refute my scheme by checking that I don’t use any repeating sequences from one password to another. I have a simple solution to this too. pw.txt which sits right on my desktop and lists all my logins and passwords that are required to change constantly and have strict rules about repeating sequences between passwords.

Am I being a bad computer user by using these techniques. I don’t know any other way to do it. I can’t remember 15 different passwords that change every 30-90 days. I would be contacting IT to get my passwords reset every week.

I see people with postits on their computer etc.

if you try to make security so tight that it is not possible for people to comply, they will circumvent it by using techniques such as I describe which are less secure then if you simply made your security reasonable.

Password requirements must be sufficiently stringent to make sure the password is not simply an easy word but it must support a reasonable secure password that is accepted in most systems (emigrantDirect as mentioned above with their 10 character minimum is too long. It should be 8. Most people don’t have 10 character passwords so the Emigrant password gets stuck on the sticky note, nice going for security)

I think the system in place that most banks use now of a password, a security image, and a couple individualized questions is quite good (on a side note I try to pick the types of questions that most systems have in there and so I only have about 8 or so different questions across all systems and the answers are always real easy for me to remember because I choose once that are not ambiguous and I always give the most simple answers. For example acura TL as mentioned above would never be used. Something simple like acura or camaro would be used, always 1 word answers no spaces and no capitalization on all answers, otherwise its too complicated again.

Again, my main point is security must be functional or it will be circumvented. Tighten it down too much and you actually loosen it. Less is more!

Bank of America has started to offer a SecurID type token or Text Message built in called SafePass (http://www.bankofamerica.com/privacy/index.cfm?template=learn_about_safepass). This is for logging in to their web site as well as for verifying online transactions. I believe this to be a good step in helping to secure debit and credit card transactions as it is truly a multi-factor solution requiring something you know (your PIN) and something you have (the card verified by typing in the SecurID).

For #1, answers may change or the questions are always the same. My mother’s middle name may not be that difficult to locate, especially with social engineering. Or my favorite sports team may change. Or I might forget how an answer was formatted such as my first car being an “Acura TL” or “Acura TL Type S”.

For #2, if the computer is infected with a sophisticated keylogger, the images can also be captured through screenshots.

I agree with #3. However, alot of financial sites do not support characters outside of a-z and 0-9. Some do not even recognize capitalization. I like the idea of having a minimum of 8 characters. I do not like a minimum higher than 8, such as Emigrant Direct which has a minimum of 10.

For #4, too costly and if I lose the token, I’d have to wait for days for a replacement. And is it something I carry with me as an inconvenience or is it so important that it belongs in a firesafe or safety deposit box?

For #5, every 30 days is ridiculous. I have 10+ financial accounts. I wouldn’t want to change it that often. Sorbanex-Oxley for businesses is every 90 days. If people have to change it every 30 days, people will start writing them down or coming up with lazy algorithms such as passwordMMYY where “password” is a keyword of their choosing and “MMYY” is the last time they changed the password. It can be even be current for that month.

For #6, 3 is too little. What if the caps lock is on, and you don’t realize it right away. 5 or 10 is a good number. A dictionary attack would be stopped.

For #7, too much hassle.

For #8, I run a Mac and I enjoy not having any anti-virus software. On my Windows PC, I don’t want a bunch of resource hogging programs running either.

http://uh2l.blogs.com/things_ive_noticed/2006/02/passwords_are_r.html

Also, if you are accessing the bank’s website through your browser, such programs do not work as they are not SSL-based systems, but rather use different VPN protocols. And don’t get me started on user-agent string in browsers, those are so easily overcome as to be laughable.

Security does not require breaking the internet for a large (and growing) number of users.