When security isn't
[Sep. 29th, 2009|09:27 pm]
I finally got access to my online payslips today. If you remember, I got locked out from seeing them some months ago because I couldn't tell the computer what my favourite TV program was as a child. Going through the online login system again, I'm reminded quite how bang-your-head-on-the-wall stupid the security system is. You set five answers to five mandatory security questions, any of which may be asked by the computer. Examples are:
"What was your favourite TV program as a child?" (didn't particularly have one)
"Name a celebrity you admire." (nobody particularly springs to mind)
"What was the first school you attended?" (Answer could be "Carter's Charity School", "Carter's", "Carters" or "Carter's Charity School, Pilling" depending on mood.)
This is for a website I will log into maybe three times a year and, let's face it, it's not the end of the world if it's hacked. Indeed, it would not even make a dent in my afternoon if it was hacked (ooh, someone can see my wage slips and P60 -- the ones that used to be posted into my pigeon hole freely available to be stolen by the world).
The problem with very stupid people who design security systems is that they design the security systems under the assumption that the user only actually ever uses their computer system. To be able to log into their website I need to remember their automatically generated username (not easily memorable), a password I can set, and the answers to five questions set by them, which have no particular clear answer for most people. Naturally, I've done the only logical thing: made the answers trivially derivable from the questions and written them down somewhere (and somewhere I can easily access). It's certainly hacker-friendly, but it's the only way to get round this crap without dangerous loss of sanity. [These are the same numbskulls who do such regular password expiry that I'm seriously considering writing the password for the account down somewhere too.]
In my (admittedly uninformed) opinion, part of the problem is computer security people who consider what will make their particular site secure, beginning from the assumption that the user gives two tosses about it being secure and that the user will never use another site ever. Hence the user gets an obscure username and a password with umpteen requirements (over 7 characters, under 12 characters, containing an exclamation point, a capital letter, a kanji character and a farting sound) which will be changed on a bi-monthly basis. The user then has to answer seven different security questions with no particular fixed answer. There's no sane way to deal with that mindset: write the password down somewhere and try not to keep anything valuable in it, or just email yourself a copy of the username, password and security question answers, then touch wood, throw salt over your left shoulder and hope for the best.
If username and password policies were standardised then users would have a chance. Of course, an email address as username would be too convenient and easy. You have to guess a variant of the three or four names you usually try. "rgclegg is unavailable, have you considered rgclegg_132" (yes, I'll be sure to remember that for your obscure pointless site). If password requirements were standard you could make up a little rule. First letter of second part of site URL, then d4v3h8sU!, then last letter of third part of URL... you can remember the password for any unimportant site and, unless someone cottons on to the trick, you don't lose all security if one password turns out to have been entered into the forums for the l33thaxors.org bulletin board. Try this and you'll find the passwords rejected for being too long, too short or upside down on at least 50% of sites.
So, anyone got a good system for passwords?