"The real issue with a lot of these password rules, especially the frequent change rules, is that they encourage people to write their passwords down on paper or into an unencrypted file."
Yep... After the 15th time of being asked to change my passwords for a fairly basic admin system I just couldn't figure out what greater-than-6-character string with at least one uppercase, one lowercase, one special character and one number in it I could remember, so I simply mashed the keyboard with my palm and wrote down the result on a Post-it note attached to my monitor.
My reasoning is that this system in no way needs a password, it certainly doesn't need to be this secure, and the alarm, locks and deadbolts on the doors and windows in the office are probably more secure against attack than my PC is.
"If the place where you keep the paper is secure, then that's a pretty good way of storing a password."
Physical security trumps digital security: in an office environment not so good, but ideal for home use.
Obfuscate or salt them simply if you like, to avoid casual theft.
Let's take Llonnygog's Law to its logical extreme to see how it holds up: for 15 years during the Cold War, the code meant to prevent unauthorized launching of the United States' arsenal of Minuteman nuclear missiles was apparently "00000000". Yep, Llonnygog's Law holds up pretty well!
My electricity provider's website is the worst. I have to log in to it once every three months to pay my electricity bill. Its password rules are arcane and impenetrable, and inevitably wind up with me having a password that is impossible to remember when you only use it every three months.
I usually deal with this situation by typing random rubbish in as a password, then hitting the "I forgot my password" button next time I need to log in. But they've cunningly found a way of thwarting this method. When I signed up, I had to also choose a "memorable word." Seriously. Pick a word that's memorable, that you won't have forgotten in three months' time when you come to log in next.
The end result is, of course, that I don't log in, I call them and pay over the phone. I wonder how many people ever manage to pay their bill through the website.
The other "security" function is that these dumb sites force you to record a memorable place, date and name. All in the interest of security of course. Anybody sane in security (can't be many left) knows that this usually leads to a less secure system than a more secure one.
And as for "Verified by Visa" (or the equivalent for MC), I have never, ever, entered my password correctly on that. Every time I click "Forgotten Password", enter some trivial details, enter another junk password that I'll never remember and that's it. Does this aid security in any way? No.
Verified by VISA is truly craptastic.
Although, to be fair to it, there is one mildly useful security feature. It shows me a password that supposedly only VISA know. So I know that the vendor have connected to VISA's servers. However, given the piss-poor quality of the design of that, I'm sure that's probably printed in large flashing letters on top of their building, along with my credit card number and d.o.b., whenever I use the 'service'.
My bank insists on knowing the answers to 5 security questions, a random one of which is asked alongside the Verified by VISA password. The problem is I can't actually answer a couple of them - e.g. Q. What was the name of your first pet? A. I've never had a pet so wtf am I supposed to say?
The last time I phoned them the computer asked me for the position of two letters in my password - only the two letters it asked for aren't in my password! Or the password I used before the current one, or any password I remember. Fortunately it eventually let me through to a human who confirmed it was wrong.
"Q. What was the name of your first pet?"
My first pet was called Bob and that triggered "pet name too short".
" A. I've never had a pet so wtf am I supposed to say?"
The questions can be too Yankified as well. They seem to have a fascination with memories of school days that simply doesn't exist for me.
I recently set up an online account over the phone with an institution I'd never dealt with previously. They asked me a number of verification questions, including an either-or for which both options were wrong. Which was actually the point. A fraudster would make a 50-50 bluff and then call back later and try the other option if he got it wrong, whereas the real account holder would know the correct answer and say 'neither'.
I agree that pre-defined verification questions are terrible. The most likely person to attempt to fraudulently access any website under my name is my ex-wife (again) and she knows all the answers to the usual questions. Much better to let me write in a question with a non-obvious answer.
@Nick Ryan The thing with set questions like those is that you are in charge of what you put for an answer. Memorable place? Potato. Memorable date? Pluto. I've similarly ignored answering truthfully to standard questions for a while to throw off anyone that might be capable of guessing the answer to security questions.
I just answer 'fuckyou' for the answer to every one. If it won't let you, be creative with your swear words. You get the added benefit, that if asked for them on the phone by some annoying customer service monkey you get to say 'fuckyou' to them.
1) what the fuck business do they have knowing these personal details. More info on me you can sell.
2) the very nature of the questions is EXACTLY the kinda thing you'll find the answer to on facepuke in 30 seconds.
There's the other twist to this, like google/yahoo do when you sign in to mail sometimes:
'in order to make your mail more secure and aid you recovering if you forget your password, please tell us your mobile phone number'
ah.. yeh my mobile number.. cause that's a nice bit of info there for you to sell eh. Not the colour of my eyes or how many fingers I have... no.. my mobile number, so you can flog it to the PIP scammers. fuck you. fuck you all.
"And as for "Verified by Visa" (or the equivalent for MC), I have never, ever, entered my password correctly on that. Every time I click "Forgotten Password", enter some trivial details, enter another junk password that I'll never remember and that's it."
I did that a couple of times, until I found that they accepted "shitvisa666".... Not forgotten it once since.
My bank's clientèle must have moaned a lot about the extra hassle of VbV, at least that's the best theory I can come up with, because a month or two after rollout, the password prompt was binned. Now there's just a few seconds' wait and a throbber while the vendor/PSP site contacts the bank, then it's job done.
Or it could be the vendors themselves, having gotten their ears bent with all too much "What the hell's this, I already put my card number in!" etc. Either way, if true it amounts to a damning indictment of my fellow patrons (not to mention majority shareholders, hint hint) of the bank in question.
Other, more charitable theories welcome.
I encountered that problem 3 years ago when I tried to pay my (ill in hospital) mother's phone bill; we were both with Virgin Media. They wouldn't accept my encyclopaedic knowledge of her and her account details. Eventually I drove 100 miles to her house and made the phone call from her phone, thus 'proving' my bona fides and obtaining details for making a direct transfer from my bank account. I'm surprised that they didn't accuse me of being a burglar who'd broken into her house.
And that is the failure of online, paperless billing. If you become ill and someone needs to pick up the pieces for you, well, good luck. They're probably not going to even know what bills are coming in, let alone be able to get them paid for you. I had to do this for an unrelated friend. If her billing had been electronic rather than on paper she would have been confronted with all manner of late fees, collection threats and service terminations after her hospitalization.
Around here, major banks are doing a bit of community service, and are providing website authentication services on very amicable terms. Authorization tokens from the online banks are accepted by most utilities and e-tailers.
Bank credentials have to be guarded with utmost care, obviously, but the password hell is neatly avoided.
Tokens seem like a good idea until you get the new HSBC calculator-style one for Australia.
Step 1) Turn on device with (stupid finger breaking) key press combination
Step 2) Enter PIN to activate device (!!!)
Step 3) Enter last eight digits of your account number (!!!)
If suitably annoyed, add:
Step 4) Run over device repeatedly with car before closing account.
Haha. My bank sends out a one-time-code-generating fob to use when logging in to internet banking. Each time you login, you put your PIN into the fob and it spits back a login code. It's great.
But... somehow they IMPROVE on the security of this scheme by also asking what the make and model of my first car is.
That reminds me of the beef I have with the Google authenticator and OTP devices in general: it may have escaped the people who designed this that we're not using ATMs but genuine computer thingies with lots of keys.
Why the f*ck do I have to type in 6 digits if you can get more variations out of 4 alphanumeric characters, even if I remove the ones that could be confused such as 1 and l? Hello? Forgot that we actually entered the twenty-FIRST century?
On the plus side, that is an example of an OTP that works, even if it is bound to time instead of a challenge-response approach, so well done Google (for once)...
I don't care about my eBay password being stolen, my account wasn't raided, the complex password isn't being used elsewhere and I've changed it now. What I care about is the time it took eBay to tell me it had been swiped, therefore increasing the exposure of my account being used fraudulently, but most importantly, they've let some scumbag have my name, address, phone, D.O.B. and probably other info too!! Just about all they need to impersonate me for financial gain.
Authorities should fine them a very large amount and put it in a fund to help fraud victims who have lost personal info from their eBay accounts for the next few years.
I'd like ANYONE to tell me why you'd ever store customers' personal info in an unencrypted form like eBay did (and a lot of others probably do).
Oh I can do that. It's cheaper.
Just like it's amazing the number of companies where helpdesk/tech support can see your password on their screen when you phone up. Because basic security is just too much effort.
That's a bit like BT's pisspoor excuse for a security announcement about the hack of btinternet.com.
We have a very old company email addy on there, that's still used. When it's not drowning in spam from other btinternet addresses. They forced a password reset. Didn't email us to say they were doing it, just invalidated the password on their pop server, and waited for us to guess.
Nothing on the service status on bt.com either. That service is always up, they only occasionally post a problem when it covers one exchange and after it's solved.
Great. I reset the password. But remember something I'd seen on El Reg. It was of course the bloody password reset database that had been hacked.
Surprise! Surprise! We had to reset the password the next day. Again no error message, or warning email / letter. This time I changed the security details.
At least this vindicates my policy of always lying on security questions! This email was set up ten years before I joined the company.
I found out about the eBay leak from the Beeb, and changed my password to something new and horrible when I got home. A week later (yesterday), I get an email from eBay saying they'd been hacked and I should change my password. This wasn't another, newer hack, but the original one - the one the media had been having a field day over, with eBay keeping firmly schtum throughout. I'd like to say better late than never, but I think that would be a load of balls....
I've not heard of that mobile scam before. I wonder how they allow their tills to ship out phones on credit like that? It's just asking for trouble.
Reminds me of my temping days in the mobile industry.
I was working for an insurance company, doing mobile insurance at £5-15 a month, for a chain of shops. Bronze, silver and gold. I'd been there a mere week when they sacked the person who processed credit card transactions. So I got that job. As a temp. With private access to the credit card terminal and about 10,000 files with people's card numbers and addresses on. Nothing I did was ever checked. Plus tens of thousands of other files with the direct debits and all the banking info.
After two weeks I noticed that they'd fucked up, and were only renewing the Direct Debit after a year on Gold subscriptions. Even though the contracts were for at least 2 years. They rewarded me for this act of genius on my £6 an hour temp heaven by saying thanks, and sacking me 2 weeks later. I think at that time their payment processing team, entirely staffed by temps, was down from 6 to 2. So I dread to think what state it was in. We saw our manager about twice a day.
However, we were so well run that we had the trust of the banks. We were allowed to process Direct Debits without presenting any evidence to the bank. We maintained our signed copy of the Direct Debit mandate, the bank never checked them. And obviously we had nothing to check the signature against, even though it was often in a different coloured pen (for some reason). I used to get a call from the banks' call centres every couple of hours, with a customer querying a payment on their other line. Sometimes just because we weren't called the same as the mobile company, but mostly because the salesman had filled out the insurance agreement after the customer had left, to meet his bonus targets.
Then I got one of the funniest documents I've seen in my working career. Internal audit had audited one of the stores. And posted it to the separate company who ran their insurance, rather than their own head office. Top work there chaps! The shop hadn't counted their Pay&Go top up cards (back when they were scratch card things in cellophane). Or done a stock take of any kind. In over 2 years. Apparently the staff would take a handful of them whenever they went down the pub, and sell them cheap for beer money. Probably a few handsets as well.
There were several signed, but un-processed, customer direct debit mandates for contracts and insurance. Some from months ago. With all the good details on. Some were on the side by the till, in the actual shop, on open display. Others were in the kitchen and break room. Some had made it as far as the office. The kitchen hadn't been cleaned in ages. There was rotting food in the fridge and on the work surfaces.
The report conclusion: Above average. 75%!
After being dumped, at 4 o'clock on a Friday afternoon, thanks for helping the temp get a post for next week old chaps, I think I only did one more temp job before getting something permanent, and none since. So I have just over a month of experience in the mobile phone industry (from the late 90s), and it doesn't seem that much has changed.
I once managed to get my landlady to pay for a course I was taking. The school called me to chase payment, which was in installments by direct debit. I knew I had my bank account details written down on a piece of paper somewhere on my desk, so I scouted about until I found a bank account number on my desk. Unfortunately, my landlady had an account at the same bank and what I'd found were her details.
I rattled these off to the school, who passed them on to the bank, who dutifully started transferring money out of her account, despite the name on the account being 100% wrong.
It was only three months (and three payments) later that my landlady noticed these payments on her account statement. She queried it with the bank, who queried it with the school, who queried it with me. Both the bank and I had very red faces.
I signed up on one site which required the usual additional security:
Where were you born?
What was the name of your first school?
What was your mother's maiden name?
Fair enough except for the following paragraph:
You MUST ensure your answers are unique to this site!
Bit difficult without the aid of time travel to change those answers.
It is also nice to get birthday wishes every month.
I've picked one new birthday, so I can actually remember my fake d.o.b. Rather than just picking randomly as I did before.
Except for restaurant mailing list sign-ups. Those have to be carefully picked, so you get nice vouchers, spread around when they're useful. So a couple of them are near my actual birthday. Though sadly the last one to regularly remember my birthday has closed down their branch here. So no more birthday tapas for me.
A very similar thing happened to me with Vodafone. To be fair, their security system worked reasonably well. Two days after the HTC One M8 was released, I got a text message telling me that one was ordered and on its way soon. Great! Except that I hadn't ordered one.
So I log into my account to find out that someone has logged in, ordered a phone in my name, but changed my address to one in Purfleet in Essex. I fortunately got the order cancelled and got my account reset.
However, I then had the hassle of creating a new account, mating it to my phone and then found out that Vodafone had helpfully reset my content control settings, so I was blocked from putting on a cheeky bet on the Grand National. Grrr.
This happened just before the Heartbleed saga kicked off, but I think that it's more likely that a rogue employee fancied himself a shiny new phone and picked some details at random to "borrow".
In this most recent instance, they had a record of the specific shop that the mobile handsets had been picked up from, along with the date, my address and an unusual variation on my full name. The customer services man was polite and reassuring that I had nothing to worry about but also very firm in refusing to provide me with any more details about what had happened.
Mr Tickle has been involved with Rolf Harris!!!? I thought it was that nice man off of Dad's Army! I'm never buying a Mr Bump themed bandage EVER again!
Friday Note to El-Reg Footer Writers: Go to the pub. even the f**king writers don't read your sh1t!
... Once up on a time, many, many years ago - when this place had fewer readers than journalists ... anyway ;-) ... reading all the way to the very bottom of articles was rewarded with a T-Shirt. Not that I ever read to the very bottom of any articles to have won any T-Shirts ...
Yes, and I can see now just how stressful life as an El-Reg Footer Writer is ...
... so there was me, giving one of the finest examples of your work the bigun ... and you prove just how stressed you are, by completely forgetting you'd done it!
Next you'll find yourself down the pub, winding down after another exhausting day at the El-Reg Footer Writing coal face, only to accidentally let slip your user name and password ... and before you know it Mr Cullen and CabbageBoy will have been dragged away for aiding and abetting identity fraud!
Friday Note to El-Reg Management: Shorter working hours for El-Reg Footer Writers is a must!
What's wrong with the likes of e-bay, Amazon, or banks generating a certificate to allow access when you first open an account, which the browser stores, and from then on no need for passwords at all because your browser offers up the certificate when you go to the website.
Then there's the problem of getting in when you've deleted your certificate or got another computer, which could be solved by auto-generating a 50 character password (hashed and salted of course) and telling the owner to print it out and file it away with other important papers. Just making people treat something in the same way as other important things usually means they end up taking it seriously.
Just about anything is an improvement on letting people use simple passwords because they can't be bothered to remember complicated ones, or allowing any computer in the world infinite attempts to guess your password and get at your money or enough of your info to steal your ID.
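The recovery half of the proposal above (a long auto-generated password, "hashed and salted of course", printed and filed with the important papers) is straightforward to do properly, and the details matter: a CSPRNG for the code, an alphabet without confusable glyphs so it can be typed back from paper, a slow salted hash on the server, and a constant-time comparison. The block below is an added example in Python, not code from the comment or from any bank or retailer named on this page; it does not cover the client-certificate half. The alphabet, the 5-character grouping and the PBKDF2 iteration count are choices made for this example.

```python
import hashlib
import hmac
import math
import os
import secrets

# Assumed alphabet: drops I, O, l, 0 and 1 so a code printed on paper can be typed back
# without ambiguity. 57 symbols.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789"
PBKDF2_ROUNDS = 600_000  # chosen for this example; a deliberately slow hash


def generate_recovery_code(length: int = 50, group: int = 5) -> str:
    """Random code from the OS CSPRNG (secrets), printed in groups for the paper copy."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return "-".join(raw[i:i + group] for i in range(0, length, group))


def normalize(code: str) -> str:
    """The owner types it back from paper: tolerate the grouping hyphens and whitespace,
    but nothing else (no case folding, the alphabet is case-sensitive on purpose)."""
    return "".join(ch for ch in code if ch not in "- \t\r\n")


def hash_recovery_code(code: str, salt: bytes = None):
    """Server side stores only (salt, digest). A fresh random salt per code means two users
    with the same code would still get different digests, and precomputed tables are useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_recovery_code(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_recovery_code(candidate, salt)
    return hmac.compare_digest(digest, stored)


def entropy_bits(length: int = 50) -> float:
    """How much an attacker has to guess: length * log2(alphabet size)."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    code = generate_recovery_code()
    salt, digest = hash_recovery_code(code)
    print(code)                                   # hand this to the user once, then forget it
    print(round(entropy_bits(), 1), "bits")       # ~291.6 bits
    print(verify_recovery_code(code, salt, digest))
```

Fifty symbols from this alphabet is about 292 bits of entropy, far beyond what the slow hash is protecting against; the hash is there because the database will leak eventually (the eBay case further up the thread), and the normalisation is there because the whole scheme fails if the user cannot type the code back in from the printout.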
Certificates are too difficult to handle. I can't see the banks wanting to have to support ordinary users installing them manually.
Also I can remember how much hassle it was to get Android to talk to our company proxy, in order to get emails. And the banks are increasingly moving their customers onto mobile devices.
"Certificates are too difficult to handle. I can't see the banks wanting to have to support ordinary users installing them manually."
That's a deficiency of the current implementation.
What we need is a system with decent interfaces which make handling certificates a doddle.
I have just this week done said, although with a different product.
My experience so far is mixed, not so much with the password manager but with the websites. I set the password manager to use 16 characters, and all four character types.
About half the websites I visited to set a new password wouldn't accept such a complex password.
Password aging is a stupid brute force answer to a subtle problem and only ever inconveniences the legitimate owner of the credentials said passwords 'protect'.
What is needed is more sophistication as to looking at how people *use* their credentials and detecting out-of-band usage. This is not new tech. Credit card companies have been able to do this with remarkably few false hits since the mid eighties to my certain knowledge.
Nor is using one technique to 'secure' credential usage adequate.
The mistake isn't in thinking any software solution is secure, it is in thinking that a password/userid is a person in the first place.
Many years ago, I was working for a company that decided we were to run password crackers/scanners on all the 60,000 or so users. (All that effort when the systems generally, and operating procedures, were full of more holes than *insert name of something here that is known to have lots of holes*.)
Cue the mountain of support calls this generated, but there was one that really stood out.
It turned out that the guy had moved to another job in another city (but same company). His old account had been set to redirect all email to his new account, and his old account (which had a crackable password) was still live a year later (due to slack support procedures).
I received an email which read:
"How can you tell me my password, '6inches', is easily guessable? Have you or any of your staff ever slept with me?"
The company I used to work for forced a new password every few weeks, and the system came up with various excuses why the one you chose wasn't valid. The result was that people gave up and simply used each others' login details until they could be bothered to think of one the machine liked.
The other thing that always makes me roll my eyes is when you're trying to pay a bill over the phone and the payee wants all sorts of security checks. Why they need to know all that when I'm trying to give them money is beyond me. I used to work in a collections office and we didn't care _who_ was paying the account, as long as they were paying with their own money.
I soon discovered that so were any combinations that included what it recognised as names of streets, places, English regions and nearby restaurants. The inclusion of any proper noun, even with substituted numbers for letters, rendered an entire password invalid.
Maybe the programmers want to be sure that no password is used by more than one login username?
Just a thought ...
The copy of passport is dead easy. IF the company has not seen your real passport AND got a real signature from you on the photocopy, then it's not even proof. Here in France you can get your photocopy notarized free of charge. That is a photocopy that is recorded and stamped. Now if the thief were to produce just a photocopy, then when the person goes out back to "photocopy" said document they surreptitiously photograph the person, or even tell the person they need to do that, and then call the police.
If you are silly enough to let Tom, Dick, or Harriet have your docs and walk away with them you deserve your punishment.
Is there not a market for a widespread 2-factor, or just physical, authentication service? I would use it.
Give me a key fob (or mobile phone app) with a number changing every minute that I can use on all participating websites. I'd pay £20 a year for the inherent security and lack of password hassle. Blizzard implemented something similar for stopping WoW hacking, but I just want one app for all my authentication.
It's got to be a viable business opportunity.
Given that some browsers autofill the passwords (I DO use this feature on some of the lower security sites, because I am of the opinion that if someone has physical access to my pc, I have bigger problems), and will do so repeatedly even when you're trying to change the stored password [glares at firefox], maybe an expiry of 10 false attempts might be better, possibly with a dire warning when you get down to 3 remaining.
Maybe something along the lines of "You have entered a string of passwords, all identical. You are about to get eaten by a grue"
The idea was originally to protect against offline dictionary attacks - in cases where a hacker manages to get hold of the encrypted/hashed password database (just like the recent eBay case), but you are largely correct in that this fact is now largely overlooked by people who seem to think you can throw a few million password attempts at an online system a) without being noticed and b) in a manageable timeframe.
Though bear in mind that any over-zealous incorrect-password account-suspending setup can itself be a problem, as a malicious person could use it to lock a legitimate user out.
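The exchange above is the classic trade-off: "10 wrong guesses and you're out" stops online guessing but hands anyone who knows your username a denial-of-service button, while no limit at all leaves the door open to a million guesses. A middle road is a per-account cooling-off period that grows with each failure (so a guesser gets only a few hundred tries a day) combined with a per-source cap, without ever freezing the account permanently. The block below is an added example, not code from any commenter or vendor; the thresholds (1 s doubling to 5 min, 20 failures per source per 10 min) are assumptions, and the clock is injectable so the behaviour can be checked without waiting.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Exponential per-account delay plus a per-source failure cap.

    Unlike a hard lockout, the legitimate user is never frozen out: the worst case is
    waiting `max_delay` seconds after someone else has hammered their username.
    """

    def __init__(self, base_delay=1.0, max_delay=300.0, ip_limit=20, ip_window=600.0,
                 clock=time.time):
        self.clock = clock
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.failures = defaultdict(int)        # account -> consecutive failures
        self.next_allowed = defaultdict(float)  # account -> earliest next attempt time
        self.ip_hits = defaultdict(list)        # source -> timestamps of failures

    def check(self, account: str, source: str):
        """Call before verifying the password. Returns (allowed, reason)."""
        now = self.clock()
        if now < self.next_allowed[account]:
            return False, "account cooling down"
        recent = [t for t in self.ip_hits[source] if now - t < self.ip_window]
        self.ip_hits[source] = recent
        if len(recent) >= self.ip_limit:
            return False, "source rate-limited"
        return True, "ok"

    def record(self, account: str, source: str, success: bool) -> float:
        """Call after verifying. Returns the delay (seconds) imposed on the account."""
        now = self.clock()
        if success:
            self.failures[account] = 0
            self.next_allowed[account] = 0.0
            return 0.0
        self.failures[account] += 1
        self.ip_hits[source].append(now)
        delay = min(self.max_delay, self.base_delay * 2 ** (self.failures[account] - 1))
        self.next_allowed[account] = now + delay
        return delay


def guesses_in(horizon: float, base_delay=1.0, max_delay=300.0) -> int:
    """How many guesses a single-account attacker can make within `horizon` seconds
    under this policy (guess n is allowed once the first n-1 delays have elapsed)."""
    elapsed, n = 0.0, 0
    while elapsed <= horizon:
        n += 1
        elapsed += min(max_delay, base_delay * 2 ** (n - 1))
    return n


if __name__ == "__main__":
    print(guesses_in(86_400))   # 296 guesses per day against one account
```

The exponential delay caps a single-account guesser at a few hundred attempts a day, which is why the offline attack on a leaked hash database (the scenario the comment opens with) is the one that actually needs strong hashing. What the per-account delay does not cover is password spraying, one guess against thousands of usernames from many sources; that needs the per-source cap, and ideally a check of candidate passwords against known-breached lists at set time.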
Not too long ago I set up a Skype account, using a phrase much like the Shakespearean one mentioned in the article. About 7 words, a sentence but one that only really makes sense to me (well, maybe to others, but you wouldn't guess it no matter how well you know me), and with random number/letter substitutions as well as random replacements for spaces. Skype said it was too guessable.
So I went with a sequence of characters that IIRC makes it into the top 10 (and certainly top 20) passwords at least by style. 8 characters, involving upper and lower case letters, numbers and punctuation. That it's !QAZxsw2 doesn't at ALL matter to Skype, it's perfectly acceptable. Bloody common, but acceptable.
Really, when it comes down to password security, if you close out the account after x tries (and make x reasonably low, eg 100) so that any re-activation has to be done via email or some other contact with "support", then we should be able to use whatever password we want so we can remember it (or just do what I do, reset it every bloody time because I can no longer remember them and resetting them takes less effort!)
No. You are the only person in the entire world who has ever used a password safe.
Had you read a few more comments, you'd've seen other people humblebragging their use of password safes, as several commentators do for every single Reg story that mentions passwords. This is an IT site. Most readers here know about password safes. Some use them, some don't like them, some can't be bothered.
It was ALWAYS about shifting blame to the consumer and NEVER about security.
Shackled by the credit card protection act, they were desperate for a way out - so let's make a system which 'looks' like it adds security, when actually it adds FA security at all.
As El Reg pointed out themselves:
ANYONE can reset a VbyV when they've nicked yer wallet - all you need are the basic details in anyone's wallet.
And WTF is with the 3 boxes for letters of your password???? They don't auto-tab to the next one.
I mean FFS, you type one in, then you have to mouse to the next box... and work your way through your password again mentally and work that one out.... click the mouse again... arseholes.
VbA: verified by arseholes.
In a previous life I worked at a place where our CMS, POS and Memberships were all run by one sprawling bit of bought-in software. I administered it locally, but for any heavy lifting I had to ring the vendor. The vendor was some two-bit hashed-together outfit, with one dev, one "creative" and a PA.
Best memory from that is being forwarded an unencrypted e-mail from said vendors with an Excel attachment. In the attachment were names, usernames, passwords and account permissions of all the users in plain text.
So I could have happily RDP'd into the CEO's PC, logged in as him and utterly ruined all the financials :) That being just one symptom of the place, I didn't stay past a year...