Wednesday, February 9, 2011

Password Security

To start with, I'm one of those people who tends to be more security conscious than your average Internet user. That I write as much here (and elsewhere) in a public fashion was a conscious choice, made after weighing the likely risks of doing so.

I've long used complex passwords. Typically, I've used ones that were more complex than the systems I use required. Hell, where possible, I make it so that I either need two-factor authentication or some kind of difficult-to-reproduce token rather than a brute-forceable password string.

Still, most web sites, applications, etc., rely on passwords. Most sites are less security conscious than I am, allowing short, non-complex passwords that never expire. Of the few sites that show any level of security consciousness, it seems half-assed at best. Some sites only enforce, say, a six-character minimum or, worse, only allow 6-10 character passwords. Some sites want you to have "complex" passwords, but then limit the choice of characters you can use to create that complexity.

At least one of the financial institutions I do business with falls into this limited-complex camp.

How freaking secure are your "complex" passwords when you don't allow any of ! @ # $ % ^ & * ( ) _ , or . in your passwords???

What's even more annoying about one particular financial institution is that they expire their passwords every 45 days. Now, this isn't an institution I deal with on a regular basis. My day-to-day bank allows me to pay all my bills from their portal. This other institution I only log into when I need some information. So, every time I log in, I have to change my damned password and deal with the fact that they don't allow me to make my passwords as complex as I'd like. Even more fun, they don't allow me to re-use any of the last dozen passwords. While this is good in theory, given my access frequency, that means it's going to take nearly two years before I can recycle.

Now, given that they hamstring me on the passwords I can (or would) set, it makes memorization of the password even harder. So, pretty much every time I do log in, I have to go through the "I forgot my password" hassle. If they let me set the passwords I wanted, they'd be good against a brute-force attack for a number of years (basically, a cracking tool would have to work through several hundred quadrillion combinations to stumble on my particular combination). But, no. I'm stuck with passwords that are several orders of magnitude less complex.
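To put numbers on the "orders of magnitude" argument, here is an added Python example (not from the original post) that counts the exhaustive search space a policy leaves an attacker and expresses it in bits. The 62-symbol alphanumeric set, the 6-10 character range and the 16-character "password I'd rather set" are assumptions made for the comparison; the disallowed specials are the ones listed above.

```python
import math
import string

# Special characters the post says the institution refuses to accept.
DISALLOWED_SPECIALS = "!@#$%^&*()_,."
ALNUM = len(string.ascii_letters + string.digits)        # 62 symbols (assumed policy)
ALNUM_PLUS_SPECIALS = ALNUM + len(DISALLOWED_SPECIALS)   # 75 symbols


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Distinct passwords an exhaustive search must cover when the policy
    accepts any length from min_len to max_len over the given alphabet."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(space: int) -> float:
    """Search space as bits: each extra bit doubles the attacker's work."""
    return math.log2(space)


def orders_of_magnitude(larger: int, smaller: int) -> float:
    """How many powers of ten separate two search spaces."""
    return math.log10(larger) - math.log10(smaller)


def length_to_match(alphabet_size: int, target_bits: float) -> int:
    """Shortest password over a restricted alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare_policies(restricted_max: int = 10, wanted_len: int = 16) -> dict:
    """Assumed policies: alphanumerics only at 6..restricted_max characters
    (the institution) versus the 75-symbol set at wanted_len characters (the
    author's preference). Both length values are assumptions, not from the post."""
    restricted = keyspace(ALNUM, 6, restricted_max)
    wanted = keyspace(ALNUM_PLUS_SPECIALS, wanted_len, wanted_len)
    return {
        "restricted_bits": entropy_bits(restricted),
        "wanted_bits": entropy_bits(wanted),
        "orders_lost": orders_of_magnitude(wanted, restricted),
        # length an alphanumeric-only password needs to equal wanted_bits
        "alnum_len_needed": length_to_match(ALNUM, entropy_bits(wanted)),
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(f"{key}: {value}")
```

Under these assumptions the restricted policy tops out near 60 bits while the 16-character password with specials is near 100 bits, roughly twelve powers of ten apart; an alphanumeric-only password would need 17 characters to catch up.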
