Too Many Secrets

September 13, 2010

From "a la peanut butter sandwiches" and "open sesame" to this:

  • Must contain at least three of the following four items: lowercase letters (a-z), uppercase letters (A-Z), digits (0-9), and symbols (`!#$%^&*()_+-{}|:;'?,/)
  • Must be between 8 and 32 characters in length
  • May not begin with a letter

– chances are you've been keeping secrets your whole life. By secrets, I mean those combinations of words, phrases, numbers, and symbols that are woven into almost everything we do online: passwords.

On any given day, I have to provide at least 10 different passwords to get into various networks and websites. I type in some of those passwords about 10 to 15 times a day. Daily passwords are pretty easy to remember; I could type them in blindfolded. The real challenge is remembering the passwords I don't use on a daily basis.

I have a system that used to make it pretty easy for me to remember passwords. But password requirements have become increasingly complex, so my system has become more complex to keep up with those requirements. Plus, my system has to change from site to site because different sites have different requirements. What's more, some sites require that I change my password on a regular basis. Consequently, it's no longer easy for me to remember all of my passwords.

I’m left with a few different options.

  1. I can stop using online sites that require passwords
  2. I can write them down
  3. I can store them in third party software on my phone or computer

Choice number 1 is not very practical. Choice number 2 is tough because I don't carry around a pad and paper, and I would just lose the pad and paper if I did decide to carry them around. So, I'm left with number 3.

Storing my passwords in third party software is definitely not an ideal solution. It makes the device on which I store all my passwords extremely valuable. If I lose the device or the device breaks, I'm in trouble. If my passwords are stored on my phone, and I lose my phone, I'll need to go through the process of changing all of my passwords. The passwords I store on my computer or phone are only as safe as the device that I use to store them and the single password I use to access the device and my stored passwords.

Complexity <> Security

Rather than increasing the security of online banking, complex passwords make online banking sites less secure. Password requirements have become so complex that you have to store your passwords someplace other than your memory – thus becoming less secure than a significantly less complex password. Practical usability is sacrificed in the name of password security. Online banking sites put a huge premium on password strength, but there are more pressing online security concerns that don't really hinge on the strength of your password.

Don Norman, a professor at Northwestern University, asserts:

“Although there is much emphasis on password security, most break-ins occur through other means. Thieves usually don’t break into systems using brute force. They phish, luring unsuspecting but helpful people to tell them their login name and password. Or they install sniffers on keyboards and record everything that was typed. A password’s strength is irrelevant if the thief already possesses it.”

Strict and complex rules do make it harder to guess passwords. However, password guessing can be eliminated with simpler rules: require that a password contain both letters and numbers, and freeze an account after too many invalid attempts.
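As an added example (my own code, not anything from the post or from any bank), here is a Python sketch of both sides of this argument: a checker for the three-rule policy quoted at the top of the post, a checker for the simpler letters-and-digits rule advocated here, and a login service that freezes an account after a fixed number of wrong guesses. The function and class names, the attempt limit, and the salted PBKDF2 storage are my choices. The last function makes the point numerically: once an account freezes after a handful of failures, an online guesser's odds are bounded by attempts divided by keyspace, and even a simple alphanumeric password leaves those odds negligible.

```python
import hashlib
import hmac
import os

# Symbol set taken from the policy quoted at the top of the post.
SYMBOLS = set("`!#$%^&*()_+-{}|:;'?,/")


def check_complex_policy(password):
    """Apply the three-rule policy quoted in the post.

    Returns the list of violated rules; an empty list means the password passes.
    """
    violations = []
    if not 8 <= len(password) <= 32:
        violations.append("must be between 8 and 32 characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in SYMBOLS for c in password),
    )
    if sum(classes) < 3:
        violations.append("must contain at least three of the four character classes")
    if password[:1].isalpha():
        violations.append("may not begin with a letter")
    return violations


def check_simple_policy(password):
    """The simpler rule the post argues for: 8+ characters with both letters and digits.
    (The minimum length is my assumption; the post only says letters and numbers.)"""
    violations = []
    if len(password) < 8:
        violations.append("must be at least 8 characters")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        violations.append("must contain both letters and digits")
    return violations


class LoginService:
    """Minimal login backend that freezes an account after too many failed attempts.

    Passwords are stored as salted PBKDF2 hashes, never in the clear.
    """

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self._credentials = {}  # account -> (salt, derived key)
        self._failures = {}     # account -> consecutive failed attempts
        self._frozen = set()

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def register(self, account, password):
        salt = os.urandom(16)
        self._credentials[account] = (salt, self._derive(password, salt))
        self._failures[account] = 0

    def login(self, account, password):
        """Return 'ok', 'denied', or 'frozen'. Unknown accounts are simply denied."""
        if account in self._frozen:
            return "frozen"
        stored = self._credentials.get(account)
        if stored is not None:
            salt, key = stored
            if hmac.compare_digest(self._derive(password, salt), key):
                self._failures[account] = 0  # a success resets the counter
                return "ok"
            self._failures[account] += 1
            if self._failures[account] >= self.max_failures:
                self._frozen.add(account)  # freeze until an out-of-band unlock
                return "frozen"
        return "denied"


def online_guess_probability(alphabet_size, length, max_failures):
    """Upper bound on an online guesser's success chance when the account freezes
    after max_failures wrong attempts: at most max_failures of the
    alphabet_size ** length possible passwords can ever be tried."""
    return min(1.0, max_failures / alphabet_size ** length)


if __name__ == "__main__":
    print(check_complex_policy("Summer2010!"))      # violates "may not begin with a letter"
    print(check_simple_policy("hunter22"))           # passes the simpler rule
    svc = LoginService(max_failures=5)
    svc.register("alice", "hunter22")
    print([svc.login("alice", "guess") for _ in range(5)])  # ends with 'frozen'
    print(online_guess_probability(62, 8, 5))        # about 2e-14 for 8 alphanumerics
```

Note that the complex policy in the post rejects "Summer2010!" for starting with a letter while accepting "2010Summer!", a distinction that adds nothing against a guesser who is limited to five tries anyway.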

The complexity of your password is not relevant if there is malicious software on your computer recording your keystrokes. Your password could be 100 characters long, but keylogging software would still record your password and send it along to thieves waiting to use it.

A recent article in the New York Times stated the following:

“Keeping a keylogger off your machine is about a trillion times more important than the strength of any one of your passwords,” says Cormac Herley, a principal researcher at Microsoft Research who specializes in security-related topics. He said antivirus software could detect and block many kinds of keyloggers, but “there’s no guarantee that it gets everything.”

Some of the most trafficked sites in the world have fairly simple password requirements. PayPal only requires that you enter an 8-character password. That's it! You don't have to mix letters and numbers, and you don't have to include any special symbols – just make it 8 characters in length. Clearly PayPal decided that usability is important and password strength is not all that important.

What to Do?

It's clear that traditional online banking authentication methods, regardless of password complexity, are not the best way to secure access to your financial information. Keyloggers, phishing, and password complexity itself have made passwords fairly vulnerable. Fortunately, there are some options that help secure online banking without unnecessarily sacrificing usability.

ING Direct only requires a 4-digit numeric password, but you don't type it in with the number keys on your keyboard. Rather, you use your mouse to click numbers on a virtual keypad. Using this method to collect your password significantly decreases the ability of keyloggers to steal your password.
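The paragraph describes a keypad you click instead of type. As an added example (my own model in Python, not ING Direct's implementation, whose details the post does not give), here is the server side of one way such a keypad can work: each login session gets a freshly shuffled digit layout, the browser submits only the positions the user clicked, and the server translates them back using the layout it issued. The shuffling, the class and method names, and the PBKDF2 storage are my assumptions. A keystroke logger sees nothing typed, and a logger that records click coordinates learns positions that map to different digits next session. The caveat a practitioner should keep in mind is that malware capturing the screen alongside the clicks still recovers the PIN, which is why the method reduces rather than eliminates the risk.

```python
import hashlib
import hmac
import secrets


class VirtualKeypadLogin:
    """Server side of a click-to-enter PIN keypad (illustrative model, not ING's code).

    Each session gets its own shuffled layout; the client reports back the
    positions clicked, never the digits themselves.
    """

    def __init__(self):
        self._pins = {}      # account -> (salt, derived key)
        self._sessions = {}  # session id -> (account, layout)

    @staticmethod
    def _derive(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)

    def enroll(self, account, pin):
        """Store the 4-digit PIN as a salted hash. A 4-digit space is tiny, so a
        server-side attempt limit (as elsewhere in the post) still has to exist."""
        if not (len(pin) == 4 and pin.isdigit()):
            raise ValueError("PIN must be exactly four digits")
        salt = secrets.token_bytes(16)
        self._pins[account] = (salt, self._derive(pin, salt))

    def start_session(self, account):
        """Issue a one-time session id and a freshly shuffled keypad layout.

        The layout is the list of digits in the order they will be drawn on
        screen; the client only ever reports indices into it.
        """
        layout = [str(d) for d in range(10)]
        secrets.SystemRandom().shuffle(layout)
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = (account, layout)
        return session_id, layout

    def finish_session(self, session_id, clicked_positions):
        """Translate clicked positions back to digits and verify the PIN.

        Sessions are single-use, so replaying captured positions against a later
        session (with a different layout) yields a different, wrong PIN.
        """
        session = self._sessions.pop(session_id, None)
        if session is None:
            return False
        account, layout = session
        # Reject anything that is not a valid index into the 10-key layout.
        if not all(isinstance(p, int) and 0 <= p < len(layout) for p in clicked_positions):
            return False
        pin = "".join(layout[p] for p in clicked_positions)
        stored = self._pins.get(account)
        if stored is None:
            return False
        salt, key = stored
        return hmac.compare_digest(self._derive(pin, salt), key)


if __name__ == "__main__":
    svc = VirtualKeypadLogin()
    svc.enroll("demo", "4321")  # constructed sample account
    sid, layout = svc.start_session("demo")
    print("keypad shown to user:", layout)
    clicks = [layout.index(d) for d in "4321"]  # what the browser would send
    print("positions sent:", clicks, "->", svc.finish_session(sid, clicks))
```

The positions list is all the server ever receives from the client, and it is meaningless without the layout held only in that session, which is the property that blunts a keystroke logger.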

Other innovative solutions don't ask for passwords at all. Rather than ask for a password, Confident Technologies' ImageShield product asks you to remember categories and identify pictures associated with those categories.

Confident ImageShield

A new solution named Pass Window provides two-way authentication using an out-of-band token.

In this case, the out-of-band token is a card (possibly your debit card) with a small window on it. Peering through the window allows the user to unscramble characters displayed on the screen. The user then types the unscrambled code and is logged in. The Pass Window is unique to each user, so only the Pass Window for that specific account can unscramble the characters on the screen.

The user knows they have the correct site because their Pass Window correctly unscrambles the code. The financial institution can safely authenticate the user because they provided the unscrambled code.

Clearly online fraud is a problem.  The FBI reports that there was a 22% increase in reported online fraud last year. Still, increased online banking security does not have to result in reduced usability.  In some cases, reduced usability actually reduces online banking security (e.g. overly complex passwords).

As financial institutions struggle to keep ahead of online criminals, they need to remember to keep a sensible balance between usability and security. "Because when security gets in the way, sensible, well-meaning, dedicated people develop hacks and workarounds to defeat it. Hence the prevalence of doors propped open by bricks and wastebaskets; passwords pasted on the fronts of monitors or hidden under the keyboard or in the drawer; house keys under the door mat, above the door frame, or under fake rocks that can be purchased for this purpose." – Don Norman, Interactions Magazine, When Security Gets in the Way

That wasn’t me was it?

September 8, 2010

Facebook is rolling out a feature that lets users log themselves out of their Facebook sessions remotely.  If you log into Facebook on a friend’s computer or phone, but forgot to log out, you can end that session remotely from a different device.  This is an important feature because once you log in to...

ING is Finally Opening Some Branches

September 1, 2010

At least that’s the subject of an email I received from ING this week. The actual email subject read “We’re finally opening branches – in your pocket.” Ironically, I read this email on my phone and, due to limited screen space, I only read “We’re finally opening branches.” I normally don’t open the emails...

Help Save Main Street with Cogster

August 23, 2010

When I lived in Idaho, controversy followed big businesses that wanted to build new stores on the outskirts of town. It's not that people didn't want the benefits of the new store, they just weren't sure they wanted those benefits at the cost of local businesses on Main St. Cogster is a Groupon meets...

Google Voice Actions: Novelty or The Next Logical Step in Banking?

August 16, 2010

My Google G1 phone has supported voice actions for quite a while.  I tell my phone to search for a UPS shipping site, and it brings up a list of places that ship UPS in my area.  I tell my phone to call Andy and it dials my brother. The latest version of Android...

Can Financial Institutions be a Third Place?

August 12, 2010

Starbucks recently started offering free, no registration required, wifi at all their locations.  That interests me because I made full use of Starbucks Wifi during my recent vacation that turned into a workacation.  I didn’t have to pay, but would have paid if necessary. Starbucks knows I would pay for access, but they don’t...