Passwords for bank sites - change or not?

 
 
Sheik Yurbhuti
05-18-2006

Jim Watt <(E-Mail Removed)_way> wrote:

> On 18 May 2006 18:22:32 -0000, Sheik Yurbhuti <(E-Mail Removed)>
> wrote:
>
> >> the problem with passwords now start to crop up when you have a
> >> 100 or more different passwords. post in similar thread
> >> http://www.garlic.com/~lynn/2006j.html#28 Password Complexity

> >
> >This is why utilities like password managers exist, where strong
> >encryption and (hopefully) equally strong passwords protect the rest.

>
> Bullshit. If I have to use a 'password manager' to access my bank
> account it means that it has to be installed on every machine I use.


Obviously not. If you're in a position where you have to auth from
multiple locations, ideally your passwords and any management software
shouldn't be installed on *any* of them. If it must reside on some of
them, it should be limited to the bare, necessary, minimum.

If you personally are installing your PM software on every machine
you're using, Jim, I submit you've breached yet another tenet of basic
security. And if you're not routinely rotating your passwords, your
methodology is severely flawed.

> >Yes, it's a compromise, but it's preferable to weaker passwords that
> >never change. Much more preferable.

>
> In practice none of the systems I use rely on a simple password, and
> include a good mixture of shared secrets.


You're tap dancing around how you manage to reliably access all these
systems. Care to elucidate.

> >It's also probably irrelevant in the scenario at hand, as the OP
> >didn't appear to have 100's of passwords to worry about. Only three
> >were in question.

>
> I certainly have a hundred or so passwords to remember and
> rrgf84kJ32HJ& is not one of them.


Are you the original poster? No.

If you have "a hundred or so" to remember, and can, it's almost a sure bet
your passwords are horribly weak. And even if you are that one in a
billion person who can memorize passwords of sufficient strength to
justify your "no changes" argument, your abilities are meaningless to
the vast majority of mere mortals.

Borked Pseudo Mailed
05-18-2006
Jim Watt wrote:

> On 17 May 2006 21:47:29 -0000, Sheik Yurbhuti <(E-Mail Removed)>
> wrote:
>
>>Jim Watt wrote:
>>
>>> On 17 May 2006 09:55:02 -0700, "Zoned" <(E-Mail Removed)> wrote:
>>>
>>>>The bank that doesn't ask for a password change is the one I would worry
>>>>about.
>>>
>>> It depends. If you have reason to think the password is compromised
>>> then it needs to be changed. Otherwise changing regularly only leads
>>> to confusion and the use of weaker passwords that are easier to
>>> remember.

>>
>>Any good password management policy will disallow weak passwords to begin
>>with, even ones that don't mandate regular changes. And even if this
>>weren't true, it's not given that forced password changes will lead to
>>any such thing. It's possible, but that's entirely up to the user and no
>>reason whatsoever to not implement good password management policies.
>>
>>You're painting the picture with the same fallaciously broad brush every
>>corporate minded shirt on the planet does, and advocating the exact same
>>lackadaisical security policies they are, as a result.
>>
>>Scheduled password changes guard against brute force attacks and unknown
>>compromises. Only changing them when you believe you might have to
>>assumes you can't be owned without it being obvious. A dangerous state of
>>mind indeed, but it sure is "convenient" from the customer's
>>perspective, eh?
>>
>><sigh>
>>
>>Marketing and ease of use taking precedence over common sense and proved
>>security measures. Exactly *why* we have as many notable compromises as
>>we do.

>
> All security is a compromise between making things difficult for the
> unwanted and not making it impractical for legitimate users.
>
> For instance if a bank insisted on a twelve digit password like
> rrgf84kJ32HJ& I would have trouble using their system and changing it
> regularly would be a severe problem.


If you find using pseudo-random passwords and changing them every 6 months
a "severe problem" you have absolutely no business at ALL hanging out in a
security oriented newsgroup handing out advice.

This is one of the dumbest debates I've seen here. Of COURSE changing your
password regularly is a good thing. Only totally clueless newbies or
completely lazy slobs would say otherwise.

> --
> Jim Watt
> http://www.gibnet.com

Anne & Lynn Wheeler
05-18-2006

Borked Pseudo Mailed <(E-Mail Removed)> writes:
> If you find using pseudo-random passwords and changing them every 6
> months a "severe problem" you have absolutely no business at ALL
> hanging out in a security oriented newsgroup handing out advice.
>
> This is one of the dumbest debates I've seen here. Of COURSE
> changing your password regularly is a good thing. Only totally
> clueless newbies or completely lazy slobs would say otherwise.


i know quite a few people that have on the order of 100 passwords, and
effectively only use online banking once a month for bill payment.
remembering a pseudo-random password that you only used once a month
(and possibly is one out of 100) is a non-trivial task. it is also
somewhat difficult to convince such people that they have to change
such password every six uses.

one of the reasons that banking community is looking at moving to
biometrics is that something like 30 percent of the population are
reported to write their pin number on their debit card. the knee-jerk
reaction frequently has been that biometrics like fingerprints aren't
very secure.

the counter argument is ... not very secure compared to what? giving a
person the choice of registering one of their fingers that is least
likely to handle the card ... which becomes more difficult for a
crook,

1) to copy a pin written on a lost/stolen card and replay it

or

2) to lift a fingerprint (that isn't very likely to be there) off a
lost/stolen card and replay it

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
 
Sheik Yurbhuti
05-18-2006

Borked Pseudo Mailed <(E-Mail Removed)> wrote:

> This is one of the dumbest debates I've seen here. Of COURSE changing
> your password regularly is a good thing. Only totally clueless
> newbies or completely lazy slobs would say otherwise.


Or perhaps corporate minded "yes men" who buy into the assumption that
ease of use takes precedence to security, even when security can be
greatly improved with minimal inconvenience to customers.

Borked Pseudo Mailed
05-18-2006
Jim Watt wrote:

> On 18 May 2006 18:22:32 -0000, Sheik Yurbhuti <(E-Mail Removed)>
> wrote:
>
>>> the problem with passwords now start to crop up when you have a 100 or
>>> more different passwords. post in similar thread
>>> http://www.garlic.com/~lynn/2006j.html#28 Password Complexity

>>
>>This is why utilities like password managers exist, where strong
>>encryption and (hopefully) equally strong passwords protect the rest.

>
> Bullshit. If I have to use a 'password manager' to access my bank account
> it means that it has to be installed on every machine I use.


Who the **** said you had to use a manager to access a bank account? If
you only have a couple passwords you should be able to remember them even
if they're secure. That's what Diceware is for, numbnuts.

Gee, I wonder why you have to keep shifting the goal posts in this
argument? Maybe you're full of **** again? What a surprise. NOT!

>
>>Yes, it's a compromise, but it's preferable to weaker passwords that
>>never change. Much more preferable.

>
> In practice none of the systems I use rely on a simple password, and
> include a good mixture of shared secrets.
>
>>It's also probably irrelevant in the scenario at hand, as the OP didn't
>>appear to have 100's of passwords to worry about. Only three were in
>>question.

>
> I certainly have a hundred or so passwords to remember and rrgf84kJ32HJ&
> is not one of them.


And you just remember them all, right?

Lying fukwit.

TwistyCreek
05-19-2006
Anne & Lynn Wheeler wrote:

>
> Borked Pseudo Mailed <(E-Mail Removed)> writes:
>> If you find using pseudo-random passwords and changing them every 6
>> months a "severe problem" you have absolutely no business at ALL hanging
>> out in a security oriented newsgroup handing out advice.
>>
>> This is one of the dumbest debates I've seen here. Of COURSE changing
>> your password regularly is a good thing. Only totally clueless newbies
>> or completely lazy slobs would say otherwise.

>
> i know quite a few people that have on the order of 100 passwords, and
> effectively only use online banking once a month for bill payment.
> remembering a pseudo-random password that you only used once a month (and
> possibly is one out of 100) is a non-trivial task. it is also somewhat


That's what I said.

> difficult to convince such people that they have to change such password
> every six uses.


It's not difficult at all. In fact you can force them to do it. And
people only using their online banking once a month would be less likely
to bitch because they're probably not remembering passwords anyway.
They're either writing them down on a sticky note and pasting it to
their monitor, or hopefully doing something a little more secure. Someone
who memorized a good password by using it all the time is a LOT more
likely to be annoyed by the change.

Ever have the phone company change your number on you? I have. It SUCKS!
Worse than writing checks for your January round of bills.

>
> one of the reasons that banking community is looking at moving to
> biometrics is that something like 30 percent of the population are reported
> to write their pin number on their debit card. the knee-jerk reaction
> frequently has been that biometrics like fingerprints aren't very secure.


They're no more or less secure than anything else if mishandled, or if the
protocols are breakable. That's the big bitch about PIN numbers these
days, not writing them on the card. The hardware that's supposedly secure
is crackable, and whether or not you use a 4 digit PIN, your fingerprint,
or a retinal scan combined with a 100 character random password is
meaningless.

>
> the counter argument is ... not very secure compared to what? giving a
> person the choice of registering one of their fingers that is least likely
> to handle the card ... which becomes more difficult for a crook,
>
> 1) to copy a pin written on a lost/stolen card and replay it
>
> or
>
> 2) to lift a fingerprint (that isn't very likely to be there) off a
> lost/stolen card and replay it


Most biometrics won't fall victim to lifted prints. They need to be
attached to a real live finger. There are some gadgets and gimmicks out
there that claim to simulate live fingers or allow you to use a faked
print on your own finger, but last I knew they were experimental and
unreliable.

 
Anne & Lynn Wheeler
05-19-2006
TwistyCreek <(E-Mail Removed)> writes:
> They're no more or less secure than anything else if mishandled, or
> if the protocols are breakable. That's the big bitch about PIN
> numbers these days, not writing them on the card. The hardware
> that's supposedly secure is crackable, and whether or not you use a
> 4 digit PIN, your fingerprint, or a retinal scan combined with a 100
> character random password is meaningless.


from the three factor authentication model
http://www.garlic.com/~lynn/subpubkey.html#3factor

* something you have
* something you know
* something you are

the card is a "something you have" and the PIN is "something you
know". the nominal assumption in multi-factor authentication is that
the different factors are subject to different vulnerabilities.

however the well established skimming activity has been able to
harvest magstripe information (static data that supposedly represents
the card, "something you have") and the PIN (static data "something
you know") at the same time (at compromised and/or counterfeit
terminals or devices) ... invalidating assumption about multi-factor
authentication having independent vulnerabilities.
http://www.garlic.com/~lynn/subpubkey.html#harvest

some recent posts about "yes card" and recent chip&pin skimming:
http://www.garlic.com/~lynn/aadsm22.htm#20 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#21 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#23 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#25 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#26 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#34 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#39 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#40 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm22.htm#41 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm23.htm#16 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm23.htm#17 FraudWatch - Chip&Pin, a new tenner (USD10)
http://www.garlic.com/~lynn/aadsm23.htm#19 Petrol firm suspends chip-and-pin
http://www.garlic.com/~lynn/aadsm23.htm#20 Petrol firm suspends chip-and-pin
http://www.garlic.com/~lynn/aadsm23.htm#25 Petrol firm suspends chip-and-pin
http://www.garlic.com/~lynn/aadsm23.htm#26 Petrol firm suspends chip-and-pin
http://www.garlic.com/~lynn/aadsm23.htm#27 Chip-and-Pin terminals were replaced by "repairworkers"?
http://www.garlic.com/~lynn/aadsm23.htm#30 Petrol firm suspends chip-and-pin

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
 
Jim Watt
05-19-2006
On Thu, 18 May 2006 16:05:02 -0600 (MDT), Borked Pseudo Mailed
<(E-Mail Removed)> wrote:

>Gee, I wonder why you have to keep shifting the goal posts in this
>argument? Maybe you're full of **** again? What a surprise. NOT!


Should I require any ****, I'll contact you further.
--
Jim Watt
http://www.gibnet.com
 
Jim Watt
05-19-2006
On 18 May 2006 20:45:18 -0000, Sheik Yurbhuti <(E-Mail Removed)>
wrote:

>If you personally are installing your PM software on every machine
>you're using Jim, I submit you've breached yet another tenet of basic
>security. And that if you're not routinely rotating your passwords your
>methodology is severely flawed.


Perhaps you need to read what was said more carefully.

I am not advocating the use of 'password managers' at all and
arguing that they are not appropriate as I want to be able to access
things from a wide range of machines.

Good security does not depend on a simple password, and the
actual electronic banking systems I use implement other measures.

What I do object to is systems which insist on changing passwords
where access is not particularly critical; as I do rely on
remembering passwords and have a lot of them which are unique
to the system, changes are tedious.

All security is a compromise between making things difficult but
still allowing them to be usable. Electronic banking is targeted
at the masses, not known for their caution.

It's certainly about time a standard PC came with a smartcard
reader to add another layer of authentication. However simple
passwords are not enough for anything sensitive.
--
Jim Watt
http://www.gibnet.com
 
Anne & Lynn Wheeler
05-19-2006
Jim Watt <(E-Mail Removed)_way> writes:
> Its certainly about time a standard PC came with a smartcard reader
> to add another layer of authentication. However simple passwords
> are not enough for anything sensitive.


part of the issue is that static data authentication is vulnerable to
skimming/eavesdropping/harvesting and replay attacks.

there is an issue with just a straightforward hardware token interface.
this is one of the reasons for the EU FINREAD terminal specs.
http://www.garlic.com/~lynn/subpubkey.html#finread

it has been well recognized for a long time that PCs have a large
number of vulnerabilities. FINREAD terminal was to isolate with
relatively high integrity ... 1) the hardware token interface, 2) the
PIN-entry interface, and 3) the display interface (for transaction
authentication, was the value displayed for the transaction being
authenticated, really the value in the transaction being
authenticated).

this was an attempt to minimize the chance of a compromised PC (with
viruses/trojans) being able to a) skim the PIN, b) perform interactions
with the token w/o the owner's knowledge, c) display one set of values
for a transaction but perform a totally different transaction.

the x9a10 financial standards working group had been given the
requirement to preserve the integrity of the financial infrastructure
for all retail payments.
http://www.garlic.com/~lynn/x959.html#x959
http://www.garlic.com/~lynn/subpubkey.html#x959

one of the things done in resulting x9.59 financial standard was that
it provided for the "authenticating" environment for also
authenticating transactions ... i.e. the EU FINREAD standard call for
a special high-integrity terminal ... but w/o the terminal also
authenticating the transaction, there is no proof to the relying party
that an EU FINREAD terminal is being used for the transaction ... aka
the transaction might be done purely from the PC w/o a special
terminal or might be done with a counterfeit terminal. the transaction
is authenticated ... but the environment that the transaction is
performed in is also authenticated.

one of the other things that x9.59 did was recognize that current
infrastructure has overloaded the account number ... it is required to
be exposed for use in a large number of different processes ... but
can be sufficient information for a crook to perform a fraudulent
transaction. x9.59 defined that account numbers used for x9.59
transactions can't also be used in unauthenticated transactions. this
was a recognition that with the large number of business processes
requiring the account number to be exposed ... that even burying the
planet under miles of information hiding crypto ... it would still
be impossible to prevent account number data breaches and account
number skimming.

there is also the issue that numerous studies have continued to find
that something like 70 percent of breaches resulting in various kinds
of identity and account fraud have involved insiders. this somewhat
relates to my old post of security proportional to risk
http://www.garlic.com/~lynn/2001h.html#61

there are also a large variety of man-in-the-middle attacks against
session oriented protocols ... that to eliminate the possibility,
require that transactions are explicitly authenticated, in addition to
any session oriented authentication (aka authentication performed
separately and independent of explicitly authenticated actual
operations).

lots of past posts about exploits, vulnerabilities, attacks, and
fraud
http://www.garlic.com/~lynn/subpubkey.html#fraud

--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
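As an added example (not from the thread, nor any standard's or product's own code) of the point made in this post and in the earlier three-factor post: a session that is authenticated once by a static credential and then trusts every later message accepts a transaction whose amount was altered between the PC and the bank, whereas a relying party that checks an authenticator over the transaction fields themselves rejects both the altered amount and a replay of the genuine transaction. It assumes a constructed shared HMAC key standing in for the token's signing key (x9.59 uses digital signatures) and constructed payee and amount values.

```python
import hashlib
import hmac
import json

# Constructed shared key standing in for the hardware token's signing key.
# x9.59 uses digital signatures; an HMAC is used so this runs on stdlib only.
TOKEN_KEY = b"constructed-demo-key-not-a-real-secret"
STATIC_PASSWORD = "correct horse battery"   # constructed static credential


def mac_transaction(key: bytes, txn: dict) -> str:
    """Authenticator over the transaction fields themselves, not the session."""
    canonical = json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class SessionOnlyBank:
    """Session model: one static credential at login, then every message is trusted."""
    def __init__(self):
        self.authenticated = False
        self.posted = []

    def login(self, password: str) -> bool:
        self.authenticated = hmac.compare_digest(password, STATIC_PASSWORD)
        return self.authenticated

    def submit(self, txn: dict) -> bool:
        if not self.authenticated:
            return False
        self.posted.append(txn)   # nothing ties txn to what the user approved
        return True


class TransactionAuthBank:
    """x9.59-style model: each transaction carries its own authenticator and counter."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def submit(self, txn: dict, tag: str) -> bool:
        if not hmac.compare_digest(mac_transaction(self.key, txn), tag):
            return False            # fields differ from what the token signed
        if txn["counter"] <= self.last_counter:
            return False            # counter already used: a replay
        self.last_counter = txn["counter"]
        return True


def demo_session_only():
    """(accepted?, amount posted) when the amount is altered in transit."""
    bank = SessionOnlyBank()
    bank.login(STATIC_PASSWORD)
    approved = {"payee": "electric co", "amount": 100}
    altered = dict(approved, amount=10000)        # changed between PC and bank
    return bank.submit(altered), bank.posted[-1]["amount"]


def demo_transaction_auth():
    """(altered accepted?, genuine accepted?, replay accepted?)"""
    bank = TransactionAuthBank(TOKEN_KEY)
    approved = {"payee": "electric co", "amount": 100, "counter": 1}
    tag = mac_transaction(TOKEN_KEY, approved)    # token authenticates fields
    altered = dict(approved, amount=10000)
    return (bank.submit(altered, tag), bank.submit(approved, tag),
            bank.submit(approved, tag))
```

The counter check is what FINREAD's isolated display cannot give by itself: without an authenticator bound to the fields, the relying party has no proof that what was displayed is what was submitted.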
 