Passwords for bank sites - change or not?

Jim Watt
05-22-2006
On Mon, 22 May 2006 02:54:35 +0200, Sheik Yurbhuti
<(E-Mail Removed)> wrote:

>You wouldn't have to divulge any "State Secrets" to give a general
>answer to the question


But it would involve publishing a secret which is better kept.

>The simple fact of the matter is, be it an encrypted file, password
>manager, PDA, little black book, whatever; you are using some method
>to store and recall the "nearly a hundred" passwords you claim to have
>to keep track of.


None of those as I have already said.

>This means that periodic changes wouldn't be the "severe problem" you
>claim it is because you're not remembering them anyway.


You miss the point.


>> and there are people in security groups who are a bit thick and
>> waste space signing postings with PGP pointlessly.

>
>Do you always morph into a childish netcop wannabe when you lose a
>debate Jim, or am I singularly blessed by this completely juvenile side
>of your personality?


I don't consider the argument lost, just time wasted replying to an
idiot. Quite why you feel the need to cryptographically sign
a posting here when it's not ever going to need to be proven to be
yours, and you don't show an email address to get your public key,
suggests you lack a clue about the use of PGP signing.

--
Jim Watt
http://www.gibnet.com

Jim Watt
05-22-2006
On 22 May 2006 01:05:20 GMT, "nemo_outis" <(E-Mail Removed)> wrote:

>Whatever scheme is used to record passwords/passphrases once their number
>and complexity exceeds human memory, it is important, at least in the US,
>to ensure that the "gateway" to those stored/written/recorded passwords
>depends, at least in part, on a password committed to memory.


That's a good point, analogous to the PGP keyring passphrase, for which
I see there are now programs to 'recover'.

All my sensitive passwords are memorised, and I find that using them
regularly makes them easy enough to remember; those that are not can
be recovered by some means or another, and the bank ones are in
a Psion organiser in a password-protected file.

However, the challenge is coming up with a scheme for associating
passwords with usernames on the large number of trivial systems one
needs to generate passwords for, like other people's routers and
servers, without re-using passwords.

The case of Gary McKinnon is worrying, where the US claim a
Brit with a 56k modem compromised the entire defense infrastructure
and the UK Government seem to be willing to turn him over.

Quite what a real enemy with a team of dedicated people and
broadband might do is open to speculation.

Not sure where I might stand on this as, unlike the UK, there is
currently no domestic law on computer misuse. However, I
have no interest in Area 51 or a trip to Cuba.
--
Jim Watt
http://www.gibnet.com

Squirrel
05-22-2006
Gualtier Malde wrote:

> Is the password change a necessity or is it perhaps making up
> for lazy security measures?



Gene Spafford has a wonderful essay on password change and other best
practices at http://www.cerias.purdue.edu/weblogs...neral/post-30/.

My answer is that the benefit of password change is directly related to your
threat model. If you don't have a model that shows password change is
beneficial, it's hard to argue that "best practice" requires it.

I can't think of a model where every-30-day or longer password change makes
sense. I can think of a lot of models where one time passwords or other
controls do make sense.

What's the model that supports an every-30-day policy?

nemo_outis
05-22-2006
Squirrel <(E-Mail Removed)> wrote in
news:Mkrcg.27272$4H.18689@dukeread03:

> Gualtier Malde wrote:
>
>> Is the password change a necessity or is it perhaps making up
>> for lazy security measures?

>
>
> Gene Spafford has a wonderful essay on password change and other best
> practices at
> http://www.cerias.purdue.edu/weblogs...neral/post-30/.
>
> My answer is that the benefit of password change is directly related
> to your threat model. If you don't have a model that shows password
> change is beneficial, it's hard to argue that "best practice" requires
> it.
>
> I can't think of a model where every-30-day or longer password change
> makes sense. I can think of a lot of models where one time passwords
> or other controls do make sense.
>
> What's the model that supports an every-30-day policy?



Your point about threat model is valid. But I suggest a more pointed
question to ask is, "Whose threat model - the customer's or the bank's?"

Banks are interested in doing just enough to not leave themselves exposed to
suits, etc. Anything beyond that, especially if it might annoy or alienate
or just confuse some customers, while providing no incremental benefit to
the bank, is wasted effort. And providing the ability to change passwords
mostly falls into exactly that "no benefit to the bank" category. Indeed,
additional support for forgotten passwords, stale passwords, locked-out
unhappy customers, etc. would be a significant deterrent to a bank
providing such a change-your-password option, especially in mandatory form.

Regards,


Squirrel
05-23-2006
nemo_outis wrote:

> Squirrel <(E-Mail Removed)> wrote in
> news:Mkrcg.27272$4H.18689@dukeread03:
>
>> Gualtier Malde wrote:
>>
>>> Is the password change a necessity or is it perhaps making up
>>> for lazy security measures?

>>
>>
>> Gene Spafford has a wonderful essay on password change and other best
>> practices at
>> http://www.cerias.purdue.edu/weblogs...neral/post-30/.
>>
>> My answer is that the benefit of password change is directly related
>> to your threat model. If you don't have a model that shows password


> Your point about threat model is valid. But I suggest a more pointed
> question to ask is, "Whose threat model - the customer's or the bank's?"
>


Once again, what threat model supports an every-30-day policy? Please be
precise.

> Banks are interested in doing just enough to not leave themselves exposed
> to suits, etc. Anything beyond that, especially if it might annoy or
> alienate or just confuse some customers, while providing no incremental
> benefit to


Have you read http://www.occ.gov/ftp/bulletin/2005-35.txt? And the
referenced http://www.ffiec.gov/pdf/authentication_guidance.pdf? The times,
they are a changin'. And not just authentication, back end anti-fraud
systems, also.

Face it, passwords have been dead for years, no matter what the change
requirements were. Now people are waking up to the stench, and seeking
better authentication methods. Even banks.


nemo_outis
05-23-2006
Squirrel <(E-Mail Removed)> wrote in
news:Khucg.27292$4H.17323@dukeread03:

>> Your point about threat model is valid. But I suggest a more pointed
>> question to ask is, "Whose threat model - the customer's or the
>> bank's?"
>>

>
> Once again, what threat model supports an every-30-day policy? Please
> be precise.



Not what but whose. And as who is broad and various, so will the answers
be. To seek precision, or rather an illusion of precision, in such
circumstances is folly.



>> Banks are interested in doing just enough to not leave themselves
>> exposed to suits, etc. Anything beyond that, especially if it might
>> annoy or alienate or just confuse some customers, while providing no
>> incremental benefit to

>
> Have you read http://www.occ.gov/ftp/bulletin/2005-35.txt? And the
> referenced http://www.ffiec.gov/pdf/authentication_guidance.pdf? The
> times, they are a changin'. And not just authentication, back end
> anti-fraud systems, also.



I have read both - they are non-binding urgings laced with sonorous but
empty platitudes. Until banks are compelled by legislation, the costs of
suits, or the demands of customers, there is little incentive for them to
spend money and take on added support for security measures that do not
directly benefit them. And right now, for every customer that would
welcome being forced to use strong passwords and change them regularly
there are a dozen who would resent it, be confused by it, or simply bungle
it. If I were on a bank's board of directors, I wouldn't be in the van of
any movement to implement such security measures - my motto would be "After
you, my dear Alphonse!".

Regards,


TwistyCreek
05-23-2006
Squirrel wrote:

> Once again, what threat model supports an every-30-day policy? Please be
> precise.


Any threat model that includes a personnel rotation in that time period,
for one.

I briefly worked for a "contract engineering" firm. Like Kelly Girls
only for high end techs and such. They sent sometimes dozens of IT and
Quality personnel into temp working environments, a lot of them
built around government contracts.

If the permanent or incoming (sometimes we were it) sysadmins weren't
rotating ALL passwords with every rotation of these temps they were
complete fools. And a typical contract was 30 to 90 days. Nobody stayed on
past rotation unless the customer picked them up as an employee. It was in
the contract.

> Have you read http://www.occ.gov/ftp/bulletin/2005-35.txt? And the
> referenced http://www.ffiec.gov/pdf/authentication_guidance.pdf? The
> times, they are a changin'. And not just authentication, back end
> anti-fraud systems, also.
>
> Face it, passwords have been dead for years, no matter what the change


That may be true. But they're still the most popular method of auth for a
whole slew of different scenarios. Not dead at all, but possibly over the
hill and should be.

All the more reason to be overly cautious and protective of password
access, I'd say.

> requirements were. Now people are waking up to the stench, and seeking
> better authentication methods. Even banks.



Borked Pseudo Mailed
05-23-2006
TwistyCreek wrote:

> Squirrel wrote:
>
>> Once again, what threat model supports an every-30-day policy? Please be
>> precise.

>
> Any threat model that includes a personnel rotation in that time period,
> for one.
>
> I briefly worked for a "contract engineering" firm. Like Kelly Girls only


<SNIP>

Good one. How about this: I used to work in a machine shop that farmed out
certain preventative maintenance jobs to an outside firm. Cheaper, I guess,
than having someone in house do it because it had to be done at night
while machines were shut down. Plus the computer guys gave a great deal
that included some new equipment. A lot of it required some admin access,
even to servers. Servers storing prints and a lot of trade secret type
stuff. We changed some of our passwords every 2 weeks because if they had
been found out and misused by the outsiders it could have been a total
disaster. Every other Friday morning they changed because every other
Thursday night we were owned.

We did use weak passwords a lot though, and if someone had really wanted
us they could have done it anyway, so I don't know really how much this
applies. It does show that there can be more situations where regular
changes are helpful or necessary though.
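Both the contractor roll-off scenario in the previous post and the overnight maintenance window in this one tie rotation to an access event rather than to the calendar. As an added example, not code from either poster, this Python audit flags a shared credential that was not rotated after an outside party's access ended, and runs the every-30-day calendar rule alongside it for comparison; all credential names, parties and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Credential:
    name: str
    last_rotated: date          # day the secret was last changed


@dataclass(frozen=True)
class AccessEnd:
    """An outside party's access to a credential ended on this day
    (a contractor rolling off, a vendor's overnight maintenance window)."""
    party: str
    credential: str
    ended: date


def audit_rotation(creds, access_ends, today, max_age_days=None):
    """Return a list of (credential, reason) findings.

    Event-driven rule: a credential an outside party held must be rotated
    on a day *after* that party's access ended (same-day counts as not done).
    Optional calendar rule: a credential older than max_age_days is flagged
    regardless of who held it.
    """
    findings = []
    for cred in creds:
        for ev in access_ends:
            if ev.credential == cred.name and cred.last_rotated <= ev.ended:
                findings.append((cred.name, f"held by {ev.party} until {ev.ended}, not rotated since"))
        if max_age_days is not None and (today - cred.last_rotated).days > max_age_days:
            findings.append((cred.name, f"older than {max_age_days} days"))
    return findings


# Constructed sample data (hypothetical credential names, parties and dates).
CREDENTIALS = [
    Credential("file-server-admin", date(2006, 5, 1)),   # shared with temps, not rotated after roll-off
    Credential("cad-server-admin", date(2006, 5, 19)),   # rotated the morning after the vendor window
    Credential("router-admin", date(2006, 3, 1)),        # nobody outside ever had it
]
ACCESS_ENDS = [
    AccessEnd("temp-sysadmin-contract", "file-server-admin", date(2006, 5, 19)),
    AccessEnd("maintenance-vendor", "cad-server-admin", date(2006, 5, 18)),
]
TODAY = date(2006, 5, 23)

if __name__ == "__main__":
    for name, reason in audit_rotation(CREDENTIALS, ACCESS_ENDS, TODAY, max_age_days=30):
        print(f"{name}: {reason}")
```

The event-driven rule alone flags only the credential the temps still effectively hold; the 30-day rule additionally flags router-admin, which nobody outside ever had, which is the gap between a calendar policy and a threat model that the thread is arguing about.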

Jim Watt
05-23-2006
On Mon, 22 May 2006 22:20:32 -0400, Squirrel
<(E-Mail Removed)> wrote:

>Face it, passwords have been dead for years, no matter what the change
>requirements were. Now people are waking up to the stench, and seeking
>better authentication methods. Even banks.


As I've been saying here, none of the banking systems I've seen rely
on a simple password, because they already know it's not sufficient to
secure the business.

Passwords alone are good for some things, but banking is not one.

Providing the other 'things' are good, enforcing changing passwords
and making them cryptic can be more trouble than it's worth.
--
Jim Watt
http://www.gibnet.com