Velocity Reviews - Computer Hardware Reviews

Passwords for bank sites - change or not?

Gualtier Malde
      05-17-2006
I regularly check accounts on the web sites of three financial
institutions. One is a Canadian bank, the other a Federal credit union,
and the third a Seattle-based bank.

The first two have never asked me to change passwords over the years,
while the Seattle bank makes me change every few months. It's a
nuisance, but might be more tolerable if I could be reassured that it
were necessary.

The others are heavy hitters, while the bank is fairly small (but
growing). Is the password change a necessity or is it perhaps making up
for lazy security measures?

gm

--
Remove "-nubby-" to correspond.
Zoned
      05-17-2006
The bank that doesn't ask for a password change is the one I would worry
about.
regards
Zoned - www.antirootkit.com

Todd H.
      05-17-2006
Gualtier Malde <> writes:

> The others are heavy hitters, while the bank is fairly small (but
> growing). Is the password change a necessity or is it perhaps making
> up for lazy security measures?


Not regularly changing your password is a lazy security measure on
your own part actually.

The value in regularly changing passwords is that you limit the damage
from an attacker that manages to dump a customer database but hasn't yet
chosen to use what they've found, or has used it in a way not yet
detected by you. It also adds value in a keylogging trojan
situation whereby passwords have been captured from your machine and
relayed to an attacker, but not yet used or correlated to the account
for which they're used.

Banks want to make online banking easy for consumers--it keeps their
human tellers less busy and keeps support calls down. The heavy
hitters' lack of a password change policy enforcement is a calculated
risk. If they were interested in minimizing their liability, and
maximizing your security, they'd implement such a policy. But they
also factor in their cost of providing support to individuals who
forget their passwords, or who only get online once every 3 months.

Best Regards,
--
Todd H.
http://www.toddh.net/
Jim Watt
      05-17-2006
On 17 May 2006 09:55:02 -0700, "Zoned" <> wrote:

>The bank that doesn't ask for a password change is the one I would worry
>about.


It depends. If you have reason to think the password is compromised
then it needs to be changed. Otherwise changing regularly only leads
to confusion and the use of weaker passwords that are easier to
remember.

AND if you get an email asking you to 'verify your details' it's going
to be a scam.
--
Jim Watt
http://www.gibnet.com
Sheik Yurbhuti
      05-17-2006
Jim Watt wrote:

> On 17 May 2006 09:55:02 -0700, "Zoned" <> wrote:
>
>>The bank that doesn't ask for a password change is the one I would worry
>>about.

>
> It depends. If you have reason to think the password is compromised then
> it needs to be changed. Otherwise changing regularly only leads to
> confusion and the use of weaker passwords that are easier to remember.


Any good password management policy will disallow weak passwords to begin
with, even ones that don't mandate regular changes. And even if this
weren't true, it's not given that forced password changes will lead to any
such thing. It's possible, but that's entirely up to the user and no
reason what so ever to not implement good password management policies.

You're painting the picture with the same fallaciously broad brush every
corporate minded shirt on the planet does, and advocating the exact same
lackadaisical security policies they are, as a result.

Scheduled password changes guard against brute force attacks and unknown
compromises. Only changing them when you believe you might have to assumes
you can't be owned without it being obvious. A dangerous state of mind
indeed, but it sure is "convenient" from the customer's perspective, eh?

<sigh>

Marketing and ease of use taking precedence over common sense and proven
security measures. Exactly *why* we have as many notable compromises as we
do.


Jim Watt
      05-18-2006
On 17 May 2006 21:47:29 -0000, Sheik Yurbhuti <>
wrote:

>Jim Watt wrote:
>
>> On 17 May 2006 09:55:02 -0700, "Zoned" <> wrote:
>>
>>>The bank that doesn't ask for a password change is the one I would worry
>>>about.

>>
>> It depends. If you have reason to think the password is compromised then
>> it needs to be changed. Otherwise changing regularly only leads to
>> confusion and the use of weaker passwords that are easier to remember.

>
>Any good password management policy will disallow weak passwords to begin
>with, even ones that don't mandate regular changes. And even if this
>weren't true, it's not given that forced password changes will lead to any
>such thing. It's possible, but that's entirely up to the user and no
>reason what so ever to not implement good password management policies.
>
>You're painting the picture with the same fallaciously broad brush every
>corporate minded shirt on the planet does, and advocating the exact same
>lackadaisical security policies they are, as a result.
>
>Scheduled password changes guard against brute force attacks and unknown
>compromises. Only changing them when you believe you might have to assumes
>you can't be owned without it being obvious. A dangerous state of mind in
>deed, but it sure is "convenient" from the customer's perspective, eh?
>
><sigh>
>
>Marketing and ease of use taking precedence over common sense and proved
>security measures. Exactly *why* we have as many notable compromises as we
>do.


All security is a compromise between making things difficult for the
unwanted and not making it impractical for legitimate users.

For instance if a bank insisted on a twelve digit password like
rrgf84kJ32HJ& I would have trouble using their system and
changing it regularly would be a severe problem.
--
Jim Watt
http://www.gibnet.com
Sheik Yurbhuti
      05-18-2006

Jim Watt <_way> wrote:

> >Any good password management policy will disallow weak passwords to
> >begin with, even ones that don't mandate regular changes. And even
> >if this weren't true, it's not given that forced password changes
> >will lead to any such thing. It's possible, but that's entirely up
> >to the user and no reason what so ever to not implement good
> >password management policies.
> >
> >You're painting the picture with the same fallaciously broad brush
> >every corporate minded shirt on the planet does, and advocating the
> >exact same lackadaisical security policies they are, as a result.
> >
> >Scheduled password changes guard against brute force attacks and
> >unknown compromises. Only changing them when you believe you might
> >have to assumes you can't be owned without it being obvious. A
> >dangerous state of mind in deed, but it sure is "convenient" from
> >the customer's perspective, eh?
> >
> ><sigh>
> >
> >Marketing and ease of use taking precedence over common sense and
> >proved security measures. Exactly *why* we have as many notable
> >compromises as we do.

>
> All security is a compromise between making things difficult for the
> unwanted and not making it impractical for legitimate users.


Reasonable password management isn't impractical. Requiring a password
change every 6 months isn't unreasonable. It's a marvelous policy, and
no normal person should have any problem relearning a sufficiently
strong password twice a year, or using a suitable method of storage and
retrieval.

You're trying to prop up an argument that flies in the face of every
shred of common sense, and the advice of every knowledgeable security
professional that ever lived. I seriously doubt you're going to get
very far, but if you must you must I suppose.

> For instance if a bank insisted on a twelve digit password like
> rrgf84kJ32HJ&


I take it that by choosing your example as you did you're waffling on
your original statement that "changing regularly only leads to
confusion and the use of weaker passwords", and arguing that only very
hard to remember passwords would be problematic now? I already said as
much Jim. It's still no reason for not implementing good security
policies.

Or are you going to now try and argue that something along the lines of
'29globaldog*bananahouseJill' would be crackable in 6 months and too
complicated for someone to relearn twice a year? Even if it meant
protecting their investments and finances? Or maybe something like
'GarvolapopImuswak'. Either example is more than secure enough, and
certainly easy for someone to remember for 6 months after a brief study
period. Very brief.

By the way, your example was 13 characters, not 12. A minor niggle that
has more impact on security than memorability, but an impact on both
none the less.

> I would have trouble using their system and


I would not. I'd work out some sort of mnemonic, or keep hard to
remember passwords secured away in a password manager or encrypted file
that required an overly secure passphrase to access. Just as I do now.

In the OP's scenario where we're assuming he generates his own
passwords I'd use the above and/or devise random pronounceable strings
or use Diceware.

> changing it regularly would be a severe problem.


I'm sorry to hear that. You might find these links of some assistance:

http://www.diceware.com/

http://www.pitt.edu/~wek3/rndpwd.html

http://www.schneier.com/passsafe.html

http://www.umm.edu/altmed/ConsHerbs/GinkgoBilobach.html

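The Diceware method linked in the post above, together with the length and entropy arithmetic behind the "12 vs 13 characters" exchange, as an added illustration. This is not code from any post in this thread or from diceware.com. The 36-word list is constructed for the example; the real Diceware list has 7776 words and is assumed, not embedded. Only the Python standard library is used.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware word list (assumption: the real list at
# diceware.com has 7776 = 6**5 words indexed by five dice rolls 11111..66666;
# it is not embedded here). This toy list has 36 = 6**2 words indexed by two
# dice rolls 11..66, which keeps the example self-contained. Only the list
# size changes the entropy arithmetic below.
TOY_WORDS = (
    "able acid aged also area army away baby back ball band bank base bath bear "
    "beat been beer bell belt best bill bird blow blue boat body bomb bond bone "
    "book boom born boss both bowl"
).split()

REAL_DICEWARE_SIZE = 7776  # 6**5, size of the published list (assumed)


def roll_dice(n):
    """Roll n fair dice with the OS CSPRNG. random.random() is not suitable
    here: its output is predictable from a small sample of it."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n))


def word_from_rolls(rolls, wordlist=TOY_WORDS):
    """Map a roll tuple to a word. Each die is a base-6 digit (1..6 -> 0..5),
    so the tuple is an index into a list of 6**len(rolls) words."""
    index = 0
    for die in rolls:
        if not 1 <= die <= 6:
            raise ValueError(f"die value {die} is not in 1..6")
        index = index * 6 + (die - 1)
    return wordlist[index]


def diceware_passphrase(n_words, wordlist=TOY_WORDS):
    """Generate n_words words, each chosen by an independent set of rolls."""
    dice_per_word = round(math.log(len(wordlist), 6))
    if 6 ** dice_per_word != len(wordlist):
        raise ValueError("wordlist size must be a power of 6")
    return " ".join(
        word_from_rolls(roll_dice(dice_per_word), wordlist) for _ in range(n_words)
    )


def passphrase_bits(n_words, wordlist_size=REAL_DICEWARE_SIZE):
    """Entropy of a passphrase drawn uniformly from wordlist_size**n_words
    possibilities. Depends only on list size and word count, not on how the
    words are spelled or how long they are."""
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits, wordlist_size=REAL_DICEWARE_SIZE):
    """Smallest word count that reaches target_bits with this list."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def random_string_bits(s):
    """Upper bound on the entropy of s: what it would carry if every character
    had been drawn uniformly from the union of the character classes s uses.
    Honest for generator output such as the thread's rrgf84kJ32HJ&; a
    human-chosen string like 29globaldog*bananahouseJill is far below it."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    )
    pool = sum(size for chars, size in classes if any(c in chars for c in s))
    if pool == 0:
        raise ValueError("no recognised character classes in string")
    return len(s) * math.log2(pool)


if __name__ == "__main__":
    # Five toy words carry only 5 * log2(36), about 25.8 bits; the same five
    # words from the real 7776-word list would carry about 64.6 bits.
    print(diceware_passphrase(5),
          f"{passphrase_bits(5, len(TOY_WORDS)):.1f} bits (toy list)")
    thread_example = "rrgf84kJ32HJ&"
    print(len(thread_example), "characters,",
          f"{random_string_bits(thread_example):.1f} bits if random")
    print("real Diceware words to match it:",
          words_needed(random_string_bits(thread_example)))
```

Two points the code makes that the posts only gesture at: a Diceware passphrase's strength is fixed by the list size and word count alone (so a memorable six-word phrase from the real list sits near 77 bits), and the character-class estimate is only valid for strings that really were generated at random; applying it to a phrase someone composed from dictionary words overstates its strength.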
 
Anne & Lynn Wheeler
      05-18-2006
Sheik Yurbhuti <> writes:
> Reasonable password management isn't impractical. Requiring a password
> change every 6 months isn't unreasonable. It's a marvelous policy, and
> no normal person should have any problem relearning a sufficiently
> strong password twice a year, or using a suitable method of storage and
> retrieval.
>
> You're trying to prop up an argument that flies in the face of every
> shred of common sense, and the advice of every knowledgeable security
> professional that ever lived. I seriously doubt you're going to get
> very far, but if you must you must I suppose.


the problem with passwords now starts to crop up when you have 100 or
more different passwords. post in similar thread
http://www.garlic.com/~lynn/2006j.html#28 Password Complexity

shared-secrets based authentication paradigm require unique password
for every unique security domain ... as countermeasure to cross-domain
replay/impersonation attacks. lots of past posts about shared-secret
based authentication
http://www.garlic.com/~lynn/subpubkey.html#secret

references to an old april 1st, password corporate directive from
1984
http://www.garlic.com/~lynn/2001d.html#52 A beautiful morning in ARM


--
Anne & Lynn Wheeler | http://www.garlic.com/~lynn/
Sheik Yurbhuti
      05-18-2006

Anne & Lynn Wheeler <> wrote:

> Sheik Yurbhuti <> writes:
> > Reasonable password management isn't impractical. Requiring a
> > password change every 6 months isn't unreasonable. It's a marvelous
> > policy, and no normal person should have any problem relearning a
> > sufficiently strong password twice a year, or using a suitable
> > method of storage and retrieval.
> >
> > You're trying to prop up an argument that flies in the face of every
> > shred of common sense, and the advice of every knowledgeable
> > security professional that ever lived. I seriously doubt you're
> > going to get very far, but if you must you must I suppose.

>
> the problem with passwords now start to crop up when you have a 100 or
> more different passwords. post in similar thread
> http://www.garlic.com/~lynn/2006j.html#28 Password Complexity


This is why utilities like password managers exist, where strong
encryption and (hopefully) equally strong passwords protect the rest.
Yes, it's a compromise, but it's preferable to weaker passwords that
never change. Much more preferable.

It's also probably irrelevant in the scenario at hand, as the OP didn't
appear to have 100's of passwords to worry about. Only three were in
question.

> shared-secrets based authentication paradigm require unique password


Obvious. Also irrelevant. Using unique passwords, storing them
properly if necessary, and routine or necessary changes are *all* part
of secure access management. One piece of that puzzle does not make the
others any more or less significant.

> for every unique security domain ... as countermeasure to cross-domain
> replay/impersonation attacks. lots of past posts about shared-secret
> based authentication
> http://www.garlic.com/~lynn/subpubkey.html#secret
>
> references to an old april 1st, password corporate directive from
> 1984
> http://www.garlic.com/~lynn/2001d.html#52 A beautiful morning in ARM


Is a parody supposed to be hard evidence now, or were you trying to
inject humor?


Jim Watt
      05-18-2006
On 18 May 2006 18:22:32 -0000, Sheik Yurbhuti <>
wrote:

>> the problem with passwords now start to crop up when you have a 100 or
>> more different passwords. post in similar thread
>> http://www.garlic.com/~lynn/2006j.html#28 Password Complexity

>
>This is why utilities like password managers exist, where strong
>encryption and (hopefully) equally strong passwords protect the rest.


Bullshit. If I have to use a 'password manager' to access my bank
account it means that it has to be installed on every machine I use.

>Yes, it's a compromise, but it's preferable to weaker passwords that
>never change. Much more preferable.


In practice none of the systems I use rely on a simple password, and
include a good mixture of shared secrets.

>It's also probably irrelevant in the scenario at hand, as the OP didn't
>appear to have 100's of passwords to worry about. Only three were in
>question.


I certainly have a hundred or so passwords to remember and
rrgf84kJ32HJ& is not one of them.
--
Jim Watt
http://www.gibnet.com