Password/account security at its best

Old 29th Sep 2009, 11:03
  #1 (permalink)  
Per Ardua ad Astraeus
Thread Starter
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
Password/account security at its best

For obvious reasons, no names etc, but I hope someone 'there' reads this!

Tried to log on to a 'points' type card account (points from another company) to find 'username' requirements have changed. To cut a long story short, after numerous calls to both agencies, new 'name' established. Password rejected. Aha! 'Forgot password' will crack it. Wants 'mother's maiden name' (only question) - rejected - strange she'd had that quite a long time. Ah well! Back on the phone. "Mr B - the problem is we don't know your mother's maiden name" - silence from me for a moment - you need to put in 'Mother' with a capital 'M' - further gasp of surprise from me, but IT WORKS! Back to login.

To add insult to an already puzzled and bruised brain, I am now 'locked out', but that should clear in 2 days. A shining example of intelligent security measures I'm sure you all agree.
BOAC is offline  
Old 29th Sep 2009, 15:47
  #2 (permalink)  
 
Join Date: Jul 2001
Location: U.K.
Posts: 805
Likes: 0
Received 0 Likes on 0 Posts
I am totally fed up with the varying requirements for passwords from just about every IT department of every new organisation who "require" you to use their internet service to continue doing business. In days of yore, the requirement was usually a password of 6 characters. I therefore developed the policy, as I only browse the internet on my home machines to use two passwords: one for the bank and one for everything else. My bank passwords were never stored, but my other password could be depending on the problems that would be caused if anyone was to "crack it" and I doubt if anyone were to crack my PPRuNe password, I would be financially embarrassed. Since those days, the IT executives have been reading their computer manuals and requiring, in addition to 6 or 8 characters, a capital, a numeric and another symbol - or maybe not. As a result, whether I like it or not I have to "remember" a large number of different passwords so that I can monitor my relations with such organisations as British Gas, Eon, Scottish Power and many other organisations of similar ilk. I got so fed up with the "increased security" demanded by British Gas not so long ago on their paperless billing system by requiring a password revision that I stopped paperless billing and they now have to, once again, mail me every three months!
With other similar organisations where I cannot avoid their "fancy passwords" I write them on "post-its" attached to the edge of my monitor! Highly security conscious aren't I? But then if anyone is interested in the current balance of my electricity account - what good will it do them?
Having to remember user names is a similar pain. If I use my real name to register this, somebody will have beaten me to it and although a small change or addition will facilitate registration, it is invariably a different change for each organisation! Most organisations seem to have realised this by allowing one's e-mail address to be used instead, but there are still a few who bar the use of the "@" character in user names!
When my bank first gave their customers internet access for banking purposes they continued their internal practice by requiring passwords to be changed every month. On changing them, the old passwords used were recorded so that they couldn't be used again. Thus, every month, an individual's internet banking was brought to a halt while imagination was used to invent a fresh, memorable password. Eventually, inspiration became exhausted so the post-it system had to be used for banking access!
At last, the banks became so fed up with repeated telephone calls because their retail customers had forgotten their latest passwords that they dropped the system and have now found other techniques to maintain a good level of security without requiring their retail customers to use their powers of memory to excess!

Today the whole password system is a mess and for one reason or another significantly reducing the security that it should be able to provide. Unfortunately, the only way forward that I can see is another government quango determining the security required by any website and determining the level of security that the passwords it requires should be able to offer. Either this or let the customer determine the level of security required by permitting, say, a minimum of six characters so that anything can be used including capitals, numerics and symbols but not REQUIRING their use. If security is then breached, then it is the customer's fault.

P.P.
P.Pilcher is offline  
Old 29th Sep 2009, 20:45
  #3 (permalink)  

Official PPRuNe Chaplain
 
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
Likes: 0
Received 0 Likes on 0 Posts
I have a (very large) spreadsheet with all my passwords. Like yours, the great bulk of them are the same, and for the same reasons. Fortunately, there aren't many people around with the same name as me, so for close to 50% I can have the same ID as well.

But it is a pain having to look up passwords (and Credit card security numbers, and all that stuff). When they insist I must change my password, I just add a number to the end or update the existing. Mostly, their software doesn't twig that twit0001 has become twit0002: some complain "new password is too similar to old password". Those, if they are selling stuff, soon lose my business.

But if you want to hack my electricity bill (and pay it, even) feel free!
Keef is offline  
Old 29th Sep 2009, 22:17
  #4 (permalink)  
 
Join Date: Jan 2008
Location: Bracknell, Berks, UK
Age: 52
Posts: 1,133
Likes: 0
Received 0 Likes on 0 Posts
The thing that annoys me are those systems that still expect you to create and/or know an arbitrary username. What's wrong with the email address you're about to send me the details to?
Mike-Bracknell is offline  
Old 30th Sep 2009, 06:12
  #5 (permalink)  

Plastic PPRuNer
 
Join Date: Sep 2000
Location: Cape Town
Posts: 1,898
Received 0 Likes on 0 Posts
Why hassle? There are good free secure crossplatform password managers out there.

Password Gorilla

KeePassX



Mac
Mac the Knife is offline  
Old 30th Sep 2009, 06:36
  #6 (permalink)  
 
Join Date: Aug 2008
Location: Vendee
Posts: 145
Received 78 Likes on 33 Posts
KeePass is an EXCELLENT tool for storing passwords. There are no known cracks of its encryption software. Open source so it is always improved upon and you can set parameters for its use that will make it the closest thing to impregnable that you can imagine. What is clever is that it does not store your key.

Takes a bit to get used to, but well worth it.
Uncle Fred is offline  
Old 30th Sep 2009, 07:20
  #7 (permalink)  
Per Ardua ad Astraeus
Thread Starter
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
AH - but will they store my Mother's maiden name?
BOAC is offline  
Old 30th Sep 2009, 08:47
  #8 (permalink)  
 
Join Date: Aug 2006
Location: sweden
Age: 56
Posts: 103
Likes: 0
Received 0 Likes on 0 Posts
I wonder how that back door into the system can be allowed?
My mother's maiden name could be googled by anyone who knows my real name.
Of course a bogus maiden name is used for the back door to my hotmale account, which makes it useless since I can't remember what I put there
chksix is offline  
Old 30th Sep 2009, 08:58
  #9 (permalink)  
Per Ardua ad Astraeus
Thread Starter
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
I wonder how that back door into the system can be allowed?
- it is a reasonable attempt at 'security' given that a username and email address have to fit also, but having 'Mother' as the name...............................?????????/
BOAC is offline  
Old 30th Sep 2009, 09:13
  #10 (permalink)  
More bang for your buck
 
Join Date: Nov 2005
Location: land of the clanger
Age: 82
Posts: 3,512
Likes: 0
Received 0 Likes on 0 Posts
It's a bit like the systems that have 'admin' as the default password, most people don't bother to change it.
green granite is offline  
Old 30th Sep 2009, 10:29
  #11 (permalink)  
Per Ardua ad Astraeus
Thread Starter
 
Join Date: Mar 2000
Location: UK
Posts: 18,579
Likes: 0
Received 0 Likes on 0 Posts
Not really 'like', GG - there the user has some control.
BOAC is offline  
Old 30th Sep 2009, 10:57
  #12 (permalink)  
More bang for your buck
 
Join Date: Nov 2005
Location: land of the clanger
Age: 82
Posts: 3,512
Likes: 0
Received 0 Likes on 0 Posts
True...........................
green granite is offline  
