Wednesday, October 11, 2006


One of the things about IT security that really irks me is passwords. As a user I need a password for system X and a different password for system Y. Not only that, but system X requires a password at least 6 characters long with at least one alpha character and one numeric character. System Y requires a password 8 characters long, with two numeric characters and I can never reuse the same password. To add insult to injury, System Y's password expires every 45 days and system X's password expires every 365 days. I just changed my password for system Y to something I know I'll never remember.

Now, I know what you are thinking: LDAP server. Centralize the authentication and authorization and you only need to supply a password once. That's all fine and dandy when I have control over the security, but not when system X is where I do my online banking and system Y is my brokerage account.

Things are changing in the financial world, and not for the better, IMHO. At some sites, I have to answer a personal question every time I log in. Others, I have to choose a picture before I even get to enter my password. Others still, I need an RSA key along with another password. I think there should be a standard of authentication practices that your personal trading partners should have to adhere to. I've got so many passwords in my head, I can barely remember how to log in to work. In the time I wrote this post, I've forgotten system Y's password.


Joel Garry said...

This is totally impossible until we get strong non-repudiation at the hardware level, and that ain't coming soon.

Standardization at any other level means compromise, and that means compromised. You wind up with people incorrectly thinking the system is secure. Beyond that, there is the ease-of-use tug-of-war with security. Most people and administrators want to be able to go into SSO security and see a plain text password. Sheesh. And that's not even getting into the general support issue.

Maybe general availability of biometric identification will help, although certainly not at its current level of sophistication. Without non-repudiability, it may never get there either.

I'm using non-repudiation here in the sense of being able to trust identification through the entire hardware chain. As it is, there's no way to know that something in the middle hasn't been compromised, even with encryption. At the user end, there's still no way to be sure someone hasn't popped out a victim's eyeball, or read the post-it on their screen, or electrified their naughty bits.

Personally, I simply don't do online banking or trading, and only buy stuff with very few credit cards. And even with that, I've had to deal with some scary screwups.

And I still have to remember too many password algorithms.

word: ymjed. At least Y'm not jethro.

Anonymous said...

KeePass-1.05 can help.

Steve Prior said...

That's what post-it notes are for, but make sure you stick them under your keyboard so nobody will ever find them.

Jeff Hunter said...

Thanks Steve, now I have to come up with a new hiding place.

Noons said...

...or fold and drop the post-it note inside the tea bag box next to the monitor? ;-)

Whatever happened to public-private encryption authentication keys? They were, to the best of my knowledge, next to impossible to break.

The problem of course is that no one at a call centre in Bangalore would be able to understand or help someone set up/fix one.

As such, we're stuck with inferior security schemes for the convenience of those companies who chose to offshore...
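Noons asks above what became of public/private key authentication. The sketch below is an added example, not code from the post or from any of the commenters, showing the exchange such a login actually consists of: the server hands out a fresh random nonce, the client signs it with a private key that never leaves its machine, and the server checks the signature against the public key it stored at enrollment. There is no shared secret to remember, expire, or leak from a password database, which is the property the thread is circling around. The `Server`/`Client` types, the `login-v1` domain tag, and the server name `bank.example` are assumptions for illustration; Ed25519 from Go's standard library stands in for whatever key type a real deployment would pick.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server holds enrolled public keys and the one outstanding nonce per user.
// Names are hypothetical; this is an illustration, not a library API.
type Server struct {
	name    string                       // server identity, bound into every challenge
	users   map[string]ed25519.PublicKey // username -> enrolled public key
	pending map[string][]byte            // username -> nonce issued, not yet consumed
}

func NewServer(name string) *Server {
	return &Server{name: name, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll stores only the public half of the user's key pair.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh 32-byte random nonce for a single login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// message is what gets signed: a purpose tag, the server's name and the nonce.
// Binding the server name means a signature made for one site is useless at another.
func message(server string, nonce []byte) []byte {
	var b bytes.Buffer
	b.WriteString("login-v1\x00") // assumed domain-separation tag
	b.WriteString(server)
	b.WriteByte(0)
	b.Write(nonce)
	return b.Bytes()
}

// Verify accepts the response only if the nonce is the one outstanding for this
// user, then consumes it, so a captured (nonce, signature) pair cannot be replayed.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	expected, ok := s.pending[user]
	if !ok || !bytes.Equal(expected, nonce) {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(s.users[user], message(s.name, nonce), sig)
}

// Client keeps the private key; nothing secret is ever sent to the server.
type Client struct {
	user string
	priv ed25519.PrivateKey
}

func NewClient(user string) (*Client, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{user: user, priv: priv}, nil
}

func (c *Client) Public() ed25519.PublicKey { return c.priv.Public().(ed25519.PublicKey) }

// Respond signs the challenge for the named server.
func (c *Client) Respond(server string, nonce []byte) []byte {
	return ed25519.Sign(c.priv, message(server, nonce))
}

// Login runs the whole exchange and reports whether the server accepted it.
func Login(s *Server, c *Client) (bool, error) {
	nonce, err := s.Challenge(c.user)
	if err != nil {
		return false, err
	}
	sig := c.Respond(s.name, nonce)
	return s.Verify(c.user, nonce, sig), nil
}

func main() {
	s := NewServer("bank.example") // assumed server name
	c, err := NewClient("jeff")
	if err != nil {
		panic(err)
	}
	s.Enroll(c.user, c.Public())
	ok, err := Login(s, c)
	fmt.Println("public key:", hex.EncodeToString(c.Public()), "login ok:", ok, "err:", err)
}
```

The three failure cases worth checking against this code are the ones a password scheme handles badly: replaying a previously observed response (the nonce is consumed, so it fails), answering with the wrong key (signature does not verify), and a phishing site relaying the bank's challenge to the user (the server name inside the signed message does not match, so the relayed signature is rejected). None of those require the user to remember anything beyond which key file or token belongs to which site.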