Jan 21
I love my bank credit union, I really do. Today they launched a new initiative to improve security and combat phishing, by requiring all users to create a personal message and select an image from their library.
You enter your username and password in two steps now, and if you don’t see your message and image on the password screen, you know you’re not on the right site, so you don’t enter it.
So far so good. Except as part of their “enhancements,” passwords longer than six characters stopped working. Needless to say, their customer service lines have been busy all morning, and if you do manage to get through, hold times exceed half an hour.
Nice way to reward the customers of yours who actually did what the security-conscious were supposed to from the start and had longer (more secure) passwords, isn’t it?
One Response to “Desjardins “Enhances” Security: Don’t Use Long Passwords”
Hahaha. Gotta love it when banks (err, credit unions) get it wrong.
The whole “personalised login page” is a bit of a security myth in my view. The smart attacker will simply proxy the live login page, so you’ll see whatever you’d normally see. Then once you’ve logged in, they kill your session and take it over. It’s not particularly hard to do, and it bypasses almost all forms of security.
Much better, in my opinion, is challenge/response-type questions. So tell us one of 5 pieces of information we hold on you. Or please enter the 3rd, 6th and 1st characters of your password.
My bank uses both of these approaches. So short of proxying my live session, it would be nearly impossible to steal my login info. You’d need to watch me log in at least 5 times, and probably more like 10.
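The commenter's "5 to 10 logins" estimate for the partial-password scheme can be checked exactly. The following is an added example, not part of the post or the comment: it computes, for a defender evaluating such a scheme, how many observed logins it takes on average before every character position has been asked for at least once, and cross-checks the closed form with a simulation. It assumes the k requested positions are drawn uniformly without replacement on each login, which a real deployment need not do.

```python
from math import comb
import random


def coverage_probability(length: int, k: int, n: int) -> float:
    """Probability that n observed logins, each revealing k distinct positions
    of a `length`-character password, together reveal every position.
    Inclusion-exclusion over the positions that were never requested."""
    total = comb(length, k)
    return sum((-1) ** j * comb(length, j) * (comb(length - j, k) / total) ** n
               for j in range(length + 1))


def expected_logins(length: int, k: int) -> float:
    """Expected number of observed logins until all positions have been revealed
    (coupon collector where each login draws k coupons without replacement)."""
    total = comb(length, k)
    # E[N] = sum_{n>=0} P(not fully covered after n logins); summing the geometric
    # series for each inclusion-exclusion term gives this closed form.
    return sum((-1) ** (j + 1) * comb(length, j) / (1 - comb(length - j, k) / total)
               for j in range(1, length + 1))


def simulate_logins_until_exposed(length: int, k: int, trials: int = 5000,
                                  seed: int = 1) -> float:
    """Monte Carlo cross-check of expected_logins using a fixed seed."""
    rng = random.Random(seed)
    total_logins = 0
    for _ in range(trials):
        seen: set = set()
        logins = 0
        while len(seen) < length:
            seen.update(rng.sample(range(length), k))  # one login's 3 positions
            logins += 1
        total_logins += logins
    return total_logins / trials


if __name__ == "__main__":
    # Constructed scenario: the bank asks for 3 positions per login.
    for length in (6, 8, 12):
        print(f"length={length:2d} k=3  expected logins to full exposure: "
              f"{expected_logins(length, 3):5.2f}  "
              f"P(exposed after 5 logins)={coverage_probability(length, 3, 5):.3f}")
```

For an eight-character password the expected figure is about 6.6 logins, inside the commenter's range, which is why partial-password prompts limit exposure per observation rather than prevent it.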