[Cryptography] Passwords: Perfect, except for being Flawed

Kent Borg kentborg at borg.org
Wed Feb 18 12:21:05 EST 2015


A side note on spyware: HSBC Canada has a clever way to do passwords.

First, they don't let the customer choose the password, they assign it. 
The password is short and at each login they only ask for a few specific 
characters of the password. They watch login patterns and can change 
which characters they ask for. They know whether a given character has 
been revealed and in what circumstances. I think they correlate what 
transactions are made with login details, too.

They also have a security question--that is effectively a user chosen 
password.

They don't pair a customer-chosen username with the password and 
security question, rather they use an account number. So neither of 
those two components is well known to attackers.

I had my account locked once because the X-windows middle-button paste I 
did for my account number looked like some MS Windows virus. The day I 
made a different payment from my usual pattern they shut things down. 
When I called they told me I had to have a specific Windows virus 
removed from my (Linux!) computer before they would turn it back on. 
Okay, but to their credit, when I explained, they escalated me to someone 
smarter and he understood. I type the account number manually now.

Yes, a highly engineered solution--but human behavior is part of that 
engineering. It is password based, and, from what I can see out here, it 
is the most secure online account I have of any sort.

The human is part of the security system.

-kb
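As an added example, not code from the post or from HSBC, here is a small Python model of the server side of the scheme described above: the bank assigns the password, each login challenges only a few character positions, and the server records which positions have been revealed and in what circumstances so it can favour the least-exposed positions next time. The class, the selection policy and the audit fields are my assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class PartialPasswordAccount:
    """Server-side state for one account in a partial-password login scheme.

    Hypothetical model: the bank assigns the password and, at each login, asks
    for only a few character positions. Because individual characters must be
    checkable, the server cannot store a single hash of the whole password; the
    string is assumed to be kept encrypted or in an HSM (modelled here in clear).
    """
    account_number: str
    password: str
    reveal_count: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def __post_init__(self):
        self.reveal_count = {i: 0 for i in range(len(self.password))}

    def issue_challenge(self, k: int = 3) -> list:
        """Pick k positions, preferring those revealed least often so far.

        Ties are broken randomly so an observer who captured one login cannot
        predict which positions will be asked for next.
        """
        ordered = sorted(range(len(self.password)),
                         key=lambda i: (self.reveal_count[i], secrets.randbelow(1 << 30)))
        return sorted(ordered[:k])

    def verify(self, challenge: list, response: str, context: str = "") -> bool:
        """Check the characters supplied for the challenged positions.

        On success the positions are recorded as revealed together with the
        login context (e.g. a client or network fingerprint), which is what lets
        the bank correlate exposures with later unusual activity.
        """
        expected = "".join(self.password[i] for i in challenge).encode()
        ok = hmac.compare_digest(expected, response.encode())
        self.audit.append((list(challenge), context, ok))
        if ok:
            for i in challenge:
                self.reveal_count[i] += 1
        return ok
```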


