[Cryptography] Passwords: Perfect, except for being Flawed
Kent Borg
kentborg at borg.org
Wed Feb 18 12:21:05 EST 2015
A side note on spyware: HSBC Canada has a clever way to do passwords.
First, they don't let the customer choose the password, they assign it.
The password is short and at each login they only ask for a few specific
characters of the password. They watch login patterns and can change
which characters they ask for. They know whether a given character has
been revealed and in what circumstances. I think they correlate what
transactions are made with login details, too.
They also have a security question--that is effectively a user chosen
password.
They don't pair a customer-chosen username with the password and
security question, rather they use an account number. So neither of
those two components is well known to attackers.
I had my account locked once because the X-windows middle-button paste I
did for my account number looked like some MS Windows virus. The day I
made a different payment from my usual pattern they shut things down.
When I called they told me I had to have a specific Windows virus
removed from my (Linux!) computer before they would turn it back on.
Okay, but to their credit, when I explained, they escalated me to someone
smarter and he understood. I type the account number manually now.
Yes, a highly engineered solution--but human behavior is part of that
engineering. It is password based, and, from what I can see out here, it
is the most secure online account I have of any sort.
The human is part of the security system.
-kb
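One way to build the per-login partial-character check described above (ask for a few positions of an assigned password, rotate which positions are asked, lock after repeated failures), as an added Python example that is not HSBC's code and not part of the original post; the secret, the positions-per-login count and the lockout threshold are assumed values:

```python
import hmac
import secrets


class PartialPasswordVerifier:
    """Challenge/response over a few positions of a bank-assigned password.

    Constructed example, not HSBC's code. Because the server has to check
    individual characters, the secret cannot be stored as a one-way hash;
    in practice it is encrypted at rest under an HSM-held key. It is held
    in memory here for illustration only.
    """

    def __init__(self, secret, positions_per_login=3, reveal_window=2,
                 max_failures=3):
        self.secret = secret
        self.k = positions_per_login
        self.window = reveal_window      # logins before a position may repeat
        self.max_failures = max_failures
        self.history = []                # positions revealed, per login
        self.pending = None              # positions of the open challenge
        self.failures = 0
        self.locked = False

    def challenge(self):
        """Pick k positions, preferring ones not asked in recent logins."""
        recent = {p for ch in self.history[-self.window:] for p in ch}
        fresh = [i for i in range(len(self.secret)) if i not in recent]
        pool = fresh if len(fresh) >= self.k else range(len(self.secret))
        chosen = tuple(sorted(secrets.SystemRandom().sample(list(pool), self.k)))
        self.history.append(chosen)
        self.pending = chosen
        return chosen

    def verify(self, answer):
        """Check the characters for the open challenge; one attempt per challenge."""
        if self.locked or self.pending is None:
            return False
        expected = "".join(self.secret[p] for p in self.pending)
        self.pending = None          # a challenge is never reused after an answer
        if hmac.compare_digest(expected.encode(), answer.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True       # the "account locked" step from the post
        return False
```

The rotation means a single shoulder-surfed or phished login reveals only the positions asked that time, which is the property the post credits HSBC with tracking.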