WebApp Sec mailing list archives

RE: Example of the worst passwd recovery interface


From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Sat, 6 Aug 2005 01:41:13 -0500

Javier Fernandez-Sanguino writes...

Forcing users to retrieve passwords offline (i.e. going to the bank 
branch as somebody mentioned) when they get blocked is actually a 
security feature. It not only helps prevent against deploying insecure 
password retrieval mechanisms, it makes online attacks much more 
difficult (somebody has to physically go to the branch, get recorded 
on a camera while he is in, etc. and an attack cannot be fully automated)

Unfortunately, it will probably also result in such banks losing
customers to the ones that don't do this.

In today's hurry-up, instant gratification world, people don't have
the patience for this. Sure, it's partly because of security ignorance,
but I don't think that is the entire problem.

In this particular case at least, I think that most people would choose
convenience over security. I probably would as well, because I don't
forget my passwords; I manage them in PasswordSafe or write them down
as innocent looking phrases and put them in my wallet. (E.g.,
the password "s@ts4b&m." becomes the phrase "stop at the store for
bread and milk.") Someone finding my wallet (well, except one of you
reading this ;-) would probably just pass that off as a self-reminder
for an absent-minded husband. If it's not associated with a bank
account, then your password ought to be pretty safe, even if you
loose your wallet. And once you've memorized it, you destroy it.

Maybe that is the problem with other people as well...they just
_think_ they would never forget their password. (In most cases,
probably true; they generally can remember your child's or pet's
name or their birthday. Sigh.)

But the bottom line is, if such a bank starts losing enough
customers when they start trying to improve on-line security,
it will eventually result in the unintended consequence of people
flocking to a bank with a less secure solution.

That's why I think that there probably needs to be regulatory
statutes around things like password retrieval processes at
financial institutes doing online banking. That way, if all
banks MUST comply, it at least prevents the blinking-twelve crowd
from flocking to the banks that are not as security conscientious.

Instead the people will just get even more ticked off at congress
for passing such apparently moronic legislation.  So it's a win-win
situation then. ;-)

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall () qwest com Phone: 614.215.4788
"The reason you have people breaking into your software all 
over the place is because your software sucks..."
 -- Former whitehouse cybersecurity advisor, Richard Clarke,
    at eWeek Security Summit
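The first-letter mnemonic Kevin describes ("stop at the store for bread and milk." becoming "s@ts4b&m.") can be made mechanical, so the wallet note reproduces exactly one password. The script below is an added example, not code from the original post; the substitution table (which short words become a symbol) is an assumption chosen so that it reproduces the password in the post.

```python
import string

# Assumed mapping of common short words to single symbols.  The first
# three entries are inferred from the post's own example; "to" and "you"
# are added here as further illustrative substitutions.
SUBSTITUTIONS = {"at": "@", "for": "4", "and": "&", "to": "2", "you": "u"}


def phrase_to_password(phrase: str) -> str:
    """Derive a password from a memorable phrase.

    Each word contributes its first letter, except words in SUBSTITUTIONS,
    which contribute a symbol instead.  Trailing punctuation on a word
    (e.g. the final ".") is carried into the password unchanged, which is
    what turns "milk." into "m.".
    """
    parts = []
    for token in phrase.lower().split():
        word = token.rstrip(string.punctuation)
        trailing = token[len(word):]  # punctuation that followed the word
        if word in SUBSTITUTIONS:
            parts.append(SUBSTITUTIONS[word])
        elif word:
            parts.append(word[0])
        parts.append(trailing)
    return "".join(parts)


def phrase_matches(phrase: str, expected_password: str) -> bool:
    """Check that a written-down phrase still regenerates the password."""
    return phrase_to_password(phrase) == expected_password


if __name__ == "__main__":
    reminder = "Stop at the store for bread and milk."  # constructed sample
    print(phrase_to_password(reminder))  # → s@ts4b&m.
    print(phrase_matches(reminder, "s@ts4b&m."))  # → True
```

The point of the mnemonic is that the note is useless to a stranger who does not know the derivation rule, while the owner never has to fall back on the bank's recovery interface at all. Once the password is memorized, the note (and the rule's usefulness to an attacker) goes away.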

