WebApp Sec mailing list archives
RE: Example of the worst passwd recovery interface
From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Sat, 6 Aug 2005 01:41:13 -0500
Javier Fernandez-Sanguino writes...
> Forcing users to retrieve passwords offline (i.e. going to the bank branch, as somebody mentioned) when they get blocked is actually a security feature. It not only helps prevent against deploying insecure password retrieval mechanisms, it makes online attacks much more difficult (somebody has to physically go to the branch, get recorded on a camera while he is in, etc., and an attack cannot be fully automated).
Unfortunately, it will probably also result in such banks losing customers to the ones that don't do this. In today's hurry-up, instant gratification world, people don't have the patience for this. Sure, it's partly because of security ignorance, but I don't think that is the entire problem. In this particular case at least, I think that most people would choose convenience over security.

I probably would as well, because I don't forget my passwords; I manage them in PasswordSafe or write them down as innocent-looking phrases and put them in my wallet. (E.g., the password "s@ts4b&m." becomes the phrase "stop at the store for bread and milk.") Someone finding my wallet (well, except one of you reading this ;-) would probably just pass that off as a self-reminder for an absent-minded husband. If it's not associated with a bank account, then your password ought to be pretty safe, even if you lose your wallet. And once you've memorized it, you destroy it.

Maybe that is the problem with other people as well...they just _think_ they would never forget their password. (In most cases, probably true; they generally can remember their child's or pet's name or their birthday. Sigh.)

But the bottom line is, if such a bank starts losing enough customers when they start trying to improve on-line security, it will eventually result in the unintended consequence of people flocking to a bank with a less secure solution. That's why I think that there probably needs to be regulatory statutes around things like password retrieval processes at financial institutions doing online banking. That way, if all banks MUST comply, it at least prevents the blinking-twelve crowd from flocking to the banks that are not as security conscientious. Instead the people will just get even more ticked off at congress for passing such apparently moronic legislation. So it's a win-win situation then. ;-)

-kevin

---
Kevin W. Wall
Qwest Information Technology, Inc.
Kevin.Wall () qwest com
Phone: 614.215.4788
"The reason you have people breaking into your software all over the place is because your software sucks..." -- Former White House cybersecurity advisor, Richard Clarke, at eWeek Security Summit
Current thread:
- Example of the worst passwd recovery interface Saqib Ali (Aug 03)
- RE: Example of the worst passwd recovery interface Marc Heuse (Aug 04)
- RE: Example of the worst passwd recovery interface Irene Abezgauz (Aug 04)
- Re: Example of the worst passwd recovery interface Saqib Ali (Aug 11)
- Re: Example of the worst passwd recovery interface Saqib Ali (Aug 04)
- RE: Example of the worst passwd recovery interface Irene Abezgauz (Aug 04)
- Re: Example of the worst passwd recovery interface Christopher Canova (Aug 04)
- Re: Example of the worst passwd recovery interface Yousef Syed (Aug 04)
- Re: Example of the worst passwd recovery interface Javier Fernandez-Sanguino (Aug 05)
- <Possible follow-ups>
- RE: Example of the worst passwd recovery interface Wall, Kevin (Aug 06)
- RE: Example of the worst passwd recovery interface Marc Heuse (Aug 04)