Worthless security measures

My bank has the worst security for their online banking. Honest.

For years, the only security feature (if you can call it a feature) was the password: seven letters or less, alpha-numeric. You couldn’t even use punctuation symbols.

I guess there was one other security feature: if you messed up your password three times, it would lock your account. Once locked, an account had to be reset by calling the bank during business hours and talking to a teller…

At some point the bank decided that this security was insufficient. But instead of improving their existing security (i.e. by letting me use a password of sufficient length), they decided to supplement it.

Ultra-high-security lockdown

I still log in by entering my account number and seven-alphanumeric-characters-or-less password. Then I hit the “extended security” page.

It appears to be a standard-issue “ask a predetermined question” security page. These are great because they don’t require the user to remember anything else. A question like “what’s your pet’s name” is a great “are you really you” sort of check, without really increasing the chances of users writing down the answers.

Except this isn’t your standard security question page. This one has requirements almost as special as the password…

When my online banking went into high security lockdown mode, I got a notice that I would have to answer some questions. Unfortunately, I never got to choose which questions I answered.

  • Favorite Movie? This is a tough one. My favorite movies change regularly. I guess I’ll just enter something. Shouldn’t be too hard to remember.
  • Favorite Color? Yeah. Colors are good. Blue. Light grey. And green. That’s a good color too. Favorite? I don’t think I have a single favorite.
  • Favorite Sport? Nope. Not applicable.
  • High School Name? Ooh. I know this one. :)
  • Spouse’s Middle Name? What? I’m not married. Ergo, I have no spouse. Ergo, I have no spouse’s middle name. Ergo, I can’t actually answer this question.

Most of these questions don’t even apply to me… But my bank doesn’t give me the option of skipping any of these terribly selected questions. I have to enter something for every single one of them.

Remember how the reason for using security questions is to keep the user from having to remember something extra? Now I have to remember the bogus answers I made up for each of the above mentioned questions. One of which was actually worth asking me. Thanks for the added security.

As a bonus, I get to choose another password to remember. Fortunately, this one can be longer than seven characters. Unfortunately it doesn’t even do the most basic security checking. I can enter “1” as my “secure” password. In fact, nothing in their system keeps me from entering “1” as my answer to every single one of their security questions, and as both of my passwords.

That’s pretty quality security.

How to fix this

If you work for my bank — or anywhere else that has poor online security — here are a couple of suggestions:

  • Give me the option of choosing a user name. That’s a ton harder to guess than my account number.
  • Please, please, please let me choose a secure password. Real security systems don’t limit me to seven characters. Real security systems let me put punctuation symbols in my password. Most even encourage it.
  • Do away with the second password. In fact, replace the first password with it. By requiring users to remember two passwords, you are, in effect, decreasing security. Your users will be far more likely to write their passwords down if you make it too hard on them. If your first password is sufficiently secure, you don’t need the second. Even if you know exactly how long it is, the odds of successfully guessing my password are about 1/1029 (If it’s been a while since you took high school math, that’s something like 1 in 100,000,000,000,000,000,000,000,000,000)… Isn’t that good enough?
  • Implement some basic complexity settings. Require users to enter a password eight characters or longer. Make sure it has at least one letter and one digit. Encourage the use of punctuation characters.
  • Let me choose which security questions to answer. Don’t assume that because you have a spouse with a middle name everyone else does too… Assumptions make for inherent unsecurity.
  • Increase the number of failed password attempts. I’ve used up my allotted three tries on typos before. Even giving me a ten times as many tries will not have a significant mathematical impact. The only real reason to limit attempts is to stop robots, and for those you could prob’ly put the cap at three tries per second and still catch ‘em all.