Just a quick memo on how not to design for a secure computing environment. I got the following message when logging into my commercial banking website.

Password Guidelines
Passwords must:

  • Be six to twelve characters
  • Contain at least one number
  • Contain at least one letter
  • Not be identical to your first name, last name, company name, company ID, user ID, or your previous six passwords
  • Not use the names of the months (example: march123)
  • Not repeat the same character three or more consecutive times (example: 2kaaa3, 0000abe49)
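As an added illustration that is not part of the original post, here is the bank's rule set implemented as a checker, which makes the problem concrete: the 12-character ceiling rejects a long passphrase while a six-character "abc123" sails through. The twelve month names (the post only gives "march123") and the names and IDs passed in are assumptions, and the length-only function is a contrast added here, not anything the bank does.

```python
import re

# The bank's rule gives "march123" as its only example; the full twelve-month list is an assumption.
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")


def bank_policy_violations(password, forbidden=(), previous=()):
    """Return the bank's rules that `password` breaks (an empty list means accepted).

    `forbidden` holds the user's first name, last name, company name, company ID
    and user ID; `previous` holds the previous six passwords (plaintext here only
    so the rule can be shown; a real system would compare against stored hashes)."""
    violations = []
    if not 6 <= len(password) <= 12:
        violations.append("length must be 6-12 characters")
    if not re.search(r"\d", password):
        violations.append("needs at least one number")
    if not re.search(r"[A-Za-z]", password):
        violations.append("needs at least one letter")
    lowered = password.lower()
    if lowered in {s.lower() for s in forbidden} or password in previous:
        violations.append("identical to a name, ID or previous password")
    # Substring match, as "march123" implies; this also rejects "maybe1" because of "may".
    if any(month in lowered for month in MONTHS):
        violations.append("contains a month name")
    # Any character three or more times in a row, matching the examples "2kaaa3" and "0000abe49".
    if re.search(r"(.)\1\1", password):
        violations.append("repeats a character three or more times in a row")
    return violations


def length_policy_violations(password, min_len=12, max_len=128):
    """Contrast (added here, not the bank's rule): a length-only check that accepts
    long passphrases and imposes no composition or rotation requirements."""
    if not min_len <= len(password) <= max_len:
        return [f"length must be {min_len}-{max_len} characters"]
    return []


if __name__ == "__main__":
    # Constructed sample passwords; the passphrase is the one the bank's policy cannot accept.
    for pw in ("abc123", "correct horse battery staple 2024", "2kaaa3", "march123"):
        print(f"{pw!r}: bank={bank_policy_violations(pw)} length_only={length_policy_violations(pw)}")
```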

They also make you change your password every 60 days. Do you know what this results in? Me writing down my password on a piece of paper next to my desk. Seriously. That’s how stupid it is. Oh, did I mention that if you fail your login three times they will lock out your account?

Needless to say, this is not how you should be developing secure web applications.

Comments

4 Responses to “Memo #10 – How not to design for security”

  1. Richard Crowley on July 21st, 2008 3:32 pm

    Choices:

    1. Stop banking with them.

    2. Put that piece of paper in your wallet.

  2. davidu on July 21st, 2008 3:36 pm

    Crowley — actually, I just did:

    gpg --encrypt -r david@opendns.com > banking.txt

    and put in my password. :-)

  3. Michael Fogel on July 21st, 2008 10:03 pm

    Do the people who run your bank use your bank? Or the online banking portion of it? My guess would be nooooo….

  4. rhb on July 24th, 2008 1:46 am

    All banks are idiots. The online brokers are worse because their avg deposit is much larger.

    It’s called a FV!KING secureid keyfob/dongle/token and I would gladly pay for it, although I shouldn’t have to.

    What is wrong with these people?
