Sunday, December 30, 2007

Sidewalk: Password Pains

The downside of being an on-line user is that at any point in time I have to remember at least 5-7 different usernames and passwords. Be it my e-mail, bank, on-line trading account or insurance policy account, every provider of these on-line services implements a different information security and user management policy.

Yesterday, while I was being made to change my internet banking password, I stumbled upon a shocking gap in the password policy of my bank, which is one of the best private banks in India. The password policy of this bank forces me to change the password at regular intervals and enforces that my current password is different from my last 3 passwords. However, to my surprise, I could change the password 3 times successively and could return to my original password within a matter of a few minutes.

Are such stringent password policies really secure and safe for customers? I do not think they achieve anything other than complicating the lives of customers and users of on-line services. Having to remember 5-7 different usernames and passwords, I expose myself to the risk of identity theft by recording them on an easily accessible medium for easy reference.

Why is it that the brick & mortar world does not force me to change my signature every now and then? What do you think is the right approach?
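The gap described above, as an added example that is not code from the post or from the bank: a history check of depth 3 on its own lets the original password come back after three quick changes, while pairing it with a minimum password age (assumed here to be one day, a common companion control) turns the few-minute round trip into a multi-day one. The class, constants and sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 3             # the bank's rule from the post: differ from the last 3
MIN_PASSWORD_AGE = 24 * 3600  # assumed hardening: at most one change per day (seconds)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored history never holds reusable plaintext;
    # the iteration count is kept low only to make this demo quick.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class PasswordPolicy:
    def __init__(self, min_age: int = 0):
        self.min_age = min_age
        self.history = []        # list of (salt, hash), newest last
        self.last_change = None  # time of the last accepted change

    def _reused(self, password: str) -> bool:
        recent = self.history[-HISTORY_DEPTH:]
        return any(hmac.compare_digest(_hash(password, s), h) for s, h in recent)

    def change(self, password: str, now: int) -> bool:
        """Apply the policy; return True if the change was accepted."""
        if self.last_change is not None and now - self.last_change < self.min_age:
            return False  # too soon after the last change
        if self._reused(password):
            return False  # matches one of the last HISTORY_DEPTH passwords
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.last_change = now
        return True


def cycle_back(min_age: int) -> bool:
    """Replay the scenario in the post: set a password, change it three times
    a minute apart, then try the original again. True means it was accepted."""
    policy = PasswordPolicy(min_age=min_age)
    if not policy.change("Original#1", 0):
        raise RuntimeError("initial password must be accepted")
    for i, throwaway in enumerate(("Temp#1", "Temp#2", "Temp#3"), start=1):
        policy.change(throwaway, 60 * i)
    return policy.change("Original#1", 60 * 4)


if __name__ == "__main__":
    print("history only:", cycle_back(0))                      # True: gap reproduced
    print("history + min age:", cycle_back(MIN_PASSWORD_AGE))  # False
```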

2 comments:

  1. If the password policy (not allowing the use of the last few passwords, requiring numeric and uppercase letters, etc.) is implemented correctly, it is definitely more secure. But even major websites (e.g. ebay.com) fail to implement (and/or test after implementing) them correctly. To date, eBay usernames and passwords are not case sensitive.

    If a person writes user credentials on media (soft/hard) and then complains about identity theft, then he/she is to be blamed first. One is not expected to write bank account credentials in a notepad and store them in plain text and/or in a weak wallet-type application.

    My two cents.

  2. Anonymous, 4:21 PM

    This is an opportunity for encrypted password manager software to shine. I use "KisKis - Keep It Secret! Keep It Safe! 0.23" (http://kiskis.sourceforge.net/) and I am very pleased with it.

    Patrick Bacon
