Personal customer passwords for online banking are only a very small part of 
the security systems a bank has. Just because passwords aren't as complex as 
you would like, it doesn't follow that banks are not secure.
Additionally, forcing overly complex passwords can also, sometimes, decrease 
security because people forget them more often, or write them down insecurely, 
or similar stuff.

If an online banking password is 8 characters, and there's an account lockout 
after three failed attempts, does it mean that the system is "insecure"?

Cheers
Ken

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Wednesday, 15 August 2012 9:55 PM
To: NT System Admin Issues
Subject: Re: For your reading pleasure

Just to help drive the point home, I have been asked by Directors in our 
organization why we have such long passwords when their banks don't require it 
or even prevent it.  There is a perception in the laity, for lack of a better 
word, that because banks deal with money that they are "secure."
On Wed, Aug 15, 2012 at 12:54 AM, Kurt Buff <kurt.b...@gmail.com> wrote:
On Tue, Aug 14, 2012 at 7:36 PM, Ken Schaefer <k...@adopenstatic.com> wrote:
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Subject: Re: For your reading pleasure
>
>>> AND most bank passwords are case-insensitive, to make things worse.
>>
>>And won't let you put in spaces or other punctuation, either.
>>
>>I detect a complete absence of cognition on the part of the designers of 
>>these systems.
>>
>>Kurt
>
> Really?
Yes.

> We're the only ones here that read web pages about security best practises, 
> or attend events or read books?
No, but some of those banks have certainly missed the boat - the ones
that don't allow long passwords or non-alphanumeric characters in their
web passwords for sure, and probably even a few who have covered those
bases.

>The IT guys at banks never went to Uni, are all ignoramuses and banks have 
>never hired a security officer or architect ever?
Going to Uni != intelligence, nor does having the title of security
officer or architect.

> By all means, keep up pressure on organisations to lift their game. But I 
> think it's grossly unfair
> to impugn people personally for this issue, and particularly for the offence 
> you have listed.
I don't. If we don't call them on their $#!+, they won't change.
Whether it's the IT staff or the executives, someone in the org is
mal/mis/non-feasant, and I don't care at which level it happened.

> From what I can gather most people on this list work in small environments, 
> and mostly for non-commercial organisations - the types of places where IT is 
> relatively simple and there aren't a lot of constraints, interoperability or 
> legacy systems to work with.
And the budgets are far smaller. Larger institutions should plan out
their web presence before launch, and it's painfully obvious that some
haven't.

> In any case, having worked in three different countries to-date, my personal 
> experience of banking is that:
> a) some banks implement additional password systems, to complement whatever 
> their legacy system is.
> This could take the form of an additional logon after your main logon. This 
> would allow a bank to implement
> a new, up-to-date, user authentication system to sit next to their legacy one
And some don't.

> b) some banks implement 2FA: every bank in Singapore (for example) issues 
> tokens to customers and also
> provides the option for SMS based one-time PINs
And some don't.

> I strongly believe that IT in banks (at least in the developed world) are 
> just as, or far more aware, of threats than we are.
Sometimes yes, but on the evidence, sometimes no. It's why I left my
most recent credit union for a better one, with stronger login
security for their web presence. I didn't want their problem to be my
problem. I also know that some banks are no better.

Kurt
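
As an added illustration (not part of the thread or anyone's post in it), the Python script below puts numbers on the two points being argued: Ken's question whether an 8-character password combined with a lockout after three failed attempts is "insecure", and Kurt's objection that case-insensitive, alphanumeric-only passwords shrink the keyspace. It shows that the lockout bounds an online guesser regardless of password length, while offering nothing against offline guessing of a leaked hash, where the charset size decides how quickly the keyspace is exhausted. The charset sizes, the assumed 1e9 guesses per second offline rate and all function names are assumptions of the example.

```python
import math

# Character-set sizes for the password policies discussed in the thread.
# These sizes are assumptions for the illustration, not figures from the thread.
CHARSETS = {
    "case-insensitive letters + digits": 36,      # a-z, 0-9 (what Kurt describes)
    "mixed-case letters + digits": 62,            # a-z, A-Z, 0-9
    "mixed-case + digits + 32 punctuation": 94,   # printable ASCII minus space
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` chars over the charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy if every password in the keyspace is equally likely.
    This is an upper bound; human-chosen passwords are far less uniform."""
    return length * math.log2(charset_size)


def online_guessing_bound(charset_size: int, length: int,
                          attempts_before_lockout: int, lockouts: int = 1) -> float:
    """Upper bound on the probability that an online guesser finds a uniformly
    random password with `attempts_before_lockout` tries per lockout window,
    over `lockouts` windows. This is Ken's scenario: the lockout, not the
    password length, is what limits an online attacker."""
    tries = attempts_before_lockout * lockouts
    return min(1.0, tries / keyspace(charset_size, length))


def offline_guess_seconds(charset_size: int, length: int,
                          guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust the keyspace offline (a leaked hash
    database), where the lockout policy offers no protection at all."""
    return keyspace(charset_size, length) / guesses_per_second


def compare_policies(length: int = 8, attempts_before_lockout: int = 3,
                     guesses_per_second: float = 1e9) -> dict:
    """Summarise each policy for a given password length and lockout threshold.
    The 1e9 guesses/second default is an assumed offline rate for illustration."""
    report = {}
    for name, size in CHARSETS.items():
        report[name] = {
            "keyspace": keyspace(size, length),
            "entropy_bits": round(entropy_bits(size, length), 1),
            "online_p_per_lockout": online_guessing_bound(size, length,
                                                          attempts_before_lockout),
            "offline_exhaust_days": offline_guess_seconds(size, length,
                                                          guesses_per_second) / 86400,
        }
    return report


if __name__ == "__main__":
    for name, row in compare_policies().items():
        print(f"{name:40s} keyspace={row['keyspace']:.3e} "
              f"entropy={row['entropy_bits']} bits "
              f"online p(3 tries)={row['online_p_per_lockout']:.2e} "
              f"offline exhaust={row['offline_exhaust_days']:.3f} days @1e9/s")
```

Reading the output side by side makes the disagreement concrete: with three tries per lockout the online success probability is negligible under every policy, which supports Ken's point, but the 36-character case-insensitive keyspace at 8 characters is exhausted offline in well under an hour at the assumed rate, which is Kurt's point. The defensive conclusion is that lockout and password complexity protect against different attacks, and a bank relying on lockout alone is betting that its hash store is never leaked.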

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

