I'm not saying that "banks are secure"

I'm stating that the contentions being put forward by others are not supported 
by evidence we have before us. Namely "my bank has password requirements less 
than what I have at work - they allow only 8 characters and don't allow 
Unicode. Therefore they are insecure and the people working on them are 
idiots". The latter conclusion is not supported by the prior statement - for 
reasons I am giving. But I am not stating that banks are secure.

Also, why do you think "admin" accounts only have 8 character passwords? Or 
that these are even exposed to external access?

Cheers
Ken

From: Jonathan Link [mailto:jonathan.l...@gmail.com]
Sent: Wednesday, 15 August 2012 11:06 PM
To: NT System Admin Issues
Subject: Re: For your reading pleasure

Passwords are a part of security for everyone.  It is likely that 
administrative access to that customer system is also limited to an 8 character 
password.  So as a hacker, I don't go after an individual customer account, I 
go after the admin account.  Woo hoo, I can now reset passwords on all the 
accounts for some period of time.

In any event, the argument you present against forcing complex passwords also 
stands true for frequent password changes which is a technique banks also 
employ.  Just because a bank has a measured and layered approach to security in 
other areas and they ignore the customer part of it (including education) 
doesn't mean that they are "secure."

On Wed, Aug 15, 2012 at 8:46 AM, Ken Schaefer 
<k...@adopenstatic.com> wrote:
Personal customer passwords for online banking are only a very small part of 
the security systems a bank has. Just because passwords aren't as complex as 
you would like, it doesn't follow that banks are not secure.
Additionally, forcing overly complex passwords can also, sometimes, decrease 
security because people forget them more often, or write them down insecurely, 
or similar stuff.

If an online banking password is 8 characters, and there's an account lockout 
after three failed attempts, does it mean that the system is "insecure"?

Cheers
Ken

From: Jonathan Link 
[mailto:jonathan.l...@gmail.com]
Sent: Wednesday, 15 August 2012 9:55 PM

To: NT System Admin Issues
Subject: Re: For your reading pleasure

Just to help drive the point home, I have been asked by Directors in our 
organization why we have such long passwords when their banks don't require it 
or even prevent it.  There is a perception in the laity, for lack of a better 
word, that because banks deal with money they are "secure."
On Wed, Aug 15, 2012 at 12:54 AM, Kurt Buff 
<kurt.b...@gmail.com> wrote:
On Tue, Aug 14, 2012 at 7:36 PM, Ken Schaefer 
<k...@adopenstatic.com> wrote:
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.b...@gmail.com]
> Subject: Re: For your reading pleasure
>
>>> AND most bank passwords are case-insensitive, to make things worse.
>>
>>And won't let you put in spaces or other punctuation, either.
>>
>>I detect a complete absence of cognition on the part of the designers of 
>>these systems.
>>
>>Kurt
>
> Really?
Yes.

> We're the only ones here that read web pages about security best practises, 
> or attend events or read books?
No, but some of those banks have certainly missed the boat - the ones
that don't allow long passwords or non-alphanumeric characters in their
web passwords for sure, and probably even a few who have covered those
bases.

> The IT guys at banks never went to Uni, are all ignoramuses and banks have 
> never hired a security officer or architect ever?
Going to Uni != intelligence, nor does having the title of security
officer or architect.

> By all means, keep up pressure on organisations to lift their game. But I 
> think it's grossly unfair
> to impugn people personally for this issue, and particularly for the offence 
> you have listed.
I don't. If we don't call them on their $#!+, they won't change.
Whether it's the IT staff or the executives, someone in the org is
mal/mis/non-feasant, and I don't care at which level it happened.

> From what I can gather most people on this list work in small environments, 
> and mostly for non-commercial organisations - the types of places where IT is 
> relatively simple and there aren't a lot of constraints, interoperability or 
> legacy systems to work with.
And the budgets are far smaller. Larger institutions should plan out
their web presence before launch, and it's painfully obvious that some
haven't.

> In any case, having worked in three different countries to-date, my personal 
> experience of banking is that:
> a) some banks implement additional password systems, to complement whatever 
> their legacy system is.
> This could take the form of an additional logon after your main logon. This 
> would allow a bank to implement
> a new, up-to-date, user authentication system to sit next to their legacy one
And some don't.

> b) some banks implement 2FA: every bank in Singapore (for example) issues 
> tokens to customers and also
> provides the option for SMS based one-time PINs
And some don't.

> I strongly believe that IT in banks (at least in the developed world) are 
> just as, or far more aware, of threats than we are.
Sometimes yes, but on the evidence, sometimes no. It's why I left my
most recent credit union for a better one, with stronger login
security for their web presence. I didn't want their problem to be my
problem. I also know that some banks are no better.

Kurt
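
Ken's question above (8 characters, lockout after three failures: is that "insecure"?) and Kurt's complaint about case-insensitive, no-punctuation passwords can be put side by side in numbers. The script below is an added example written for this thread; it is not code from any of the posters or from any bank. The lockout window (30 minutes), the offline guess rate (1e10 guesses/s) and the character-class sizes are assumptions chosen for illustration, and the model assumes uniformly random passwords, which real users do not pick.

```python
"""Compare password-policy keyspace against online lockout and offline cracking.

Added example for this thread; every policy figure below is a constructed
assumption, not data from any bank or from the people on this list.
"""
import math
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365


@dataclass(frozen=True)
class PasswordPolicy:
    """What a site lets a user type: accepted symbols per position and length."""
    name: str
    alphabet: int   # distinct symbols accepted in each position
    length: int     # maximum length; assumed here to be the length actually used

    def keyspace(self) -> int:
        return self.alphabet ** self.length

    def bits(self) -> float:
        return self.length * math.log2(self.alphabet)


@dataclass(frozen=True)
class LockoutPolicy:
    """Online guessing limit: N failures lock the account for a fixed window."""
    attempts_before_lockout: int
    lockout_seconds: int

    def guesses_per_day(self) -> float:
        windows_per_day = SECONDS_PER_DAY / self.lockout_seconds
        return self.attempts_before_lockout * windows_per_day


def expected_online_years(policy: PasswordPolicy, lockout: LockoutPolicy) -> float:
    """Average years to hit a uniformly random password through the login form.
    Average work is half the keyspace; the rate is what the lockout leaves over."""
    return (policy.keyspace() / 2) / lockout.guesses_per_day() / DAYS_PER_YEAR


def expected_offline_years(policy: PasswordPolicy, guesses_per_second: float) -> float:
    """Same average work, but against a leaked hash where no lockout applies."""
    seconds = (policy.keyspace() / 2) / guesses_per_second
    return seconds / (SECONDS_PER_DAY * DAYS_PER_YEAR)


def online_guess_budget(lockout: LockoutPolicy, days: int) -> float:
    """Guesses the lockout permits against ONE account over `days`, charset aside.
    If a user's password sits inside a common-password list shorter than this
    budget, the size of the allowed alphabet never came into play."""
    return lockout.guesses_per_day() * days


# Constructed policies for comparison (assumptions, not real bank settings).
BANK_STYLE = PasswordPolicy("8 chars, case-insensitive alphanumeric",
                            alphabet=26 + 10, length=8)
FULL_PRINTABLE = PasswordPolicy("8 chars, all 95 printable ASCII",
                                alphabet=95, length=8)
THREE_STRIKES = LockoutPolicy(attempts_before_lockout=3, lockout_seconds=30 * 60)
ASSUMED_OFFLINE_RATE = 1e10  # guesses/s against a fast unsalted hash (assumption)


def report() -> None:
    for p in (BANK_STYLE, FULL_PRINTABLE):
        print(f"{p.name}: {p.bits():.1f} bits, "
              f"online ~{expected_online_years(p, THREE_STRIKES):.3g} years, "
              f"offline ~{expected_offline_years(p, ASSUMED_OFFLINE_RATE):.3g} years")
    print("Guesses per account in 30 days under 3-strikes/30-min lockout: "
          f"{online_guess_budget(THREE_STRIKES, 30):.0f}")


if __name__ == "__main__":
    report()
```

Two things fall out of running it. Against the login form, the three-strikes lockout caps an attacker at 144 guesses per account per day under these assumptions, so exhausting even the smaller 36^8 space takes millions of years and the wider alphabet changes almost nothing; Ken's point holds for that threat. Against a leaked hash, neither 8-character policy survives a day at the assumed rate, which is where the 2,300-fold larger keyspace and, more importantly, length would matter; that is Kurt's side of it. The last line is the part both arguments skip: a few thousand guesses per month per account is plenty to cover a short list of common passwords, so a blocklist of known-bad passwords does more for the customer side than arguing over punctuation.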

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin

