isn't quite ashamed enough to present

jr conlin's ink stained banana

2008-07-05

::Stop Being Helpful

There seems to be an arms race of sorts between myself and a good number of "security experts" at various sites i frequent. It all revolves around my account information.

You see, i trust that the info on my computer, sitting behind several layers of encryption, is actually far more secure than their site. Why do i assume that? Because i know exactly what sort of security i have in place, whereas i have less knowledge about theirs. i'm willing to believe that the opposite is also quite true and that the administrators of those remote sites believe their site to be far more secure than mine.

The administrators, however, have deemed it necessary to require me to enter my password in, by hand, every time i access their site. Now, since each of these sites required various levels of "added security" involving me typing in a password with both upper and lower case letters, a number, one or more non-alphanumeric characters, plus one or more characters from the original transcript of the Chronicles of Gilgamesh (Mac users, please use Ancient Sanskrit), i'm far more likely to record said password somewhere other than my memory. This is where things like Firefox's auto-complete function are a wondrous blessing, since they ensure that those passwords are encrypted and stored on my equally wonderfully encrypted TrueCrypt drive, where any accidentally acquired keylogger is far less likely to get access to them.

The remote site administrators, however, seem to feel otherwise. At first, they simply turned autocomplete off for passwords. A quick greasemonkey script fixed that. Then, they escalated and added calls to the form and page to turn off autocomplete as well. Again, a minor issue, and a quick fix to the script was all i needed. That's when they suddenly started playing hardball. In the past few months i've seen the following:

1) A script that waits half a second after the page finishes loading, then clears the user name and password fields.
2) A drop down username selection box that obscures all but the last three letters of the previous login entry which kinda screws up the auto-fill since it's missing half of the index it uses to figure out what password to fill in.
3) A script that actually removes the password box entirely, replacing it with a Div that accepts keystrokes and inserts "*".
4) After the page loaded, a rabid monkey was teleported directly to my keyboard and the only way to abate his foaming, disease filled hurled poo was to use a command word based on my account name and date of joining.

Ok, not so much that last one, but the other three definitely.

i'm honestly not sure i really understand this. i mean, yeah, i can imagine that some idiot logs in to a computer set up on some random Anacostia street corner and doesn't think to flush his cookies or clear his browser's cache, but frankly, if THAT was the case, i'd hazard that there are about 80 other issues that this theater wouldn't actually address (like the fact that the computer is made of cardboard and consists of a guy making "beep-boop" noises when you press the "keys").

As it is now, i either figure out ways to work around this, wonder why the hell i'm working around this, or open up access to my stored, encrypted password file so that i can remember whether or not i had to add ༼ or ༽ to the password.

Personally, i'd love to find out where these guys live, and go change the locks on their houses. i'd even leave them a nice little map indicating the lat/long of the location of their new keys, and maybe warn them about the bears in the area.

You know, for added security.
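The Greasemonkey-style workaround the post alludes to, as an added example that is not the author's script: it drops autocomplete="off" from a login form and its fields, and re-fills them if a timed page script blanks them (trick #1 above). The element names and sample values are constructed, and the DOM stand-in exists only so the block runs outside a browser.

```javascript
// Login-field heuristic: password inputs, plus text inputs named like a username.
function isLoginField(el) {
  const type = (el.getAttribute('type') || 'text').toLowerCase();
  const name = (el.getAttribute('name') || '').toLowerCase();
  return el.tagName === 'INPUT' && (type === 'password' || (type === 'text' && /user|login|email/.test(name)));
}
// Drop autocomplete="off" from the form and its login fields only; other inputs keep
// whatever the site asked for. Returns how many attributes were changed.
function enableAutocomplete(elements) {
  let changed = 0;
  for (const el of elements) {
    if ((el.tagName === 'FORM' || isLoginField(el)) && el.getAttribute('autocomplete') === 'off') {
      el.setAttribute('autocomplete', 'on');
      changed += 1;
    }
  }
  return changed;
}
// Snapshot what the browser filled in; the returned function puts it back if a timed
// page script has blanked it (in a userscript: setTimeout(restore, 1000)).
function guardAgainstClearing(elements) {
  const saved = elements.filter(isLoginField).map(el => [el, el.value]);
  return function restore() {
    let restored = 0;
    for (const [el, value] of saved) {
      if (value !== '' && el.value === '') { el.value = value; restored += 1; }
    }
    return restored;
  };
}
// Constructed stand-in for DOM elements so the demo runs in Node; in a browser,
// pass Array.from(document.querySelectorAll('form, input')) instead.
function fakeElement(tagName, attrs) {
  const a = { ...attrs };
  return { tagName, value: '', getAttribute: k => (k in a ? a[k] : null), setAttribute: (k, v) => { a[k] = v; } };
}

// The scenario from the post, with constructed sample values.
function demo() {
  const form = fakeElement('FORM', { autocomplete: 'off' });
  const user = fakeElement('INPUT', { type: 'text', name: 'username', autocomplete: 'off' });
  const pass = fakeElement('INPUT', { type: 'password', name: 'pw', autocomplete: 'off' });
  const search = fakeElement('INPUT', { type: 'text', name: 'q', autocomplete: 'off' });
  const changed = enableAutocomplete([form, user, pass, search]);  // 3: form, user, pass
  user.value = 'alice'; pass.value = 'correct horse';               // simulated browser autofill
  const restore = guardAgainstClearing([form, user, pass, search]);
  user.value = ''; pass.value = '';                                 // simulated site script wiping the fields
  return { changed, restored: restore(), passwordBack: pass.value, searchKept: search.getAttribute('autocomplete') };
}
```

Current Firefox and Chrome already ignore autocomplete="off" on password fields, so today the first half is mostly historical; the value-restoring half is what still matters against a post-load clearing script.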

B
2008-07-06 - 05:19:58

A fucking men!


Kil
2008-07-06 - 07:07:47

I fucking goat.


pmp
2008-07-06 - 07:11:43

Do you have any example sites? I would love to see some of these tricks in the wild.


Manny
2008-07-06 - 07:55:43

JR, I noticed the reader roll pushes your left column out if the user isn't logged in. Fix it with this:

table#MBL_COMM td.mbl_join a { display: none; }


foo
2008-07-06 - 09:07:42

Blackboard does a variation of #1. When you click submit, it clears the password field, thus giving your browser no chance to save it. So, disable JS, log in and save your password, enable JS, and it works from there.


m0sh3
2008-07-06 - 09:39:19

HSBC bank login has one page with only username, on 2nd page there's password and security code with virtual keyboard. it doesn't let you use real keyboard to type in or Ctrl-V to paste the security code, but fortunately they can't disable Edit > Paste menu :)


Philo
2008-07-06 - 10:31:30

A recent trend in some pay sites is to assign a user name and password consisting of random characters - which is totally worthless for the reasons you mention.

Personally, I think the best solution is to use email as a username - since "email me my username and/or password" is usually an option, then preventing me from using an email address as a username doesn't accomplish anything.

It would also be nice, given the prevalence of broadband, to see IP factored into identification. Don't make it absolute (in case I'm on the road or change IPs), but for example if I enter my username and am from a given IP, let me in.

Finally, a shout out to American Express, which limits passwords for their credit card site to eight characters. WTF?


Pete
2008-07-06 - 11:42:51

I bet it is to prevent spam bots. You are just caught in the cross fire.


Dominic
2008-07-06 - 13:38:05

If you don't like it, don't use the site and find an alternative. I don't see how your comment of changing their locks fits in, unless by having to remember a password you're denied access to your house?


2008-07-06 - 13:45:00

Heh, so I should avoid using sites that have and control my money (since it seems that those are pretty universally the ones that do that sort of thing). No, that's not going to happen. Likewise, while annoying, the site isn't the only reason I do business with those companies, so it's not like I'm going to be selecting a "better" service if I switch, even if I can switch, because some of the sites were selected by others (e.g. the site that lets me view my paycheck).

The lock comment is because these sites are making it unnecessarily difficult for their customers. To further a joke example, those folks who've had their lock changed also have options to enter their house without using keys, however one can say that by exercising those options, their home has become less secure in the process (and they'll have to buy a new door or window in the morning).


tim
2008-07-06 - 16:22:12

accidentally acquired keylogger is far less likely to get access to them

While I understand the sentiment, you don't understand how keyloggers operate. Keyloggers operate by capturing text sent to the web browser while you are typing them in (or pasting them or whatever). Your wonderful encrypted volume is worthless here. In addition - you may understand your multi-layers of encryption -on your machine- but that is also not relevant here. The data you want to access isn't in your control. But is in control of another company that has to comply with (sometimes contradictory) laws and regulations to protect that data. The arms race isn't with you - it's with those that are trying to steal your data. As a "security expert" you deride - I only go with banks that allow me to use two-factor authentication with a hardware FOB.


tim
2008-07-06 - 16:41:33

One last comment - the house analogy is a poor one. The risk is different. I cannot steal the items in your home from 3000 miles away (unless I hire someone - not a scalable option) but I can launch sophisticated attacks against your computer or the host that your data is on from a safe country with no ramifications. So good luck with your cute little scripts - you are not making yourself any safer.


jrconlin
2008-07-06 - 18:48:03

Hi Tim, first, thanks for your comments. I know that security is never fun, frequently directed by those that don't understand systems, and is full of conflict, but ultimately, there's a trade off between security and access. People will often sacrifice security if the barriers are raised too high. Thus the many post-its bearing passwords you see on cash registers and other semi-public locations.

As I said very early on, neither you nor my bank understand the level of security on my machine. (I used the somewhat flippant remark about keyloggers because that was about as likely to happen to my system as my getting access to the locks of your house.) I fully understand that a bank needs to address the lowest denominator regardless of how common it happens to be. I also FULLY understand the type and scope of attacks that can happen to any institution.

The problem is, however, that instead of using secure mechanisms for access (or even consistent ones), each institution has implemented their own which leads to general frustration and folks doing less secure fundamental things.

I would MUCH rather see a system deployed that worked with modern browsers to alleviate some of these issues rather than simply assume that customers only live to work with Your Site. Perhaps a simple automated token can be provided to customers that addresses this. Perhaps a set of behavioral signatures can be used to identify legitimate vs. illegitimate traffic.

Raising the barriers is a cheap solution that will all have us sending checks and standing in teller lines soon.


DavidM
2008-07-07 - 04:46:50

I have never understood the weird password rules, especially for sites which have lockout after N missed attempts.

With even a weak 5 letter-only password the chances of you guessing mine in 3 tries is 3 in 11881376. Unless those are nuclear missile codes I think that is probably sufficient.


Bithead
2008-07-08 - 04:51:20

Looks like the work of CISSPs. I once asked a CISSP for his public key so I could encrypt some data to send to him. He more or less drooled into a cup.

I swear all CISSP certifies people to do is engage in more elaborate forms of security through obscurity. They seem to know, for example, that public/private keys have something to do with 'security', but little understanding of what it is. sigh…


Powered by WordPress
Hosted on Dreamhost.