"security" rant

[taxlady]

The other day I signed up with Digg. I thought they had a geek orientation, since it's mostly my geeky friends that are signed up. Not only are their "Terms of Use" clear as mud, the password has to be only letters and numbers. Not only that (& I expect better from a "geek" site), they don't tell you until after they reject the password. Oh, and they won't let me use a spamgourmet address. I am a big fan of disposable addresses. They let me know who has been handing out my email address. No, I had to use a "real" email address.

So, I tried to log on to hotmail. It said that it was the wrong password. So, I had it reset. When I tried to type in a new password, it told me that I couldn't use the same password as I had before. I guess I hadn't forgotten it. So I tried again, using no upper-case letters, and it still said I couldn't use the same password. So, I tried a new one. Guess what? I couldn't log in with that one. It didn't recognize it. Okay, check that I can remember my Yahoo email password. I can, so I give that to Digg. Are they happy now? I will only see email from them when I remember to check my Yahoo mail. That spamgourmet email address forwards to my Gmail account, which I look at all the time.

So, why is it that sites don't like non-alpha-numeric characters in passwords? The banks tell me to use a strong password, but most of the bank sites that I go to won't accept my password. I like to have upper and lower case letters and numbers and punctuation, makes a much stronger password.

• ING wants numbers only!  I have to remember some stupid picture and a phrase (not a phrase I wrote, one I chose from a list). I have to use part of my client card # to log in, instead of a user name, and they won't remind me which part at login.


• Laurentian Bank of Canada is switching from four digit number to, you guessed it, letters & numbers only. I have to choose the picture every time I log in. They gave me the pix to choose from. They gave me an "access number", that I have to type in instead of a user name.


• CIBC allows me to pick a user name, but only allows letters & numbers in the password.


• Citibank allows me to pick a user name, but only allows letters & numbers in the password.


• American Express allows me to pick a user name, but only allows letters & numbers in the password.


• HBC credit cards allows me to pick a user name, but only allows letters & numbersin the password, but there must be at least two digits.


• Canadian Tire MC wants a user name and the last seven digits on the back of the card. It allows a decent password.


• Royal Bank wants my client card number. I can have the computer remember the number and nickname it. Decent passwords allowed.


• National Bank allows a user name and decent password.


• PayPal uses my email address and allows a decent password.

I have a system for making up passwords that I can remember, it varies depending on the site. But, and I have to remember where I have which kind of password I have, at each of these sites. Grrrr.

Don't get me started on security questions. I hate it when I have to choose one from their stupid list. "What was your grandfather's occupation?" Uhm, I have two grandfathers. "What is your mother's maiden name?" Wait a minute, that's not so hard to find on the internet. "What is the name of my elementary school?" Uhm, I went to two; some people went to more than two. Not to mention that sometimes I think of it with "Elementary" as part of the name and sometimes with "Elementary School", and sometimes without either. "What is your father's middle name?" He has two middle names. Lots of Catholics have more than two middle names.

Comments

[taxlady.livejournal.com]

I nearly burst out laughing when I read, "I don't know what planet some of the people making this shit up live on." I think it's the planet where thinking things through and asking people who might know is forbidden.

[taxlady.livejournal.com]

Oh and about pets. When they ask about your current pet. Lots of people have more than one current pet and pets don't live as long as people. So, if I answered about the cat I had in 2006 and I don't need to be reminded about my password until 2008, I may have a different cat. Am I supposed to remember when I answered their stupid question? Great, one more stupid thing to keep track of.

[azrhey.livejournal.com]

For the security question, it doesnt say you have to answer the truth.

I usually pick a random question and the answer is something like "thereare14lettersinthisquestion" Could be anyhing, the number of spaces, the number of consonnats minus the number of spaces, whatever...I keep the same "way" for all the secret questions so THAT is easy to remember.

For passwords, I agree with you, most places suck. I wish there weren't a limit ont eh number of characters in a password, as I have a hard time remembering numbers and punctuation...There is ONE website that I know of that has no limit on the number of characters and my password there looks like thissitehasadotcomaddressbutitshoudlhaveadottvone or something like that...

[taxlady.livejournal.com]

Of course the answers don't have to be true, but you have to be able to remember them. I find that often the field isn't big enough to allow the answer I will remember. Sometimes they want more letters than the answer I will remember.

And yeah, I really dislike upper limits on the number of characters.

[cpirate.livejournal.com]

I just gave up, and started using Password Safe to track my important passwords. Now I just have to remember one strong passphrase, and I don't have to care about whatever stupid rules the website might have, whether I'll remember what password I picked, or what idiotic security questions I answered. And most importantly, it's actually trustworthy; it was originally written by Bruce Schneier, who, if you don't know the name, is massively good at encrypting things.

Just be sure to have really good backups of your password file!

[taxlady.livejournal.com]

Sounds like a good idea. Do you recommend the Java download or the other version? I just downloaded the Java version. I guess I should copy it to my USB thumb drive. I may have some questions for you after I read the documentation that comes with it.

I'm still annoyed that we have to go to the trouble of doing this.

Thanks for the suggestion and the link.

[cpirate.livejournal.com]

It doesn't really much matter which version you pick; they can both open the same files. I personally find Java apps kind of lame, so I'd try the other one; that was what I used to run on Windows. If you're on Linux, there are other native programs that can read the same data files.

[taxlady.livejournal.com]

Yeah, swestrup mentioned that Java takes a lot of space and I would like to put this on a USB key. Do you know if there is a portable version?

[cpirate.livejournal.com]

The native installer has an option to install onto a USB key. Though I lost this reply for so long that I can only imagine you've already solved the problem by now.

[taxlady.livejournal.com]

Which one would I download for the USB key?

[cpirate.livejournal.com]

Just the regular Windows installer, the one you get from the "click here for latest version" link on the page I posted. When you install it, it should give you an option for installing onto a USB key.

[tcaptain.livejournal.com]

It just goes to show that the intent of all this isn't to make things more secure, but to show the ILLUSION of security.

SIGH.

[taxlady.livejournal.com]

Yup, you are absolutely correct.

When I entered my new password on the Laurentian Bank site, it told me that it didn't meet their security standards. That's because mine are higher.