K7 Computing founder Jayaraman Kesavardhanan talks about how setting up secure passwords is still not quite as straightforward as it perhaps should be.
Because of what I do, sometimes people ask me about my opinion on a few issues. Often I am asked what I think about the security practices of organizations such as banks. This is effectively asking me, “Can I trust the online access mechanisms, etc., at the XYZ bank(s)?”
Needless to add, I can hardly answer such a question. I make generic statements about the security of online transactions being higher than assumed and that of off-line transactions lower than assumed. Embellished with some anecdotes, this is often enough to get me off this question.
Recently I had a more serious conversation with a friend of mine. He is an old Unix-hand and is generally a ‘power user’. He had attempted to use the online account of a bank and, true to his style, he used a tool (pwgen, if my recall serves me right). He prides himself on not writing down passwords etc. and chose to generate a fairly strong non-pronounceable password. He spent nearly 20 minutes memorizing it and proceeded to set up his online account. To his chagrin, the bank’s password validator rejected his password! Reason: no numerals. Despite the length and a mix of case and a generous helping of special characters, the lack of a numeral triggered the rejection. He was quite bemused and even mildly upset. Having spent a lot of time on a potentially low-usage issue, he decided to give up; I suspect it was as much due to his inability to use the wonderful password he had generated and memorised.
As per his statement this was a few months ago. A few days back, he had occasion to visit the brick-and-mortar branch of the bank. While he was talking to an executive at the counter, another executive at the next counter complained that she was unable to log on to the system, and the executive attending to my friend said to her, “Oh! The new password is XYZPQ123”. XYZPQ were the initials of the bank. This was said in a fairly conversational and slightly loud tone, to be heard above the usual bustle of a busy bank floor.
My friend was so annoyed and amused that he laughed out loud, so loud that the executive attending to him solicitously asked him if he needed help. My friend considered explaining how his bank needed help, wisely refrained at the last minute and pleaded an attack of a humorous recollection.
After the narration he gave me a “What are we supposed to do?” look. I told him I wish I knew.
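The two passwords in this story illustrate what a composition-rule validator measures and what it misses. The added example below is not from the original post or from K7; it uses two constructed sample passwords (a hypothetical pwgen-style one with no numeral, and the "bank initials plus digits" pattern overheard at the counter) and compares a "must contain a numeral" policy of the kind the post describes against a simple length-times-character-pool strength estimate. The policy dictionary, pool sizes and the 60-bit threshold are assumptions chosen for illustration, not the bank's actual rules.

```python
import math
import string

# Constructed sample passwords (not from the original post).
PWGEN_STYLE = "Xq!mR#vL$pZ@wK&n"   # hypothetical: 16 chars, mixed case, symbols, no digit
INITIALS_STYLE = "XYZPQ123"        # the "initials plus a short number" pattern from the story

# Character classes with the size of each pool, used for the strength estimate.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "special": (set(string.punctuation), len(string.punctuation)),  # 32 symbols
}

# An assumed composition policy modelled on the post: a minimum length plus a
# set of classes that must each appear at least once (here only "digit").
BANK_POLICY = {"min_length": 8, "required_classes": {"digit"}}


def classes_present(password):
    """Names of the character classes that occur at least once in the password."""
    return {name for name, (chars, _) in CLASSES.items()
            if any(c in chars for c in password)}


def composition_failures(password, policy=BANK_POLICY):
    """Rules the composition policy rejects the password on (empty list = accepted)."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append(f"shorter than {policy['min_length']}")
    present = classes_present(password)
    for cls in sorted(policy["required_classes"]):
        if cls not in present:
            failures.append(f"missing {cls}")
    return failures


def entropy_bits(password):
    """Crude upper-bound estimate of the guessing space: len * log2(pool of classes used).

    This overestimates for patterned passwords (dictionary words, initials),
    but it is already enough to show the ordering the composition rule inverts.
    """
    pool = sum(size for name, (_, size) in CLASSES.items()
               if name in classes_present(password))
    return len(password) * math.log2(pool) if pool else 0.0


def strength_accepts(password, min_bits=60.0):
    """Alternative acceptance test: estimated strength instead of class checklist."""
    return entropy_bits(password) >= min_bits


def evaluate(password, policy=BANK_POLICY):
    """Summarise how the two validators treat one password."""
    failures = composition_failures(password, policy)
    return {
        "composition_accepts": not failures,
        "failures": failures,
        "entropy_bits": round(entropy_bits(password), 1),
        "strength_accepts": strength_accepts(password),
    }


if __name__ == "__main__":
    for pw in (PWGEN_STYLE, INITIALS_STYLE):
        print(pw, evaluate(pw))
```

Run as-is, the pwgen-style password is rejected by the composition rule ("missing digit") despite an estimated ~102 bits, while XYZPQ123 sails through the composition rule with roughly 41 bits and would fail a strength threshold. A validator that checks length and estimated pool size, or better still a breached-password and pattern check, accepts the first and rejects the second, which is the ordering the post's validator got backwards.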
PS: After I decided to write this blog entry, I called up my friend and told him that I was writing it up and he drew my attention to this article. (SIGH) Maybe I should change my opinion on writing HOW-TOs on passwords on our site!