Internet Security

Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA

Internet Security

Post by Bill H »

Common thinking used to be that spam was going to render the Internet useless, but we seem to be dealing with it rather effectively. It remains annoying but nothing more than that.

What is rendering the Internet useless is Internet security measures, which have just gone berserk. I used to be able to monitor my home mortgage at the Citibank website, but no more. It requires me to change my password on a regular basis, and it has really abstruse requirements for passwords; letters, numbers, symbols, arrangements... It rejected everything I tried. It also has "security questions" including one about the name of my first dog. I've never owned a dog in my life, but apparently I made up some answer in the distant past to satisfy them. I have no idea what I made up, so it's back to monitoring my mortgage by telephone.

I used to be able to log into my bank account and view my business account, personal account, and the joint account which I maintain with my wife. No more. I now can view only one account at a time and must log in with a password and user name three separate times for "security reasons." I have asked that bank statements for two of the accounts be mailed to me, and will use online banking for only one account in the future.

Maybe security measures do need to be this unwieldy, in which case the usefulness of the Internet seems really questionable to me. Maybe we are better off doing business the "old fashioned way."
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Internet Security

Post by Apollo »

I partially agree, some companies take their 'security measures' way beyond sane, rather than actually fixing the real weak spots.

However,
Bill H wrote:Maybe we are better off doing business the "old fashioned way."
Hell no, we are most definitely not. No more messy paper business :)

Even the most arcane must-remember-a-zillion-passwords system is easily handled by simply storing the passwords (and other 'secret' info, like the name of your imaginary dog) in one protected place. There are sophisticated solutions to that, but even just a password protected (that is, AES-encrypted) WinRAR or 7-Zip archive will do fine.

Advantages of this are
1. you'll never lose passwords anymore
2. you don't have to store them in your head anymore, which saves headaches
3. it's no problem to change them frequently
4. it's no problem to use really difficult passwords, like M4eZ1g!o7b2L#s9BU)dFj (or whatever the particular site allows / requires)
5. no need to take the same or similar passwords for different services (which would make you more vulnerable)
6. no more typos or time wasted typing, as you can copy/paste everything

Make sure to remember 'the one' password though (the one for your archive) and backup the archive thoroughly :)
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Internet Security

Post by matthijs »

The only thing I do know is that there is a huge amount of work to be done on the whole architecture of how the internet and computers interacting with the internet work to make things more secure. If I see now how incredibly easy it is for crackers to do malicious things, it's surprising things go reasonably well. The only factor limiting the amount of damage being done is the fact that the bad people need time to sleep as well.

I discourage friends and family who are not very computer-wise to do banking stuff on the internet. Even web developers I know have been infected with spy ware and viruses (with serious consequences, like stolen passwords etc). If even highly experienced people can be infected so easily, there are some serious problems.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Internet Security

Post by Benjamin »

Well.. all those increased security precautions are kind of moot. You can have the most complex password in the world, but a key-logger can fix that problem real quick. Also, take 1000 random websites. How many do you think have brute force detection?

These IT guys in charge of security don't want to get fired, or they want to “seem” smart, so they operate in "paranoid" mode. They are really doing themselves a disservice though. If I have to make a password so complex I can't remember it, I'm going to paste it in a file someplace. I'm also going to paste in that file what the password is for. Now the password is sitting there, waiting to be discovered.
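The "how many sites have brute force detection" question above is easy to answer for your own site. The following is an added example, not code from this thread or from any of the posters: a minimal detector that reads authentication log lines and flags a source address that produces too many failed logins inside a sliding time window. The log format (`timestamp login user=… src=… result=…`), the sample lines, the threshold and the window length are all constructed assumptions for the demonstration; a real deployment would feed it the web server's or application's actual auth log.

```python
# Added example, not from the thread: sliding-window failed-login detector.
# Log format, addresses and timestamps below are constructed for illustration.
from collections import defaultdict, deque
from datetime import timedelta, datetime

# Constructed sample log: one source hammering "alice", one legitimate user
# who mistypes once, and one slow source that stays under the threshold.
SAMPLE_LOG = """\
2024-05-01T09:00:01 login user=alice src=203.0.113.5 result=FAIL
2024-05-01T09:00:04 login user=alice src=203.0.113.5 result=FAIL
2024-05-01T09:00:05 login user=bob src=198.51.100.7 result=FAIL
2024-05-01T09:00:07 login user=alice src=203.0.113.5 result=FAIL
2024-05-01T09:00:10 login user=alice src=203.0.113.5 result=FAIL
2024-05-01T09:00:12 login user=bob src=198.51.100.7 result=OK
2024-05-01T09:00:14 login user=alice src=203.0.113.5 result=FAIL
2024-05-01T09:00:18 login user=alice src=203.0.113.5 result=FAIL
2024-05-01T09:01:00 login user=carol src=203.0.113.9 result=FAIL
2024-05-01T09:02:30 login user=carol src=203.0.113.9 result=FAIL
2024-05-01T09:04:00 login user=carol src=203.0.113.9 result=FAIL
2024-05-01T09:05:30 login user=carol src=203.0.113.9 result=FAIL
"""


def parse_line(line: str):
    """Split one log line into (timestamp, user, source address, result)."""
    ts, _event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["src"], fields["result"]


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60):
    """Return [(src, timestamp_of_alert), ...] for every source address that
    reaches `threshold` failed logins within any `window_seconds` interval.
    Each source is reported once, at the moment it first crosses the line."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerts, alerted = [], set()
    for line in lines:
        if not line.strip():
            continue
        ts, _user, src, result = parse_line(line)
        if result != "FAIL":
            continue  # successes do not count towards the window
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts))
    return alerts


if __name__ == "__main__":
    for src, when in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {src}: {when.isoformat()} - brute force threshold reached")
```

With the constructed sample, only 203.0.113.5 is reported (five failures in thirteen seconds); the slow source spacing its attempts ninety seconds apart never has more than one failure inside the sixty-second window, which is exactly the blind spot a per-source window has and why real deployments combine it with a per-account counter.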
greyhoundcode
Forum Regular
Posts: 613
Joined: Mon Feb 11, 2008 4:22 am

Re: Internet Security

Post by greyhoundcode »

As an aside, while it's all well and good to be able to use whatever characters you like in a password, isn't enforcing it - you must have a symbol, you must have at least one uppercase letter etc - narrowing down the range of possible combinations?

Suppose it's a numbers game when it comes to brute forcing and perhaps it doesn't make that much difference :?
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Internet Security

Post by Apollo »

greyhoundcode wrote:As an aside, while it's all well and good to be able to use whatever characters you like in a password, isn't enforcing it - you must have a symbol, you must have at least one uppercase letter etc - narrowing down the range of possible combinations?
Depends on length of password and number of allowed non-alphanumeric characters.

But either way, longer passwords are safer anyway than just enforcing a few symbols. A password of 20 random letters (even if you know it's lowercase only) has MANY more combinations than a password of 10 random letters, numbers and symbols.

Nonetheless I always use lower- and uppercase, and some numbers and symbols. I use long, generated passwords only.
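The two claims just made, greyhoundcode's that composition rules shrink the space and Apollo's that 20 lowercase letters beat 10 characters from the full set, can both be checked with arithmetic. The following is an added example, not code from the thread: it counts the search space for each case and applies inclusion-exclusion to see how much a "must contain an uppercase letter and a symbol" rule actually removes. The alphabet sizes (26 lowercase, 26 uppercase, 10 digits, 32 printable ASCII symbols, 94 in total) are assumptions of the example.

```python
# Added example, not from the thread: password search space arithmetic.
# Alphabet sizes are assumptions (94 printable ASCII characters).
import math

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
FULL = LOWER + UPPER + DIGITS + SYMBOLS  # 94


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct uniformly random passwords of `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def search_space_with_rules(length: int) -> int:
    """Passwords over all 94 characters containing at least one uppercase
    letter AND at least one symbol. Inclusion-exclusion: total, minus those
    with no uppercase, minus those with no symbol, plus those with neither
    (they were subtracted twice)."""
    total = FULL ** length
    no_upper = (FULL - UPPER) ** length
    no_symbol = (FULL - SYMBOLS) ** length
    no_both = (FULL - UPPER - SYMBOLS) ** length
    return total - no_upper - no_symbol + no_both


def rules_keep_fraction(length: int) -> float:
    """Fraction of the unconstrained space that still has to be searched once
    the rule lets an attacker skip every password that cannot comply."""
    return search_space_with_rules(length) / search_space(FULL, length)


def lowercase_length_to_beat(full_length: int) -> int:
    """Shortest lowercase-only length whose space exceeds a full-alphabet
    password of `full_length` characters (exact integer comparison)."""
    target = search_space(FULL, full_length)
    n = 1
    while search_space(LOWER, n) < target:
        n += 1
    return n


if __name__ == "__main__":
    print(f"20 lowercase letters : {entropy_bits(LOWER, 20):.1f} bits")
    print(f"10 of all 94 chars   : {entropy_bits(FULL, 10):.1f} bits")
    print(f"uppercase+symbol rule keeps {rules_keep_fraction(10):.1%} of the 10-char space")
    print(f"lowercase length that beats 10 full-set chars: {lowercase_length_to_beat(10)}")
```

The numbers bear out both posts: 20 random lowercase letters carry about 94 bits against roughly 66 bits for 10 characters drawn from all 94, and the composition rule leaves about 95% of the 10-character space intact, well under a tenth of a bit lost, so it narrows the range but not in a way that matters. Fourteen random lowercase letters already beat ten characters from the full set.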
Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA

Re: Internet Security

Post by Bill H »

I have a passwords file, which doesn't help much when their passwords rule is so abstruse that I am unable to even create a password that meets with their approval. I tried three times and it rejected all three tries.

When I was first given a password, many years ago, I was told that, under penalty of dismissal, death, excommunication, exile and plague I must never write it down anywhere on anything at any time even for a moment, even if I then immediately burned it. In crime dramas there is always the "Aha, here's his password file" moment. So the very fact that we are having to write the passwords down is making a farce of the whole process. If it is written down someone can find it.

It also doesn't help with the issue that I have to log in and out three times in the same website to view three bank totals, all of which are in my name and which bear my social security number. But for "security reasons" they cannot tie those accounts together and let me access them simultaneously. We know, of course, that they actually can and that the bank just didn't want to pay for the extra programming that would be required.

The damage that crime does is not so much the money that it steals, but the way it changes the nature of society. The purpose of terrorism is not to destroy society, but to change it, and criminals change it in much the same manner. It makes members of society close in on themselves and the society become less of a coherent, cooperating entity, more of a milling mass of non-interacting individuals who don't trust each other; reflected, among other ways, in the way we transact communication on the web.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Internet Security

Post by Apollo »

Bill H wrote:If it is written down someone can find it.
Not if it's written down on an encrypted piece of virtual paper :)
Bill H wrote:It also doesn't help with the issue that I have to log in and out three times in the same website to view three bank totals, all of which are in my name and which bear my social security number. But for "security reasons" they cannot tie those accounts together and let me access them simultaneously. We know, of course, that they actually can and that the bank just didn't want to pay for the extra programming that would be required.
Agree, in my country you can access multiple accounts using one login with all major banks. If some bank (or any other company for that matter, where there's plenty of competition) would so obviously not care about my convenience, I would give them the finger and say "sticking with your ridiculous esoteric procedures is apparently more important to you than customer service, so you know what, I'll take my business elsewhere".

They'll learn soon enough when more customers start being selective on who they do business with.
Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA

Re: Internet Security

Post by Bill H »

Apollo wrote:Not if it's written down on an encrypted piece of virtual paper
To which I can forget the password, so I have the password to that written down somewhere.
Or the password is so simple that I cannot forget it, in which case a half-witted cracker can crack it.
Or the "virtual paper" is on a disk that crashes. Which could have been avoided if I could have used passwords that I could remember.
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Internet Security

Post by Apollo »

Bill H wrote:
Not if it's written down on an encrypted piece of virtual paper
To which I can forget the password, so I have the password to that written down somewhere.
Or the password is so simple that I cannot forget it, in which case a half-witted cracker can crack it.
Or the "virtual paper" is on a disk that crashes. Which could have been avoided if I could have used passwords that I could remember.
The password to the encrypted storage is the only password you have to remember by head. And you'll use it so often that you won't forget it. And it's completely made up by your own rules, so it doesn't have to be difficult to remember, yet hard to guess. If you want, you can simply write down a hint somewhere that will only help you.

And obviously you should backup the encrypted storage frequently, preferably on locations outside your home or office.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Re: Internet Security

Post by alex.barylski »

I agree 110%.

While security is most important, usability is even more. When an application effectively becomes useless all the security in the world won't mean squat. 100% of nothing is still nothing. :P

The problem is, I rarely think security experts are usability experts, and rightly so. These cases mentioned above are just examples of poor management.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Internet Security

Post by califdon »

Interesting thread. I agree with most all the comments. But why would you expect these companies to respect their online customers any more than they respect their face-to-face customers? It would be interesting to do a correlation between companies that have a bad customer relations reputation and the kind of web and security features they offer. Several of you have mentioned the "one secure database for all your passwords" concept, and I've been using KeePass for over a year now and like it. It's freeware, but nicely designed, once you figure out a few little wrinkles. http://keepass.info/download.html
Stryks
Forum Regular
Posts: 746
Joined: Wed Jan 14, 2004 5:06 pm

Re: Internet Security

Post by Stryks »

Ha ... I just had a 15 year old moment. keepass. Ahhh ... :roll:

But on topic ... you also have to look at it from the bank's point of view. They have customers who are running short of trust, as much towards financial institutions as to the internet itself.

So, you come up with a value proposition. You want to make it appear that you can be trusted and that you are actually doing something for all those fees and charges. So you make an overly complex system, purely because the average user won't be aware that it's pointless and mistake it for an ultra-secure facility.

Much the same theory as giving a new product a high price point to give the illusion of value. I mean, if you saw two boxes with identical looking products, one for $5 and the other for $25 ... well ... the latter must be the better ... yes? Similarly, if you have to jump through hoops for security ... well ... it *must* be more secure.

Either way, they seem to flop around trying to come up with the best solution. My pet peeve about most of them is ... why, oh why, must you resize my browser to be windowed at full screen size. I HATE that. Leave my damn browser alone.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Internet Security

Post by califdon »

Stryks wrote:Ha ... I just had a 15 year old moment. keepass. Ahhh ... :roll:
No kidding, it's that old? I had no idea. It does seem to do the job pretty effortlessly, and probably as secure as any other scheme I can think of.

I have the same gripe about window resizing, including a few sites that inexplicably pop up a window that's obviously too small for its content, so it forces me to widen the window to even read what it says. You gotta admit, there's some pretty dumb web designers out there!
Bill H
DevNet Resident
Posts: 1136
Joined: Sat Jun 01, 2002 10:16 am
Location: San Diego CA

Re: Internet Security

Post by Bill H »

I guess part of my beef is that the bank is making me change my password at the bank's interval, with the bank's requirements, when it is really none of their freaking business. I am not some toddler that is still wearing diapers and cannot accept the responsibility for taking care of myself. The security of my assets is my responsibility and they are treating me as if I am not smart enough to make my own decisions as to the level of security I need.

This big brother mentality is getting out of control. Requiring a helmet while riding a motorcycle is one thing. The costs of injury are borne by society if the rider is not insured, and by those who pay insurance premiums if the rider is insured. But this increasing business of printing warnings of liability on the helmets of professional football players, for instance, and deciding for bank users what level of security they will have whether they want it or not, and taking shoes off to get on airplanes, and cancelling a flight because one of the passengers was speaking a foreign language...

Give me a break.