July 10, 2012

Password policies do not enforce security

You know there are problems with an “online” service when you have to make a phone call in order to log in.

I’ve just had such an experience when attempting to log into Barclaycard’s online services. To log in you need to know your user ID, a numeric passcode and a memorable word, all of which I had forgotten (I used the service about 2 months ago).

The issue isn’t that they require you to enter this information; indeed, many banks have similar login systems (Santander also require 3 codes/passwords).

The problem is that the policies around these security codes do not make sense, and certainly don’t encourage security.

In Barclaycard’s case your passcode CANNOT be:

  • Your date of birth
  • More than 3 consecutive numbers
  • More than 2 repeated characters in a row

I don’t particularly agree with the last rule, but what about the final rule:

  • Your passcode must be 6 digits long

Setting a minimum length is pretty standard these days, but setting a maximum length?! How many memorable sequences of numbers do you have that meet these requirements? I imagine quite a few, but I can guarantee most of them are the birth dates of people you know.

So effectively this may as well say:

“Please enter the birth date of someone that you know”
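To put a number on the argument above, here is an added example (not from the original post) that enumerates the 6-digit space under the quoted rules and counts how many surviving codes have the shape of a DDMMYY date, the subset a person is most likely to reach for. How "consecutive" and "repeated" are read is an assumption: an ascending or descending run of adjacent digits longer than 3, and the same digit more than twice in a row.

```python
from datetime import date
from itertools import product


def policy_allows(digits) -> bool:
    """Apply the structural rules from the post to a sequence of digit ints.

    Assumed reading of the rules: no digit more than twice in a row, and no
    ascending or descending run of adjacent digits longer than 3.
    """
    repeat = up = down = 1
    for prev, cur in zip(digits, digits[1:]):
        diff = cur - prev
        repeat = repeat + 1 if diff == 0 else 1
        up = up + 1 if diff == 1 else 1
        down = down + 1 if diff == -1 else 1
        if repeat > 2 or up > 3 or down > 3:
            return False
    return True


def code_allowed(code: str) -> bool:
    """Check a passcode string: exactly 6 digits and within the rules."""
    return len(code) == 6 and code.isdigit() and policy_allows([int(c) for c in code])


def is_ddmmyy(day: int, month: int) -> bool:
    """True if day/month is a real calendar date (year ignored, any century)."""
    if not (1 <= month <= 12 and 1 <= day <= 31):
        return False
    try:
        date(2000, month, day)  # 2000 is a leap year, so 29/02 counts
        return True
    except ValueError:
        return False


def keyspace_report() -> dict:
    """Count codes the rules allow, and how many of those look like dates."""
    allowed = date_shaped = 0
    for d in product(range(10), repeat=6):
        if policy_allows(d):
            allowed += 1
            if is_ddmmyy(d[0] * 10 + d[1], d[2] * 10 + d[3]):
                date_shaped += 1
    return {"total": 10 ** 6, "allowed": allowed, "date_shaped": date_shaped}


if __name__ == "__main__":
    print(keyspace_report())
```

The rules trim only a few percent of the million codes, so the real narrowing comes from what people choose, not from the policy.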

Password policies do not enforce security. Whilst they may produce passwords that are more complex, they also produce passwords that are:

  1. Easily forgettable
  2. Less secure than memorable (personal) passwords
  3. Written down

The second point is debatable, but I would argue that from a human perspective the phrase “Anglesey” is more secure than “B0uncy1”. This is because the first phrase is something that is personal to me (a memorable holiday I went on with my Grandparents as a child (and no, I don’t use this as a password)). The second is just a common word with a few characters replaced by numbers.

Yes, friends and family may know about this personal event, but to be honest, these aren’t the people I’m worried about hacking into my bank account.

The third point is incredibly common. How many people do you know (yourself included) that have a notepad or scrap of paper with all their “secure” passwords on? I’ve just done exactly this for my Barclaycard passwords, not because I’m ignorant of the dangers of doing it, but because I know that there is no way I’ll remember these 3 passwords/phrases next time I log in.

This isn’t just a dig at Barclaycard; there are probably thousands of online services that have similar issues. The most common one is requiring that people register a username instead of just using their email address.

So how can we improve the login/registration experience without compromising on security?

  • Allow people to choose passwords that are memorable to them
  • Add rules that make sense (e.g. minimum length) but remove those that don’t (e.g. not allowing numbers).
  • Text a login code to the user’s mobile each time they want to log in. Google have recently started doing this and it works very well (note: you still need to know your email address and password).
  • Instead of memorable words, ask the user to upload a memorable image and then display it amongst a random set of images. This type of security can’t be guessed by a computer and is unlikely to be guessed by many people (and we still have the other security steps in place to keep them out).

Rant over.

© 2022 Ben Foster