franc11s

I work in IT but I do worry about one day, being a target. I keep all my passwords secure but it seems, this is just getting worse, not better...

We need something better than passwords.....

http://money.cnn.com/2005/11/07/tech...kers/index.htm

BigDavyG

Surely brokerages should only allow withdraws to the accounts or cards that were used to deposit the cash in the first place. That's what most on-line gambling sites do.

anotherlimey

What do people expect when all you need to access bank/brokerage sites is a username and password?

ironporer

I keep waiting for the day when I can buy a $39.99 thumbprint scanner or similar and do away with all the god damn passwords.

It is so bad that at work I have to keep a list inside my desk of all the pw for my different customer's web sites, the mainframe, email, bank, 401-k, blue cross, pay pal, etc etc. Kinda defeats the purpose methinks.

BigDavyG

Ahh, the mianframe. It used to be that I couldn't wait to move on to something new. Then they moved me onto a CMM team - now I long for the green screens again.

I keep all my passwords in a text file stored on cd at home - real pain in the ass though. I also let mozilla remember most of them for me which probably isn't a smart thing to do.

Elvira

It's very difficult to keep up with passwords and usernames. It's virtually imossible to have the same PW for everything as so many sites have different requirements in terms of length, including numbers etc. In any event, it's probably not smart to have just one PW anyway.

The problem is, with over a dozen passwords and different user names, most people probably write them down somewhere - which in turn reduces security. So one is in a kind of no-win situation.

BritGuyTN

Financial institutions would do well to implement 2 factor authentication such as RSA secureID or other token-based offering

Bank of america is pretty crap, just requiring a simmple username and password

at least most Uk orgs need three types of password for authentication

fatbrit

The best idea I ever used for password security to a financial site was in my second home in the backwaters of former communist Europe.

The access to the bank site we used worked like this:
* You entered a standard username and password on the front page
* You went through to a secondary log in page which required another password.
* The bank instantly text messaged the one-time secondary password to your cell phone.
They had a couple of things working for them in implementing this system. Firstly the state telephone company was so bad that everybody had a cell phone, secondly there were only two cell phone companies, and thirdly neither company charged for receiving text messages.
I thought it was an excellent idea -- caused us endless problems trying to run the account from the States, though!

Also, have noticed recently Ingdirect have changed their log on system. You now need to enter your pin using a mouse. Presumably stops keyboard loggers picking up your pin.

anotherlimey

Writing down your passwords isn't necessarily a bad idea, it allows you to keep track of many complex passwords.

anotherlimey

Doesn't stop the screen grabbers from logging picture and your mouseclicks though.

I'd go with the RSA solution above if I owned a bank.

Bob

You can get cheapo thumbprint scanners that'll do the job for stuff your end...doesn't help with the bank though....but speaking of, a mate did that for a major project at uni, worked a treat, but when he tried touting it to banks, they wouldn't have anything to do with it because of data protection and all that personal info, having to store peoples thumbprints....but basically it encrypted the data like current passwords, but worked rather quickly even scanning a massive database...admittedly his huge database was filled with rubbish, but it proved a point.

franc11s

FYI - A cheap trick for passwords is to use numbers for like letters :-


L becomes a 1
E is a 3 (E backwards)
S is a 5
h is a 4
O is a zero
B is an 8
etc., do something that is OBVIOUS to YOU, not to others.

For capital letters use 2 of the numbers where each letter would be. Use 3 letters for financial sites. So if you password is lemon it could be 13m0n or 111333m000n

Also, you don't have to write down the password, you could right down yellow favorite....

Now to come up with the password in the first place, pick a theme and for 3-6 months (or longer) keep that Theme for all passwords..

It means you don't have to write stuff down... because YOU will remember YOUR theme. Pick a simple or complex theme....

Say the theme is favourite foods..

c41ck3en or c4411ck33en (chicken)
v1nda100 or v11nda110000 (vindaloo)

or a complex theme like rhyming slang

wh15tl3 (whistle and flute - suit)
d0gandb0n3 (Dog and bone - phone)

or grand parents middle names

or weird topics..

Ok, you get the point...

I never forget a password, I now only forget the user id so I have to write that down... but I do a password hint to the real item but even if someone guessed it, they won' t know your number replacement scheme..

Roadster280

I bank with First Direct in the UK. They have multiple methods of authentication. First, you need your postcode or customer ID (If an expat, so no postcode). You also need your name and initials, account number is no good. Then you have a password, and three or four secondary questions (which I won't go into for obvious reasons, but simple things like "favourite colour"). For someone to spoof a client, they would need to know all of this info, because they always ask for a different combination of these items, and never the whole password, just three letters of it.

Works for me, I feel that it is secure, and that the things are easy to remember (except the bloody customer ID!). Noone would be able to guess the answers to the secondary questions.

anotherlimey

Or they could just have had a screen capture program and keylogger on your PC for a few weeks.

BritGuyTN

hopefully the fact that you have up to date

AV
anti-spyware
windows updates
windows firewall

will mean that this kind of malware are not on your system

keeping systems secure is actually very straightforward, disinfecting one with horrible spyware that got in before the above measures is more challenging