OT: Online Accounts

Please excuse the OTness/daftness . . . I've just opened an online Post Office savings account. They sent me a user ID, and a 6 figure password in a security envelope.

Having entered the site once my web browser autocompletes the user ID, then I have to enter 3 of my password digits - the remaining three randomly blank.

How secure is this? It seems very loose compared to the NatWest version (bday-ID-password-2ndID).

Thanks, Rob

Rob

You can disable that.

If someone installed a keylogger on your PC, or eavesdropped on your WiFi, for example, they would get your complete NatWest ID and password in one go, instead of just 3 digits.

MBQ

Man at B&Q

In message , Rob wrote

The first thing you change is your password! And you should change it at regular intervals.

How many characters do they allow in a password?

If you always have to enter all of "bday-ID-password-2ndID" then someone hijacking your connection will have everything they need every time you use your account.

With your new account and, say, a 20 character password then any observer is only going to get 3 random characters in your password each time.

Furthermore, you should always configure your own computer not to remember userID/passwords in case of theft of the machine or if others in your household have access to it.

Alan

Actually, my NatWest account (at least) requires ID, then (on a separate screen), 3 digits from my PIN, and then 3 characters from my password.

Bob Eager

Remember, don't do online banking a) over WiFi, or b) from Windows.

Andrew Gabriel

I hate the systems that want 2nd, 5th and 6th (or whatever) letters of a password/phrase. I can't do that in my head, finger counting is unreliable for some reason, probably because spolling is not one of my stronge points. What *is* 100% relable is writing the word/phrase down and putting numbers against each character...

Dave Liquorice

In message , Alan writes

IME for things like banks etc. where security is especially important it's nothing as single as a user ID/password combo anymore.

Eg, for my Nationwide accounts there is an Account ID no, a piece of memorable information (which could be anything really) which is typed in. And then a 6 digit passcode, of which you have to enter 3 of the digits as prompted, from drop down lists. The intention being that you use a mouse for this, presumably to avoid the issue of keyloggers.

Our Smile account requires account no, 2 pieces of memorable info (names, schools, dates etc.) out of 3 or 4 to be typed in, and then a similar drop down selection for digits from a passcode.

It makes it a bit harder to just change a password regularly, but then they probably recognise that most people won't choose a secure enough password and won't change it regularly either.

chris French

I find using a familiar postcode (Certainly not my own!!!) makes it easier to remember.

<me9

Usually the 3 characters are from a drop down menu. Keyloggers won't get these.

Definitely.

<me9

I know the above is a bit of a bugbear for you - and it's all very well but most of the population in the real world do use Windows exclusively; so while not disputing the sentiment, the broad-brush advice not to use it with online banking just doesn't wash unfortunately.

David

Lobster

And due to inconvenient positioning of master sockets and routers, combined with a hatred of wires, lots *only* have WiFi, and don't change the security settings on the router from the supplied defaults.

Andy Burns

Alan :

I think for most people that would be overkill. I have many user names and passwords that pose no threat to my security but it would be inconvenient for me to have to enter every time. I prefer to have my browser remember as many of those as possible. I even use a browser add-on to allow the browser to remember login details for pages which have been specifically designed to prevent this.

*However* things are different with the user names and passwords that I really care about, such as online banking. For those I use a different browser. I've downloaded a copy of Google Chrome (probably the smallest and most secure mainstream browser there is) and created a shortcut to start it in "stealth" mode. So it remembers nothing - not even which sites I've visited. I use that for banking and other confidential sites only.

For me that arrangement provides the right balance between convenience and security. The main threat I'm guarding against is malware rather than theft (my computer is securely attached to my desk). Any attempt to protect against others in the household would ultimately be futile.

Mike Barnes

Such people clearly don't recognise or want to face up to the security problem. For those that do, there are always Homeplugs.

Mike Barnes

formatting link
is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

george [dicegeorge]

Not with One

Man at B&Q

Not with any I've used. One Account, A&L, Tesco, plus others.

MBQ

Man at B&Q

I've played with it and it seems good y0u-()nly,n33d-to_remember+1-decent#password with mixed characters. Also, there is a version for memory sticks in case you have to use the office machine

John

JTM

My account has been compromised twice, and on both occasions it was nothing to do with online activity. The bank wouldn't reveal the gory details but their admission that "a lot of people have been affected" suggests internal fraud was to blame. The idea that the customer is somehow at fault is mainly bank propaganda to cover up their own security problems. I copy and paste passwords from an encrypted USB stick, but who knows whether that foils the evil sprites allegedly lurking in every nook and cranny.

stuart noble

And it works with linux and windows (I have both on my stick).

Agreed - To log into the banks, I need the only copy of my KeepassX database which is on a very robust USB key (waterproof ali can type) which lives on my main key bundle - plus a mentally long passphrase.

My bank passwords are the longest allowed and randomly generated crap that no-one would even be able to remember if they saw them once let alone guess.

The only thing that concerned me is that, when I last browsed the source code, I couldn't see any attempt to mlock() (whatever the Windows equivalent is) the decrypted buffer.

This means that there is a slight chance that the decrypted passwords might end up on disk in the swapfile - though I suspect they are wiped (must check) fairly quickly.

Tim Watts
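
The mlock() concern raised above, as an added example that is not part of the original post and is not KeePassX code: a buffer for decrypted secrets is mapped in whole pages, locked so it is not written to swap, and zeroed before release. The names `secret_buf`, `secret_buf_init`, `secret_wipe` and `secret_buf_free` are hypothetical, and POSIX is assumed (`VirtualLock` is the Windows counterpart).

```c
#define _DEFAULT_SOURCE   /* added example, POSIX only; all names hypothetical */
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef struct {
    unsigned char *data;
    size_t len;    /* rounded up to whole pages */
    int locked;    /* 1 if mlock() succeeded, 0 if the pages may still be swapped */
} secret_buf;

/* Map private anonymous pages and pin them in RAM. Returns 0 on success. */
int secret_buf_init(secret_buf *b, size_t want) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || want == 0) return -1;
    size_t len = (want + (size_t)page - 1) / (size_t)page * (size_t)page;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    b->data = p; b->len = len;
    b->locked = (mlock(p, len) == 0);  /* can fail: RLIMIT_MEMLOCK, privileges */
#ifdef MADV_DONTDUMP
    madvise(p, len, MADV_DONTDUMP);    /* Linux: also keep it out of core dumps */
#endif
    return 0;
}

/* Zero through a volatile pointer so the compiler cannot drop the stores. */
void secret_wipe(secret_buf *b) {
    volatile unsigned char *p = b->data;
    for (size_t i = 0; i < b->len; i++) p[i] = 0;
}

void secret_buf_free(secret_buf *b) {
    if (b->data == NULL) return;
    secret_wipe(b);
    if (b->locked) munlock(b->data, b->len);
    munmap(b->data, b->len);
    b->data = NULL; b->len = 0; b->locked = 0;
}

int main(void) {
    secret_buf b;
    if (secret_buf_init(&b, 64) != 0) return 1;
    memcpy(b.data, "constructed-master-key", 22);  /* constructed sample secret */
    secret_buf_free(&b);   /* wiped, unlocked and unmapped here */
    return b.data == NULL ? 0 : 1;
}
```

A caller should check `locked` and decide whether to continue when it is 0. Memory locks do not cover suspend-to-disk, which writes all of RAM out regardless, so encrypted swap still matters there.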

That's better than I thought - the same encrypted file of passwords can be opened from both Ubuntu and Windows (and Macs). That's very good, and it can be backed up safely I guess. Any drawbacks?

[g]
george [dicegeorge]
