Security

Sep. 14th, 2008 03:38 pm
[personal profile] firstfrost
So, under ilhander's guidance, I got harrock a suit for his birthday, which was not at all recently, but I have been lame and scheduling the three of us for a shopping trip has been kind of slow. Anyway, they lured me into applying for a credit card with Large Discounts for the suit, which was kind of worth it. The card arrived in the mail, and I went to pay the bill online. Creating my account with them involved:

1) Verifying my identity, with all the standard types of questions.
2) Choosing a password, with a different set of character restrictions than the usual password restrictions
3) Selecting three different Security Questions, each chosen from a different population of six (what street did my grandmother live on? I don't know!)
4) Choosing a personalized caption for the Security Image that they chose for me. I'm really confused by this one. It looks like when I log into their site again in the future, they will display this image and caption to me. For... reassurance? Really, I'm not reassured by them showing me an image they picked for me and a caption that I chose when I didn't know what it was for. Am I supposed to keep this image a Secret? Do I have to remember what it is?

Baffling.

Date: 2008-09-14 07:45 pm (UTC)
From: [personal profile] dpolicar
well, it reassures you that when you connect to their website it really is their website?

Date: 2008-09-14 07:52 pm (UTC)
From: [identity profile] firstfrost.livejournal.com
Maybe it's different for other people, but I'm pretty confident that if I go to their web site again in the future, and try to sign in, that I won't even notice if they stop displaying the random picture. And if I do notice, I'm going to think "Huh, they changed their web site", not "Oh, no, someone has stolen their address and put up a fake site!"

I guess I understand what you mean, though. I'm making them prove that they know a secret (the caption I typed) before I tell them any secrets (my password). But, since I'm not yet trained to require that, it doesn't help me *feel* more secure.

Date: 2008-09-14 08:42 pm (UTC)
From: [identity profile] algorithmancy.livejournal.com
B of A started doing that a while back. They let you pick your picture from a collection of them. I can kind of see how it helps protect against phishing, though I'm not precisely sure how they keep a site from putting up some facade that makes real requests into their site and passes them through.

Date: 2008-09-14 09:11 pm (UTC)
From: [identity profile] chenoameg.livejournal.com
Yeah, I have several sites that require pictures now. Happily for me I can choose a theme and all of my pictures are related.

The security questions are a doozy. I just end up writing down the answers; I know someone else who uses the same answer for all of them.

Date: 2008-09-14 11:33 pm (UTC)
From: [identity profile] kirisutogomen.livejournal.com
If you answer the security questions as expected, it's significantly less secure than any password that isn't "password123". Bruce Schneier says he answers security questions by just banging randomly on the keyboard, and that seems to me to be the most reasonable plan.

Date: 2008-09-15 11:10 pm (UTC)
From: [identity profile] countertorque.livejournal.com
Is it that easy to figure out my mother's maiden name?

Date: 2008-09-14 09:41 pm (UTC)
From: [personal profile] desireearmfeldt
Yeah, I believe the point is to show you it's not a fake website.

I dunno, I notice the presence of the image on Vanguard's site, but you're right that I might not notice its absence. :)

Date: 2008-09-14 09:44 pm (UTC)
From: [identity profile] mjperson.livejournal.com
Think of it like a password. You tell them a password, and every time you connect, you expect them to tell the password back to you before you will do business with them.

Of course, they think you are not clever enough to remember the password yourself, so they make it a caption to a picture. Then you see the picture, you remember the caption you made up, and you see that they know it.

Date: 2008-09-15 03:36 pm (UTC)
From: [identity profile] brass-rat.livejournal.com
2) Choosing a password, with a different set of character restrictions than the usual password restrictions

Why are there so many web sites that disallow a portion of our character set (e.g., punctuation) in their passwords? Yes, this is a pet peeve of mine.

Date: 2008-09-15 07:14 pm (UTC)
From: [identity profile] firstfrost.livejournal.com
I think it's the lazy way of preventing SQL injections. :)
