My bank requires 8 to 10 characters, [a-z]|[A-Z]|[0-9] only.
They also require you to know something easily researched from facebook (elementary school, mother's maiden name, etc.) when you use a new machine.
That they refer to this as two factor authentication makes me question their ability to do simple addition, something I consider a fairly important skill for a bank.
That was another point I meant to raise. Even if your password policy and weak-password checks are sane, if your account recovery procedure is weak, there are still planet-sized holes in your security perimeter.
And for any large system (say, Facebook, with, oh, nearly a billion accounts), user support requests (many of which are access related) are a huge cost. It doesn't take many of these to eat through the $2-$5/account/year value they're seeing.
Not that it excuses this so-called security, but for the insecurity question, you could just lie. Only problem is, then you have to remember your lies.
> They also require you to know something easily researched from facebook (elementary school, mother's maiden name, etc.)
I'll never understand why someone would provide this information to Facebook. My friends already know the details of my life relevant to our relationship.
Maybe because they're part of a "$foo High School class of '99" group/page/whatever with some friends, or perhaps both parents and grandparents are linked as friends, making it pretty easy to figure out mother's pre-marriage surname?
It's not just the explicit facts you provide; a significant part of the deeper value is from the linkages between them.
Unfortunately, many banking web sites require short passwords with no special characters, likely due to legacy databases and storage. I've even seen 6-character max restrictions. Or worse, the 4-digit PIN ones (10,000 combinations, yikes; I sure hope they have a limit and lockout for incorrect guesses).
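One way to put numbers on the policies complained about in this thread (8 to 10 alphanumerics, a 6-character cap, a 4-digit PIN) and on what a guess limit with lockout actually buys, as an added Python example that is not from any poster: the policy table, the lockout threshold of 5 and the one-in-a-million risk target are constructed for illustration, and every figure assumes a uniformly random secret, so it is an upper bound on what a human-chosen password provides.

```python
# Added example, not from the thread: keyspace, entropy and online-guessing
# odds for policies like the ones complained about above (8-10 alphanumerics,
# a 6-character cap, a 4-digit PIN). Numbers assume a uniformly random secret,
# so they are an upper bound on what a human-chosen password actually provides.
import math

ALNUM = 62   # [a-zA-Z0-9]
DIGITS = 10  # [0-9]


def keyspace(charset_size, min_len, max_len):
    """Number of distinct secrets the policy permits, summed over every allowed length."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(charset_size, min_len, max_len):
    """Entropy of a uniformly random secret chosen under the policy."""
    return math.log2(keyspace(charset_size, min_len, max_len))


def guess_probability(charset_size, min_len, max_len, attempts):
    """Chance that `attempts` online guesses hit a uniformly random secret.

    This is what a lockout threshold buys: without one, `attempts` is
    unbounded and the probability climbs to 1.
    """
    space = keyspace(charset_size, min_len, max_len)
    return min(attempts, space) / space


def max_attempts_for_risk(charset_size, min_len, max_len, max_probability):
    """Largest lockout threshold that keeps one account's guessing risk at or
    below max_probability. Zero means no threshold is low enough."""
    return math.floor(max_probability * keyspace(charset_size, min_len, max_len))


# Policies mentioned in the thread, as (charset size, min length, max length).
# Constructed table for illustration.
POLICIES = {
    "8-10 alphanumeric": (ALNUM, 8, 10),
    "at most 6 alphanumeric": (ALNUM, 1, 6),
    "4-digit PIN": (DIGITS, 4, 4),
}


def compare(policies=POLICIES, lockout_attempts=5, target_risk=1e-6):
    """Summarise each policy; returns a dict so the numbers can be checked, not just printed."""
    rows = {}
    for name, (cs, lo, hi) in policies.items():
        rows[name] = {
            "keyspace": keyspace(cs, lo, hi),
            "bits": round(entropy_bits(cs, lo, hi), 1),
            "p_guess_before_lockout": guess_probability(cs, lo, hi, lockout_attempts),
            "attempts_allowed_at_risk": max_attempts_for_risk(cs, lo, hi, target_risk),
        }
    return rows


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:24s} keyspace={row['keyspace']:.3g} bits={row['bits']} "
              f"P(guess in 5 tries)={row['p_guess_before_lockout']:.2e} "
              f"attempts at 1e-6 risk={row['attempts_allowed_at_risk']}")
```

The 4-digit PIN row is the one that answers the lockout question: five free guesses already give 1 in 2000 odds per account, and no lockout threshold at all keeps a random guess under a one-in-a-million risk, so the lockout has to be backed by something else (rate limiting, card capture, a second factor). The 8-10 alphanumeric policy sits near 59.6 bits when the password is random, which is why the thread's other point stands: with that policy the recovery questions, not the character set, are the weak link.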
Oh god, PIN codes... Two years ago my girlfriend and I had to go to our banks and get cash. Luckily they're right across the street from each other, so we walk in to mine first. I go to the ATM, tap in my PIN, do my thing and we move across the street. I'm standing by the door while my girlfriend goes to the machine. I'm still fiddling with the receipts in my pocket and whatever when I hear something. The ATM, plastered in signs telling you to cover your screen, not let anyone see you putting in your PIN, etc., was playing the key tones on the speaker. Anyone who cared to listen could hear her PIN. I've yet to encounter another machine that does that, but man, if I ever got hold of the one who decided that a 4-digit PIN was a good idea for security there would be quite an unpleasant exchange...
That would be Caroline Shepherd-Barron [1234]: 'One by-product of inventing the first cash machine was the concept of the PIN number.
Mr Shepherd-Barron came up with the idea when he realised that he could remember his six-figure army number. But he decided to check that with his wife, Caroline.
"Over the kitchen table, she said she could only remember four figures, so because of her, four figures became the world standard,"'
My bank upgraded from a 4-digit pin code authentication to a 6-letter ([a-zA-Z0-9]{4,6}) system. About legacy databases ...
Naturally, I complained and they told me it wasn't that big of a deal, because the actual transactions were protected by TAN generators. I had no answer to that.
Maybe I'm confused, but are they saying that you do use independent 2-factor authentication? If so, then that does reduce the risks associated with a weak password, even if it would be better to use a strong password in combination.
Sorry for being unclear. For the actual transactions, there is a TAN required, but for sniffing around your transactions, seeing all your bank account information and so on, all you need to log in is the 6-letter password.
"Passwords should not have more than 9 characters".
This from a financial institution.