Dear Sallie Mae

Your "wish it was two factor" authentication scheme has just become more trouble than it is worth.

(see http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx for more info)

I can understand the cost and legal pressures that prompted this change, but that doesn't mean I have to like it. The current expert advice for preventing research attacks on challenge questions and maintaining your sanity ("did I capitalize 'Virginia'?") is to simply make the answers the same: use your strong password if the challenge response is used to reset your password, or the site name if it's used after your password/access code.

When I tried to do this, I was informed that I could not reuse any of the last 5 passwords used on your site. This is "not even wrong", and you should read "Why Software Sucks" by David Platt. http://www.whysoftwaresucks.com/ It's a good read. The last 5 passwords? Are you kidding? It's better to make one strong password for all financial sites, and until you can come up with a good way to do single sign-on between all these websites (many have tried and failed) "that dog just ain't gonna hunt".

Your site is used a handful of times a year, and no human can be expected to remember the myriad of financial websites' passwords if they need to change periodically. It's also inappropriate for you to assume we'll write them down, or God forbid, store them on disk somewhere (unless it's your Wi-Fi password - if someone can get to that, Wi-Fi is the least of your worries).

For now, I'll contact a much more expensive human representative over the phone if I need to conduct business with you. Maybe if things affect your bottom line enough, you'll take note.

FYI: to create a strong password, come up with a memorable phrase, like "You would think a security expert would know better." Then take each first letter, ywtasewkb, then alternate caps in some pattern, YwTaSeWkB, then throw in a number or two or some other character so you'll make all the different sites happy: 'YwTaSeWkB2@'. Or pick the last character. Whatever you feel like. Set all your financial website passwords to the same thing, and you'll end up typing it every day. Reboot once a year to feel really good. Make sure you use a different password for all your email addresses/social networking sites. Enjoy :)
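The phrase-to-password recipe above, written out as a small Python script so you can see each step (acronym, alternating caps, appended characters) and check the result against the usual "length plus character classes" rules that sites enforce. This is an added example, not code from the original post; the function names, the rule thresholds, and the sample phrase are my own choices, with the phrase taken from the text above.

```python
import re


def acronym(phrase: str) -> str:
    """Step 1: take the first letter of each word, lowercased.
    Punctuation (the trailing period in the example) is ignored."""
    words = re.findall(r"[A-Za-z]+", phrase)
    return "".join(w[0].lower() for w in words)


def alternate_caps(s: str, start_upper: bool = True) -> str:
    """Step 2: alternate upper/lower case through the string.
    start_upper=True gives the UpperLowerUpper... pattern used in the post."""
    out = []
    for i, ch in enumerate(s):
        upper = (i % 2 == 0) == start_upper
        out.append(ch.upper() if upper else ch.lower())
    return "".join(out)


def derive_password(phrase: str, suffix: str = "2@", start_upper: bool = True) -> str:
    """Step 3: append a digit/symbol suffix (constructed default '2@',
    matching the post) so that sites demanding a number and a special
    character are satisfied."""
    return alternate_caps(acronym(phrase), start_upper) + suffix


def meets_common_rules(pw: str, min_len: int = 8) -> bool:
    """A typical site rule set (assumed, not any particular site's policy):
    at least min_len characters, with an upper-case letter, a lower-case
    letter, a digit and a non-alphanumeric character."""
    return (
        len(pw) >= min_len
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() for c in pw)
    )


if __name__ == "__main__":
    # Sample phrase from the post above (constructed input for this example).
    phrase = "You would think a security expert would know better."
    pw = derive_password(phrase)
    print(acronym(phrase))                  # ywtasewkb
    print(alternate_caps(acronym(phrase)))  # YwTaSeWkB
    print(pw, meets_common_rules(pw))       # YwTaSeWkB2@ True
```

The acronym alone ("ywtasewkb") fails the common rule set because it has no upper-case letter, digit or symbol; the alternating caps and the suffix are what get it past those checks, which is exactly the point of steps 2 and 3.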

-- Claire

3 comments:

Jen said...

I so hear you. I hate the Sallie Mae site; every month I go there to make a payment.

Cynthia said...

I somehow doubt this is a post from Claire! Erik and I have discussed my frustration with this kind of thing, even at my work! Grrrrr. Have a great week!

Team Sax said...

Ok...we thought it would be funny to say I had written the post. You got us Cyn!