Tuesday, August 7, 2007

Password etiquette

I'm standing in queue at my bank to encash a self cheque, because, for once, the transaction has to be done faster than online transfer between banks affords.

My signature barely matches what the bank insists it is. In about five years of holding this account, I'm yet to finish my first cheque book. I do all my transacting online. My password is my signature.

I use a different password everywhere. I remember all my passwords, or at least all the more frequently used ones, trusting the rest to a password manager.

I never change passwords. My method of remembering tens of unique passwords doesn't work when they have to change.

And so when a site demands a password change every fifteen days as security precaution, my system breaks down entirely. I cycle through the same three passwords across all such sites. My account's security is actually weakened as a result.

Some may say that this will all change with biometrics. I don't buy that. Biometrics will face far more resistance than passwords because it conflates identity with authorisation. It requires changing the fundamental trust patterns of society, which is not an easy sale.

We're going to be a password-based society for some time. How long will it be before a class on password management becomes as elementary as one on letter writing in school?
  1. 4:01 PM
  2. Visit Original →
LiveJournal
  • Avatar

    skjaidev — Aug 7, 2007 4:58:40 PM — #

    For sites that require changing passwords every 15 days, I change password twice when I have to and revert to my original one. Thankfully most of these don't remember previous passwords / md5 etc. BTW, NSE/SEBI requires 15 day password expiry for all online trading accounts.

    I'm gonna resist biometrics as long as I can. I'd rather have my eye / finger than my money / email.
    • Avatar

      chaitrasuresh — Aug 8, 2007 1:06:08 AM — #

      What do you do when at work, you're asked to reset your password every month and that new password takes one whole day to 'percolate' into every place that might need it(CVS, intranet blah blah) and you're forced to remember both the passwords in the meantime and keep doing hit-miss thingie!!! :( !(*&(#*%@#@
      • Avatar

        vaishaksuresh — Aug 8, 2007 9:09:46 AM — #

        We have to change our password every 45 days or so, and it percolates in 15 min or less. bu the problem is that you cannot repeat the past 12 passwords :(
  • Avatar

    deponti — Aug 7, 2007 9:18:13 PM — #

    "Some may say that this will all change with biometrics. I don't buy that. Biometrics will face far more resistance than passwords because it conflates identity with authorisation. It requires changing the fundamental trust patterns of society, which is not an easy sale."


    Could you explain that...I didn't understand...I,personally, would like biometrics, because my iris or my finger is unique...
    • Avatar

      Kiran Jonnalagadda — Aug 7, 2007 10:59:26 PM — #

      Your biometric signature is a facet of your identity. That means if it is ever stolen, you can't do anything about it.

      The hardware device you interface with, whether a fingerprint scanner or iris scanner, converts your physical characteristics into a stream of bytes. The rest of the system depends on those bytes, not your actual physical characteristics. Those bytes are just like a password, except they never change. The same password everywhere, for all your life. And because they're digital bytes, a copy can be perfectly reproduced.

      A signature or a password is a form of authorisation. You supply them to indicate you are authorising something. You are not your signature or password. Biometric authentication does not differentiate between the two.

      When identity and authorisation are separate, you can do things like signing a blank cheque for a joint account or giving your daughter your ATM card with the PIN number to withdraw some money. You can't do anything of the sort with biometrics.

      The deal breaker is not in how secure or insecure something is, but in the fact that it requires you to change the ways in which you trust and deal with the people around you to be able to use this technology.
      • Avatar

        deponti — Aug 7, 2007 11:32:41 PM — #

        Thanks, that explained it much better. I had thought only as far as recognition, and had not thought of the digitalization which can then, as you say, be replicated...

        You make me think, Jace, and thank you for that.
      • Avatar

        fus — Aug 9, 2007 10:10:04 PM — #

        i disagree
        offline
  • Avatar

    jbritto — Aug 7, 2007 11:47:54 PM — #

    I was totally annoyed when icicidirect started insisting that I change the password every fourteen days. Apparently some bright soul at the NSE thought that this was the best way to increase security.
  • Avatar

    teemus — Aug 8, 2007 5:30:07 PM — #

    I like HSBC's approach to online banking - password + RSA token.
  • Avatar

    thaths — Aug 11, 2007 4:35:45 AM — #

    Can you recommend a good password manager on OSX? Something that can interoperate with Revelation password manager would be nice, but not required.

    • Avatar

      Kiran Jonnalagadda — Aug 11, 2007 9:04:21 AM — #

      I'm quite happy with OSX's Keychain Access, the in-built manager.
  • Avatar

    januarybitch — Aug 15, 2007 6:23:20 PM — #

    I guess forgetting your password is a problem that can be solved easier as compared to getting pulled up cos the signature on the cheque you issued doesnt match the signature that you had initially submitted...4 years ago!

Leave a Reply

You can respond with a photo by tagging it on Flickr with