security vs. usability: “strong” passwords
Since I am a consumer of online financial services (banking, investment, etc.) and also work with financial service providers in that area, I’ve had the opportunity to sample a large number of username/password security schemes. It’s a no-brainer to prevent users from doing the obviously silly, like making their password the same as their login or having a two-character password. Unfortunately, many security scheme designers forget that their website is only one of many that users engage with, and foist schemes on their users that are irritating at best and counterproductive at worst.
Many sites now defeat form autocompletion for username fields as well as password fields. Sorry, no, I don’t remember what username I picked when I signed up with you, especially if you wouldn’t let me use my first or second choice.
One credit card company I use disallows special characters in their online account passwords. That means I had to choose a password that is actually weaker than I prefer, and it doesn’t fit the mnemonics I use to remember this stuff. That means I can either go through the password reset process a lot (irritating), guess and hope I don’t get it wrong enough times to lock out the account (also irritating), or write it down somewhere (insecure).
Same problem with sites that force periodic password changes.
Most username/password schemes are clearly meant to deal with brute-force or lucky-guess attacks, and of course that is a legitimate concern. However, the more complicated these schemes get and the more they vary between sites, the more users will start finding insecure coping strategies, like writing things down on paper. Now your complicated, unguessable password is out there in plaintext for everyone to see. Oops!
The limits of human memory and patience are just as much of an issue as more “obvious” security risks.
One online bank, ING Direct, has an interesting security approach that I have not seen elsewhere. Users log in with a customer number and short ATM-style PIN. The PIN is entered either by clicking numbered buttons or typing letter equivalents that rotate with each visit. The site tracks the user’s IP address and (IIRC) requires further validation if the IP is new. In addition, as an anti-phishing measure the site shows the user a picture and phrase they picked when setting up the account. With this approach, ING maintains account security and a smooth user experience.
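As an added example of the mechanics just described, the following code is not ING Direct's implementation (which is not public) but an illustration of how a per-visit rotating keypad, a PIN check and a new-IP flag can fit together. All names, the 10-key alphabet and the use of an in-memory set of known addresses are assumptions made here for the example.

```python
import secrets
import string


def new_keypad_mapping() -> dict[str, str]:
    """Fresh per-visit mapping from each digit 0-9 to a distinct letter.

    The user may click the numbered buttons (sending digits) or type the
    letter shown beside each digit; because the letters change every visit,
    a captured keystroke sequence is useless on the next visit.
    """
    letters = list(string.ascii_uppercase)
    chosen = [letters.pop(secrets.randbelow(len(letters))) for _ in range(10)]
    return dict(zip(string.digits, chosen))


def decode_pin(typed: str, mapping: dict[str, str]) -> str:
    """Translate what the user entered (digits or this visit's letters) into the digit PIN."""
    reverse = {letter: digit for digit, letter in mapping.items()}
    out = []
    for ch in typed.upper():
        if ch.isdigit():
            out.append(ch)
        elif ch in reverse:
            out.append(reverse[ch])
        else:
            raise ValueError(f"character {ch!r} is not on this visit's keypad")
    return "".join(out)


def verify_pin(typed: str, mapping: dict[str, str], expected_pin: str) -> bool:
    """Constant-time comparison of the decoded entry against the stored PIN."""
    try:
        candidate = decode_pin(typed, mapping)
    except ValueError:
        return False
    return secrets.compare_digest(candidate, expected_pin)


def needs_extra_validation(known_ips: set[str], client_ip: str) -> bool:
    """True when the login comes from an address not seen before for this customer."""
    return client_ip not in known_ips


if __name__ == "__main__":
    # Constructed sample session: assumed customer PIN and known address.
    stored_pin = "4821"
    known = {"203.0.113.7"}
    mapping = new_keypad_mapping()
    print("keypad for this visit:", mapping)
    typed = "".join(mapping[d] for d in stored_pin)
    print("user typed:", typed, "-> valid:", verify_pin(typed, mapping, stored_pin))
    print("new IP needs validation:", needs_extra_validation(known, "198.51.100.9"))
```

The mapping must be generated server-side and tied to the session, so the server, not the browser, knows which letters mean which digits on this visit.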