Your Website Security Sucks

Security is totally important. Having had my bank account compromised not once, but twice, drove that point home.

But web security is stupid.

First, there is the whole password thing. There are rules, in general, plus site specific rules. Here is a list of just a few of these rules.

  • Never use the same password in more than one place.
  • Nothing guessable – aka, make sure you choose something you will never remember
  • No real words, names or dates of significance
  • Don’t write them down where anyone could access them
  • Six character minimums
  • 8 character minimums
  • 8 character minimums with at least 1 number
  • 8 character minimums with at least 1 number and 1 special character
  • 8 character minimums with at least 1 number, 1 capital letter and 1 special character
  • 8 character minimums with at least 1 number and the thumb print of your first-born daughter
  • Security questions
  • Mobile phone linking
  • GPS identification
  • UNlinking GPS
  • Security pictures
  • WTF???
I admit to breaking the rules. For pretty much anything that doesn’t contain banking info, or any other sensitive stuff, I use the same 3 passwords. I know. I am a sinner. It’ll totally suck when someone takes over my Pinterest account. Then there is that stray site that keeps no personal info, but they take their security too seriously, so they throw the number or special character rule at you.

So it’s the same-old with a 1 somewhere. Or a 0. Crap, maybe it was a 3. Dammit.

And which site does that? I can never remember until I try the 3 standards and get locked out because there is a three strike rule. Oop, now I gotta reset it.

Buuuut, now I have to remember which email I used to register. My work email? My personal one? The one I use for writing? Or the one I have on Yahoo if I want to register for a site I suspect is a spam factory? (This last is wise, that inbox usually has about 75 emails a day.)

And if I finally get that right?

Security questions.

These come in 2 flavors – crap anyone could look up on the internet in 5 minutes, or crap that is so obscure I’ll never remember my answer. Oh, ho, and let’s make sure those buggers are case-sensitive.

Which brings me around to my reason for this little rant this morning.

My bank. And their “new and improved” client portal.

Yesterday I logged on — or tried to — to find it looking reeeeally strange. So strange, that I called them to verify that I was in the right place and they hadn’t been hacked.

‘Cause, you know – security.

Yup, new site, complete with new login procedures.

I logged in to find I had to select answers to 3 of 5 available security questions.

I had to choose from my favorite city, favorite wine, favorite song, favorite food or favorite some other damn thing I can’t remember, which is awesome because it was one of my questions.

But I don’t have favorites of any of those things. I pretty much never drink wine, I hate cities and the others vary with the seasons, my mood and a host of other variables.

This is awesome. Odds of me remembering my answers when I forget my password are not good.

So let’s go ahead and up the ante…next I had to create a security phrase. No guidelines, no requirements that could jog my memory later, just a phrase.

Are you kidding me?

I bet any of you can guess my phrase.

Oh! Oh! But we’re not done. Now I have to select a security picture. Here are 4 to choose from, not one of which holds any significance or resonance for me.

There. I have now completed the process of making my bank account completely inaccessible to me.

And so, because I know myself, I posted this to Facebook:

[image: Facebook post]

But I was wrong. It took less than 24 hours.

Went to log on this morning to see if payroll went through, and BOOM security question.

I have to answer the security question even when I DIDN’T forget my password???

Could I answer it?
So here is a little advice for you web developers out there. When you are setting up security requirements, know these things:

No matter how many password rules you set, there will be dipshits that use passwords my 5 year-old could guess. The rest of us will use appropriate levels of caution for the content and your requirements make us hate you a little bit.

Those security questions would be a hell of a lot more secure if things like the city I was born in, or my mother’s maiden name weren’t choices. Those are a matter of public record. Uhhhh. . .

How about you let us create our OWN questions? That way, we might actually know the answer. And you can bet your ass that the questions I would ask myself could pretty much ONLY be answered by me.

See how that works there?