You call it 'hacking.' I call it 'investigation'

Here's a photo of what I had for lunch! Amazing!!! No it isn't amazing. It's your lunch. You gotta see the new 4k TV I bought today! Thanks for giving me a fascinating, if cursive, inventory of your consumer durables. Took Jonesy out for his walk and he chased a rabbit. Nice to have your pet's name. Could be useful. 28 …

  1. chivo243 Silver badge

    "a bit of a loner"

    Just call me Leonard "Lenny" Kosnowski...

  2. disgustedoftunbridgewells Silver badge

    I assumed the first video was going to be Turning Japanese by The Vapours.

  3. Franco Silver badge

    As I have posted here before, I have actually been accused in an interview (for an IT Security job) of having something to hide due to my very small online footprint.

    If I buy a pizza, it's to eat it. Not take pictures of it. Nor do I have any interest in other people pretending how great their life is compared to mine by the stream of selfies they post in "exotic" locations.

    1. Warm Braw Silver badge

      having something to hide due to my very small online footprint

      Well, you know what they say: small feet...

  4. Novex

    We're pretty much screwed anyway. Even if I try to take care where my personal information is held and that it isn't easy to get at, as long as someone else needs it and chooses to store it on Arsebook or Groogle, I can't stop a hacker getting it second-hand.

    When it comes to authentication with banks, we are asked to give them information so 'they know who they are talking to', but they seem resolute not to let us as consumers have the same confidence in them. Where's the password or memorable information I can ask for the first, fifth and eighth character from that they have to remember so that I know they aren't some scammer?

    1. Anonymous Coward

      Counter productive

      "... ask for the first, fifth and eighth character from that ..."

      It's easier to remember the entire password than it is the nth character. So how many people end up writing down their password just so they can work out which random characters to enter this time?

      1. Doctor Syntax Silver badge

        Re: Counter productive

        '"... ask for the first, fifth and eighth character from that ..."

        It's easier to remember the entire password than it is the nth character.'

        No need to write it down. The first character is 1, the fifth is 5 and the eighth is 8....

      2. David Nash Silver badge

        Re: Counter productive

        "It's easier to remember the entire password than it is the nth character"

        Not after 20 years with First Direct. I can tell them any "nth" character without thinking.

        1. John Tserkezis

          Re: Counter productive

          "Not after 20 years with First Direct. I can tell them any "nth" character without thinking."

          So you haven't changed your passphrase for 20 years?

          Good to know.

          1. Remy Redert

            Re: Counter productive

            Is there any way for them to verify the Nth character of the password without having the password stored in the clear somewhere? If so, is there any point changing the password regularly when it's being stored in the clear on the bank's side and thus available for hackers anyways?
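An added example, written for this thread and not taken from any commenter or from any bank's real system, of one way a service could check a challenge such as "characters 1, 5 and 8" without keeping the clear password: at enrolment it stores a salted, slow hash for every k-position subset and discards the password, and a separate function puts a number on what that buys against someone who has stolen the stored hashes. The password and positions below are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets
from itertools import combinations

# Printable ASCII: the alphabet an offline guesser has to cover per character.
ALPHABET_SIZE = 95


def enrol(password: str, k: int = 3, iterations: int = 100_000) -> dict:
    """Service side. Store one salted PBKDF2 hash per k-position subset of the
    password; the clear password itself is not kept after this call."""
    salt = os.urandom(16)
    hashes = {}
    for positions in combinations(range(len(password)), k):
        subset = "".join(password[i] for i in positions).encode()
        hashes[positions] = hashlib.pbkdf2_hmac("sha256", subset, salt, iterations)
    return {"salt": salt, "iterations": iterations, "length": len(password),
            "k": k, "hashes": hashes}


def issue_challenge(record: dict) -> tuple:
    """Pick a random stored subset; 0-based here, shown 1-based to the customer."""
    return secrets.choice(list(record["hashes"]))


def verify(record: dict, positions: tuple, answer: str) -> bool:
    """Check the customer's characters for the challenged positions in constant time."""
    expected = record["hashes"].get(positions)
    if expected is None or len(answer) != len(positions):
        return False
    digest = hashlib.pbkdf2_hmac("sha256", answer.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, expected)


def offline_guesses(record: dict) -> dict:
    """Worst-case guesses needed by someone holding the stored hashes:
    per subset hash (95^k) versus one hash of the full password (95^n)."""
    k, n = record["k"], record["length"]
    return {"per_subset_hash": ALPHABET_SIZE ** k,
            "subsets_stored": len(record["hashes"]),
            "full_password_hash": ALPHABET_SIZE ** n}


if __name__ == "__main__":
    # Constructed sample password; never a real credential.
    rec = enrol("Tr0ub4dor", k=3, iterations=20_000)
    chal = issue_challenge(rec)
    print("challenge positions (1-based):", [p + 1 for p in chal])
    print("correct answer accepted:", verify(rec, (0, 4, 7), "Tbo"))
    print("wrong answer accepted:", verify(rec, (0, 4, 7), "Tbx"))
    print(offline_guesses(rec))
```

With k=1 every stored hash covers a single character, so at most 95 guesses per position recover the whole password offline and hashing adds almost nothing over clear text. With k=3 each challenge hash needs up to 95^3 guesses, which a slow KDF makes expensive but which is still far short of the 95^n space of a full-password hash. That cap on the offline cost is the real trade-off in partial-password schemes, and it is why such deployments tend to rely on reversible encryption under hardware-protected keys rather than on hashing alone.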

      3. Mudslinger

        Re: Counter productive

and when your online password is the same as your customer service password and not encrypted (yes Plusnet, I'm looking at you)...

    2. Doctor Syntax Silver badge

      "When it comes to authentication with banks... they seem resolute not to let us as consumers have the same confidence in them."

      I have had several phone conversations initiated, supposedly by HSBC, the then bankers for my then business which never got beyond my telling the caller I didn't believe they were from HSBC because they [cw]ouldn't prove it.

      1. tfewster Silver badge

        Re: HSBC

        Strange, as a personal customer and a few arguments about them proving who they were first, they found a way:

        "Our records say you were born on the nth day of the month; Could you confirm which month?"

        or

        "You have a standing order set up to $COMPANY. Can you tell me approximately how much it is for?"

        1. G7mzh

          Re: HSBC

          I used to work for a large credit company in their call centre; when we called people we were supposed to just ask for a couple of details to confirm that the person who answered the phone was who we wanted to speak to, but in practice we generally (unofficially) used a similar system - "I see you live in NW1, what's the rest of the postcode?" and so forth. If the person at the other end wasn't who we wanted, we hadn't given anything away.

          If they insisted, we asked them to call the number on their card.

      2. Allan George Dyer Silver badge

        It isn't working...

        When a bank asks me for my DoB to verify my identity, I've taken to demanding that they send me a birthday present at the appropriate time. Sadly, this hasn't resulted in an increase in the number of presents I receive.

      3. GrapeBunch Silver badge

        Ha ha. In long ago more innocent days, I got a call from an HSBC rep who suggested a better pigeon hole (still within HSBC of course) for some dosh. After a lot of discussion (she needed to convince me!), I agreed. Then she asked for whatever the security was at the time. "But you called me!" So the call and discussion turned out to be pointless. Hmm, maybe HSBC could corporately sponsor the TV quiz game, Pointless.

      4. CrazyOldCatMan Silver badge

        > didn't believe they were from HSBC because they [cw]ouldn't prove it.

        Yup - I've had those:

[Telephone noise]

        >Hello, COCM here.

        "This is [your bank] - we would like to discuss stuff with you. But first, we need to determine if it's really you".

>Can you prove you are from [your bank]? For example, can you tell me the last two digits of my bank account number? Can you tell me what the largest deposit (oo-er!) was in the last month?

        "No - because we can't be sure that you are you. You could be not-you!".

        >Indeed. Same applies.

        "But, but - we're the BANK! We wouldn't lie to you!"

        >Cough, splutter, goodbye.

        [Cue telephone cutoff noises and queries from Mrs COCM about who I was speaking to. She seems to be nicely learning paranoia^W caution from me..]

    3. TheTor

      @Novex

      Santander online banking does, dunno about others. When you register, you pick a phrase, and picture that they show to you each time you login (after entering your personal customerId, before entering your username/password).

      1. cambsukguy

        And, in case you did not know, like me, Santander do the 2nd, 5th, 8th thing too now, but only for new customers it seemed.

        I noticed when my boy logged in. So I asked Santander if I could have the better log in please. They then just enrolled me (by sending a letter with the first part of the sequence).

        So now they have:

        1. Customer ID, you can set this how you wish but they give you a large number to start with. It is visible and not meant to really be secret.

        2. A picture and phrase, not really sure how this works, it always shows the same ones, I don't have to select them except when I chose them. I presume that, when another computer is used, they ask you to choose the correct ones.

        3. Selected characters from a password.

        4. Selected digits from a pass number.

        5. Answers to rather more complex questions than Mother's maiden name (for which I use a made up name BTW, why wouldn't you? just pick a movie star, anything reasonably memorable, they are not going to guess it in the tries available).

        Also, despite not wanting someone to see your bank account contents, taking the money requires a new transfer and this *does* require 2FA so it has additional security.

        Note: some years ago, someone called my bank using telephone banking and managed to enrol themselves into the new telephone banking security system and empty my account because, apparently, Santander had added secure telephone banking but did not require letters or on-line use before allowing it to be used. I had no idea it even existed since using the telephone to bank is as old-fashioned to me as using an abacus to calculate. This may be why Santander have a slightly superior system now. Yes, they did refund me and added £200 on top for my trouble.

My view is that I prefer 2FA; despite the article, Russian hackers cannot easily steal my phone. If a phone is stolen and then hackers are informed so they can then use the 2FA, the time expired will almost certainly be enough to prevent access, especially when a phone is locked, I could probably remotely wipe it before they accessed it. As for hacking my phone while I have it, even less likely given the phone OS I use.

        Basically, you call the bank first when compromised, email accounts etc. pale in importance. I also know my phone isn't stolen when I log in to something like PayPal so the 2FA feels useful and very hard to defeat. My MS/cloud account is the same, first the password must be guessed and then the 2FA must be defeated, difficult; then you get to see my photographs and some invoices etc., not really worth it.

        I would feel hugely better if the Bank used 2FA on top of all the other stuff, simply because I find it very easy to use.

        It would be even cooler if they used the authenticator app system, already present, no text needed. But, being banks, they would have to have their own.

        1. NotBob

          Some banks use the picture as a way of identifying themselves to you. If you see the wrong picture, you either have the wrong account or it isn't actually your bank.

          1. disgustedoftunbridgewells Silver badge

Tesco bank do that (I have one of their credit cards). I typed in the wrong username once and I got the wrong picture - I was quite confused at first.

            It did occur to me though, a phishing site would just proxy this image to their site. It doesn't add any security at all.

        2. Captain DaFt

          My ID setup with the bank is simple

          If they need to contact me, they send me a letter.*

          I show up, show my driver's license and bank card.

          Then we discuss things face to face.

          I see no need to change things.

          *Yes, snail mail.

          1. Anonymous Coward

            Re: My ID setup with the bank is simple

            "If they need to contact me, they send me a letter.*

            I show up, show my driver's license and bank card.

            Then we discuss things face to face.

            I see no need to change things.

            *Yes, snail mail."

            My bank is open Monday to Friday 9am-4.30pm.

            My working week is Monday to Friday 9am-5.30pm.

            This is extremely inconvenient. Even sorting out a mortgage necessitated taking a half day off.

            I do believe that in the big cities banks open on a Saturday morning! With the associated parking costs visiting a big city entails, or trying to work out which buses are actually running from and to the sticks on a weekend morning.

      2. Doctor Syntax Silver badge

        "you pick a phrase, and picture that they show to you each time you login"

        The issue here isn't logging in online (and, BTW what you describe online wouldn't prevent a man in the middle attack) it's about banks being able to prove their ID when they call you.

    4. IsJustabloke
      Facepalm

      "Where's the password or memorable information I can ask for the first, fifth and eighth character from that they have to remember so that I know they aren't some scammer?"

      I agree... I'm bored with having this conversation..

      Caller: can you tell me the 2nd and 3rd letters of your password?

      me: yes I can.

      Caller: Er...

me: you called me, how do I know you are who you say you are?

Caller: well, if you pass security I can tell you what it's about.

      me: you called me.

      caller: you can ring this number... 083545473839

me: *YOU* called me, why should I trust any number you give me?

      caller: but I'm from your bank!

      me: then prove it! You tell me what credentials you've got and I'll tell you if they're correct

      caller: I can't do that because of security

      me: Oh well.. bye then.

      1. cambsukguy

        They really should have a free number advertised on their bank site for you to call them when needed.

        Or just say that there is a secure message waiting for you on the bank account, like my bank does.

        I can't recall the last time my bank called me, it has been at least a decade.

        1. Anonymous Coward

          Or just say that there is a secure message waiting for you on the bank account, like my bank does.

          Dear cambsukguy,

          A New Secure Message Is Waiting For You. Click The Link To View.

          http://secureserver.yourbank.example.com/images/dodgyscript.php?id=123456

          Regards,

          Your Bank

          1. cambsukguy

            Obviously, you have no secure messaging with your bank, or don't use it.

            I was discussing a real, in use, system. It is not too complicated and works like this (you were close, but not close enough).

            From: pleasedonotreply@your.bank.co.uk

            To: your.address@your.email.com

            You have received a secure message.

            ...Followed by truly insane amounts of boilerplate disclaimer/registered addresses etc.

            I suppose actually saying 'Don't click anything in this message' would be pointless because that text might just be removed in a phishing email.

            This is a useful system obviating the need to keep checking on the site to see if they answered one's question.

            1. Squander Two

              > I suppose actually saying 'Don't click anything in this message' would be pointless because that text might just be removed in a phishing email.

              No, it gets users into the habit of seeing that message and so expecting that from their bank, which increases the likelihood of alarm bells ringing when it's not there. Although, personally, I don't think banks have done anything like enough to instill this lesson. There should've been primetime TV ads for the last decade just saying "Hi. This is a message from every single bank in the UK. We will never ever ever send any of our customers an email with a link in it. If you get an email with a link in it, it's not from us, and you should never click it."

              I've had the "But you called me!" argument with First Direct a couple of times -- except it wasn't an argument, as they just said "Sure, no problem. Call us on the usual number and ask to be put through to my department." Since they (unlike some) answer the phone dead quickly, not a problem.

        2. el_oscuro

          "I can't recall the last time my bank called me, it has been at least a decade."

I get calls all the time - one from "Dept of Justice" with the guy being very threatening, saying I could be prosecuted if I didn't pay the fine. Official looking caller ID and all, scary as shit. I looked up the number and it was a Magic Jack number from San Bernardino. Somehow I didn't think it was the real DOJ.

          The government doesn't call you anyway, they send mail. And if it is really nasty, the summons is delivered by the sheriff. But scammers use mail too. I once got something official from the "Department of Commerce" with a return address of 2000 Pennsylvania Ave, Washington DC NW, about 4 blocks from the White House. So I looked it up and it was a shopping center.

      2. macjules Silver badge

        Yes, it still perplexes me that BT would want to outsource their IT security to Nigeria. I told the nice gentleman when he called to tell me that unfortunately BT had given my computer a virus that I was sure that I had only just spoken to one of his colleagues last week from somewhere in India. He even said the same thing, that there was an error with credit card details I had given him to 'fix' my computer and so he would have to send me a virus help file in order to resolve the problem. For some odd reason his help file was blocked by my anti-virus scanner: I wonder why.

    5. salamamba too

      Security questions

My bank got this message when I kept refusing to give them information on the phone to identify myself, as I had no evidence who they were. As a result, I get virtually no sales calls, and we came to an arrangement re identification.

      As regards security questions, you don't use your mum's real maiden name do you? I never have.

      1. Franco Silver badge

        Re: Security questions

        <snip> when I kept refusing to give them information on the phone to identify myself</snip>

I once applied for a job, and when the recruitment company called me they asked me to verify my postcode to prove my identity. I pointed out to them that the postcode they had for me came from the same CV that had my phone number, so if I wasn't who I claimed to be I would already have falsified the data they had. This put them into stack overflow, repeat question until answered no matter how stupid the question is, at which point I decided that if they were this bad about just speaking to me the job description was bound to be gibberish too and gave up.

      2. yoganmahew

        Re: Security questions

        @salamamba too

        "As regards security questions, you don't use your mum's real maiden name do you? I never have."

        I did, but it got hacked, so I've had to dump her and get another mum. Right pain that was. The dog was really put out too. And it was such a hard letter to write to my favourite teacher to tell him I'd chosen another. I'm still working out how to replace my fingerprints... I think I can get new ones each month, at least until they rot.

        1. el_oscuro
          Alert

          Re: Security questions

Those "security questions" aren't. They are really just passwords that are usually stored in the database in clear text. Hackers don't look up your mum's name from public records, as they probably don't know who you actually are. They just get SQLi on some crappy website and dump the database. Then they know what answers you use for those questions and can pwn you on other websites.

For anything important, I use keepassx to manage my passwords and have a script to generate answers for those questions from /dev/random. I store the answers in keepass along with the questions so I never have to remember anything.

          1. Ken Moorhouse Silver badge

            Re: script to generate answers

            Mr Oscuro, are you sure your mother's maiden name is xty6t3rm#8yt ?

        2. CrazyOldCatMan Silver badge

          Re: Security questions

          > I'm still working out how to replace my fingerprints...

          Become a tree-surgeon or a bricklayer. You'll soon have no fingerprints left..

      3. tony2heads

        Re: Security questions about mother's name

        I couldn't because it is Irish and starts with an " O' "

        Their software could not accept " ' " as it wanted letters only.

        I suspect it would have the same problem in South Africa where some names include " ! " for the click sounds.

      4. Anonymous Coward

        Re: mum's real maiden name

        "As regards security questions, you don't use your mum's real maiden name do you?"

        I wonder how people with the same current surname as their mother's maiden name get on. Are they allowed to use the same name twice? Or are they viewed by security personnel as "awkward bastards"?

        1. Anonymous Coward

          Re: mum's real maiden name

          "I wonder how people with the same current surname as their mother's maiden name get on. Are they allowed to use the same name twice? Or are they viewed by security personnel as "awkward bastards"?"

I once knew someone who had recently got a dog and used his mum's maiden name as its name.

          He signed up for online banking:

          - Memorable name:

          $maidendog

          - Pet's name:

          $maidendog

          - Mother's maiden name:

          $maidendog

  5. Gene Cash Silver badge

    Meh, don't use your real info

    So I just don't use my real info in those "What is your spouse's name?" type of questions.

    And yes, once I got asked how I had a "spouse's name" since I wasn't married, according to the rest of their info.

    1. lglethal Silver badge
      Trollface

      Re: Meh, don't use your real info

As my answers to those questions tend to revolve around some variant of "f$ck off!", "get nicked" or "pi$$ off", people probably think I really didn't like getting given a dog as a kid...

  6. Anonymous South African Coward Silver badge

    Meh to all of this tomfoolery with security tokens, 2FA, and all that shizzly stuff.

    What'll they ask for next? Biometric ID of your anus?

    1. chivo243 Silver badge

      @Anonymous South African Coward

      Colon scan... is the correct terminology ;-}

      1. Ben1892

        I knew I'd been doing it wrong - I thought it said RECTANAL scan, no wonder I've been getting funny looks trying to get onto the secure floor at work

        1. macjules Silver badge

          +1 for the belly laugh I've been needing all week.

    2. Sorry that handle is already taken. Silver badge

      Biometric ID of your anus?

      Look no further.

  7. Warm Braw Silver badge

    Please keep your biometric nettles away from my arse

    One of the concepts that seems to be missing from "security" considerations of online systems is that of proportionality. That means, of course, that the security of access should be proportionate to the risk of unauthorised access - but conversely, that high-risk systems probably shouldn't depend entirely on online credentials because high-stakes attackers are inevitable and requiring them to post a letter or turn up in person is one of the most effective ways of thwarting brute-force or large-scale attacks.

    Online access to my credit card account used to be fairly low risk, because all anyone could usefully do if they gained access was to pay my bill for me. Now any unauthorised user can change my registered email address, home address, access my credit score and do a whole bunch of other things that might threaten my financial security.

The solution to this is not to add biometric complexity so that I can continue to use the one low-risk function I've ever needed (to pay my bills) but to allow me to remove access to the higher-risk functions I don't want.

    1. lglethal Silver badge
      Go

      Re: Please keep your biometric nettles away from my arse

But then the banks would have to actually keep branches open rather than shutting them down and pocketing the profit of outsourcing everything. We can't allow that sort of thinking to happen!

      1. Warm Braw Silver badge

        Re: Please keep your biometric nettles away from my arse

        the banks would have to actually keep branches open

        Not that this wouldn't be a good idea, but banks do (for the moment) have large networks of ATMs. It wouldn't be impossible to arrange that if you want to do something potentially risky - like change your address or transfer a large amount of money - that you have to visit a nominated machine and present your bank card. Might help Mr. D. keep off those lost kilograms, too.

        1. cambsukguy

          Re: Please keep your biometric nettles away from my arse

          Wouldn't it be nice if you could present your bank card to your PC instead and use the PIN to verify it is you.

          Or even wave the wireless bank card at your PC or phone, it would remove a huge amount of issues in one fell swoop.

          It could be additional after all because it is so easy for the owner to do, and so hard for others.

          1. Gordon861

            Re: Please keep your biometric nettles away from my arse

            Barclays give you a little keypad like a small calc that you can plug your card into.

            When you login online you need to enter the last four digits of the card.

Put the card into the keypad, and enter your PIN.

            That then gives you an eight digit code to type on the webpage.

            It does the same whenever you want to add new payments or standing orders etc.

            Seems about as secure as you can get it so far.
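The reader-and-card flow described in the post above, modelled as an added example: this is my own simplified model of a challenge-response card reader, not Barclays' or any bank's actual scheme, and the key, PIN, card number and payee details are constructed sample values. The card's key never leaves the reader and the PIN is checked on the device, the login challenge is a single-use random nonce, and a payment challenge binds the payee and amount so that a code generated for one payee cannot be replayed for another.

```python
import hashlib
import hmac
import os
from typing import Optional


def _otp(key: bytes, message: bytes, digits: int = 8) -> str:
    """Truncate an HMAC-SHA256 over the challenge to a fixed number of decimal digits."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % (10 ** digits):0{digits}d}"


class CardReader:
    """Customer side. Holds the card key; nothing typed into the web page
    reveals the key or the PIN, only the short-lived response code."""

    def __init__(self, card_key: bytes, pin: str, max_tries: int = 3):
        self._card_key = card_key
        self._pin = pin
        self._max_tries = max_tries
        self._tries_left = max_tries

    def respond(self, pin_entered: str, challenge: str) -> Optional[str]:
        if self._tries_left == 0:
            return None                      # locked after repeated wrong PINs
        if not hmac.compare_digest(pin_entered.encode(), self._pin.encode()):
            self._tries_left -= 1
            return None
        self._tries_left = self._max_tries   # correct PIN resets the counter
        return _otp(self._card_key, challenge.encode())


class Bank:
    """Service side. Knows each card's key and the one outstanding challenge per card."""

    def __init__(self):
        self._cards = {}      # last four digits -> card key
        self._pending = {}    # last four digits -> challenge awaiting a response

    def enrol_card(self, last4: str, card_key: bytes) -> None:
        self._cards[last4] = card_key

    def login_challenge(self, last4: str) -> str:
        # Prefix distinguishes login from payment challenges so codes cannot be swapped.
        self._pending[last4] = "L" + os.urandom(4).hex()
        return self._pending[last4]

    def payment_challenge(self, last4: str, payee_account: str, amount_pence: int) -> str:
        # The code now depends on payee and amount; altering either invalidates it.
        self._pending[last4] = f"P{payee_account}:{amount_pence}"
        return self._pending[last4]

    def verify(self, last4: str, code: str) -> bool:
        challenge = self._pending.pop(last4, None)   # single use, whatever the outcome
        key = self._cards.get(last4)
        if challenge is None or key is None:
            return False
        return hmac.compare_digest(code, _otp(key, challenge.encode()))


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed sample key
    bank, reader = Bank(), CardReader(key, "4567")
    bank.enrol_card("1234", key)
    code = reader.respond("4567", bank.login_challenge("1234"))
    print("login accepted:", bank.verify("1234", code))
    print("replay accepted:", bank.verify("1234", code))
    pay = reader.respond("4567", bank.payment_challenge("1234", "11111111", 25000))
    bank.payment_challenge("1234", "22222222", 25000)   # payee altered in transit
    print("tampered payment accepted:", bank.verify("1234", pay))
```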

            1. Doctor Syntax Silver badge

              Re: Please keep your biometric nettles away from my arse

              "Barclays give you a little keypad like a small calc that you can plug your card into."

              So does my bank. I tried to use it once. It didn't work.

              1. FredBloggs61

                Re: Please keep your biometric nettles away from my arse

                Nat-West gave me one of these card reader/pin generator things, when I opened an account with them about 8 years ago.

                Four years later when I had to get around to adding a new payee, I had to ask them to send another one out as the last one probably got chucked out as a useless remote control.

                Two years later again, and the dog had managed to chew this one up, so "please send a new one" again.

                On my fourth now and can't find that...

            2. CrazyOldCatMan Silver badge

              Re: Please keep your biometric nettles away from my arse

              >Barclays give you a little keypad like a small calc that you can plug your card into.

              Nationwide do likewise.

          2. Mookster

            Re: Please keep your biometric nettles away from my arse

There are CAP/EMV readers that let you put your credit card in your PC..

        2. Mage Silver badge

          Re: visit a nominated machine

          Sounds like a good idea.

          Except it's probably really easy to make a fake ATM, that has "run out of funds" and put a burner SIM and mobile into it connecting to a burner IP address to capture PINs and other infos.

        3. rd232

          Re: Please keep your biometric nettles away from my arse

          "It wouldn't be impossible to arrange that if you want to do something potentially risky - like change your address or transfer a large amount of money - that you have to visit a nominated machine and present your bank card. "

          This - and a lot of other options besides. For high-risk actions, there should be at least the *option* of a higher security requirement - eg I'd be perfectly happy knowing that my bank address can only be changed face to face with a member of staff in a branch on presentation of photo ID, or that to send over £1k to a new recipient requires a trip to an ATM to confirm, where for others that's too much hassle or otherwise impractical. So set minimum standards, but allow customers to choose higher ones to protect themselves if they wish.

  8. Anonymous Coward

The truth? You can't handle the truth!

    No reason why my pet can't be called "Dav1d Pigf*ckr", and my place of birth is "Dark Side of the M00n"

  9. Dr_N Silver badge

    Arsewords

    Those really would be best suited for logging on.

  10. Robert Carnegie Silver badge

    I don't think that ahwquobehjdltfshohctyowa is guessable.

    It is selected letters from words in a newspaper story.

    Admittedly I'm not going to memorise it either. Not with 20 other passwords I also need to change once a month.

    As for 2FA, a device could be stolen... and then I will report it stolen, and I will obtain a new one.

  11. Pete 2

    challenge / response

    > As for my pet, IT chiefs would rather I give it a name comprised of upper- and lower-case letters, three numbers and at least one special character

    No, they would rather that you didn't actually tell them your pet's name at all.

    The questions asked can take any answer. It doesn't have to be related to the subject of the question (except where date or numeric fields are all that's available).

So a valid answer to the question "What was the name of your first teacher?" could easily be "pork sausages". Since the computer asking the question has no way to know if you are telling the truth - and it probably doesn't care that 90% of respondents were born on January 1.

    The only thing you then need is to remember which answer you gave to which question. Which is why everyone writes them down, anyway.

    1. lglethal Silver badge
      Joke

      Re: challenge / response

      Hmmm is there a reason why the first nonsense answer that came to your mind when referring to your "first teacher" was "pork sausages"?

      Perhaps there's something you'd like to discuss with the class? ;)

      *cough* Freudian Slip *cough*

    2. VinceH Silver badge

      Re: challenge / response

      "No, they would rather that you didn't actually tell them your pet's name at all"

      I suspect that was the point Alistair was making: That personal information security questions should be treated as additional passwords, rather than answered with the actual information the question asks for.
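An added example (mine, not el_oscuro's script, not any password manager's code and not any site's) of the practice described in el_oscuro's post above and in this one: treating a security question as just another password. The customer side draws the answer from the OS random source and keeps the question and answer together in a vault-style record, so nothing has to be remembered; the service side stores only a salted, slow hash of whatever was entered, so a dumped database does not hand out the answers. The site name and questions are constructed sample values.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Letters and digits only, so the answer survives sites that reject
# punctuation in "security" fields (cf. the O' and ! complaints above).
ALPHABET = string.ascii_letters + string.digits


def generate_answer(length: int = 20) -> str:
    """Customer side: a random answer carrying no personal information.
    secrets draws from the OS CSPRNG (the /dev/urandom equivalent on Linux)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def answer_entropy_bits(length: int = 20) -> float:
    """Guessing resistance of a generated answer, in bits."""
    return length * math.log2(len(ALPHABET))


def make_vault_entry(site: str, questions: list) -> dict:
    """Password-manager style record: each question text beside its generated answer."""
    return {"site": site, "answers": {q: generate_answer() for q in questions}}


def store_answer(answer: str, iterations: int = 200_000) -> dict:
    """Service side: keep the answer exactly as a password should be kept,
    salted and slow-hashed, never in clear text."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", answer.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def check_answer(stored: dict, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(stored["salt"]), stored["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(stored["hash"]))


if __name__ == "__main__":
    # Constructed sample site and questions.
    entry = make_vault_entry("bank.example", ["Mother's maiden name", "First pet's name"])
    print(entry)
    print(f"{answer_entropy_bits():.0f} bits of guessing resistance per answer")
    stored = store_answer(entry["answers"]["First pet's name"], iterations=50_000)
    print("right answer accepted:", check_answer(stored, entry["answers"]["First pet's name"]))
    print("'Fluffy' accepted:", check_answer(stored, "Fluffy"))
```

A 20-character answer from this alphabet carries about 119 bits, far beyond anything an online lockout or an offline guess against a slow hash will reach, and because it is random it tells a thief nothing reusable on another site.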

      1. Anonymous Coward

        Re: challenge / response

That has come as a great relief, due to a poor upbringing (the butler was an ex-con) we didn't have any pets, well none that we could name. The exceptionally large Wolfhound/Alsatian cross was "come here you great tosser". We didn't get much mail either as Tosser (I used this name in secret when calling through the razor wire) had a tendency to deter the postmen by howling at the sight of a red van. Anyhow I now feel free to use an imaginary pet name, Fluffy sounds nice....

  12. LDS Silver badge

    FBI update

    Are those the kg lost in a federal prison after Dabbs has been hacked and then impersonated to commit a crime?

  13. Dr_N Silver badge

    As with car "vanity" plates...

    Maybe it'd be easier to keep changing your name by deed poll to your password?

    All the best,

    aGRHxs$89!

  14. Tom Paine Silver badge
    Pint

    There's a significant difference between telling friends and family that it's your birthday on Saturday and they're all invited down for a slap-up meal with all the trimmings, followed by an epic piss-up, and telling Facebook -- especially if you don't have sane privacy settings on your account and allow anyone in the world to view the data. You know F&F in an, ahem, F2F context. Sure, it's possible one of them might turn out to dabble in financial fraud via ID theft on the weekend, but if they do, they're very much more likely to pick on complete strangers. (Well, unless they're advanced sociopaths, granted.)

    That said I do find it rather amusing to see people with fully open Fb profiles getting dozens of birthday greetings from people they only know online...

    Just sayin'.

    #beer because it's Friday \o/

    1. harmjschoonhoven

      @ Tom Paine

      I do find it rather amusing to see people with fully open Fb profiles getting dozens of birthday greetings from people they only know online...

Worse has happened. On 21 September 2012 a birthday party in Haren published on FB got out of hand. The police made 108 arrests. The damage was 843,000 Euros. The mayor of Haren resigned on March 12 2013 after publication of the official report on the riots.

  15. mourner

    The few times I've come across it, I've rather liked the set up whereby you as the user specify both the 'security' question and the answer as opposed to being forced to choose from the exact same list of questions you see on every website.

    Seems far more sensible to me.

    1. 's water music Silver badge

      choosing security questions

      This

      I don't have a favourite sports team or colour, and worst of all, naming no names (to spare the blushes of First Direct), it doesn't make sense to disallow previously given answers to non-variable factual questions when setting up security again (notwithstanding using junk data for these, of course).

  16. peasant

    congratulations mr dabbs

    http://www.horsetalk.co.nz/2014/07/19/super-cute-donkey-foal-weighs-14kg/

  17. Ben Boyle

    Puts the finger

    IN the problem... FTFY

  18. TomPhan

    Arseword?

    Shirley it's Assword.

  19. Nattrash
    Childcatcher

    So am I now an old fart officially when I see the benefits (and charm) of:

    ... The sun was shining happily on this nippy day. I strolled into the lobby of the bank, and was greeted by Mr. Johnson, who smiled at me from behind his counter. "Good morning Ms. Page", he said, adjusting his specs, "And what can we do for you today?"

    ...

  20. Chris Evans
    FAIL

    Battery Stapler Horse Fail

    Some people seem to think that the multiple words option, e.g. "Battery stapler horse", is the way to go. But I saw the XKCD cartoon about this some years ago and tried to memorise it. I've probably seen it two or three times a year since (more often than I visit some websites I have to log into) and I've never remembered it yet! If on all the websites I used I had a different three or four word password, only a memory champion would be able to remember them. N.B. I note both Alistair and I got it wrong anyway! It's correctbatteryhorsestaple.

    Now did I capitalise any letters... what about websites that insist on: numbers, varied case, a low maximum length....

    Part of the answer is for websites to not insist on complex passwords unless it is appropriate. I recommend people to use as complicated a system as they can do reliably. I wish I knew the full answer.

    1. Doctor Syntax Silver badge

      Re: Battery Stapler Horse Fail

      "Part of the answer is for websites to not insist on complex passwords unless it is appropriate."

      The website insists on complex passwords to show that it was taking things seriously if challenged. The fact that everyone has to write down their passwords is Someone Else's Problem. Not theirs.

    2. Squander Two

      Re: Battery Stapler Horse Fail

      The point of the xkcd cartoon isn't so much that those four words are easily remembered as that any four random words are far easier to remember than the crap we're told to use for security reasons, yet also more difficult to crack -- because adding extra length to your password (generally) adds way more security than increasing the range of possible characters. You can add much more security by doing things like skipping or repeating the Nth letter of each word, or using joke spellings, so that none of them are in a dictionary. The initial letters of a memorable sentence make for an excellent password too: dead easy to remember but looks like a genuinely random string. The main problem with either of those systems is that most sysadmins refuse to give up on the whole "number, capital letters, punctuation mark" thing, so you have to use them regardless of how useful they are.

      Instead of a password, I use a simple password-generation rule. Something along the lines of

      [last three letters of company name] & [initials of memorable sentence] & [number of letters in URL minus 4] & [misspelt dictionary word]

      gives excellent results: piece of piss to remember, the same rule for every site you use, yet a different actual password for every site.
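The length-versus-alphabet argument from xkcd 936 that the thread keeps returning to is plain arithmetic, so here it is worked through. This is an added example, not code from The Register or from any commenter; the 2048-entry word list, the tiny constructed `SAMPLE_WORDS` list and the three guess rates are assumptions for illustration. It does not implement the per-site recipe described above, only the entropy figures behind the debate, plus a word picker that uses a CSPRNG, which is the condition under which those figures actually hold.

```python
"""Password entropy arithmetic for the xkcd 936 discussion (added example).

entropy_bits = length * log2(alphabet_size), valid only when every symbol
(character or word) is chosen uniformly and independently at random.
"""
import math
import secrets

# Constructed, deliberately tiny list so the example runs offline.
# A real passphrase list (Diceware-style) has thousands of entries.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "donkey", "lobby",
                "specs", "rabbit", "pizza", "walk", "foal", "pint"]

# Assumed guessing rates, in guesses per second, for three defender scenarios.
GUESSES_PER_SECOND = {
    "online, rate-limited login": 1e2,
    "offline, fast unsalted hash": 1e10,
    "offline, slow memory-hard hash": 1e4,
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def marginal_bits(alphabet_size: int) -> float:
    """Bits gained by appending one more uniformly random symbol."""
    return math.log2(alphabet_size)


def alphabet_gain_bits(old_size: int, new_size: int, length: int) -> float:
    """Bits gained by widening the alphabet while keeping the length fixed."""
    return entropy_bits(new_size, length) - entropy_bits(old_size, length)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to hit the secret by exhaustive guessing: half the keyspace."""
    return (2 ** bits / 2) / guesses_per_second


def compare_schemes() -> dict:
    """Entropy in bits of the schemes argued over in the thread."""
    return {
        "8 chars, lowercase only (26)": entropy_bits(26, 8),
        "8 chars, full printable ASCII (95)": entropy_bits(95, 8),
        "11 chars, lowercase only (26)": entropy_bits(26, 11),
        "4 random words, 2048-word list": entropy_bits(2048, 4),
        "5 random words, 2048-word list": entropy_bits(2048, 5),
    }


def generate_passphrase(words, count: int = 4) -> str:
    """Pick `count` words with a CSPRNG. Uniform, independent choice is what
    makes the arithmetic above apply; words a person picks by feel are not."""
    if len(words) < 2 or count < 1:
        raise ValueError("need at least 2 words and count >= 1")
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:36s} {bits:5.1f} bits")
    print()
    print(f"one extra word from 2048 adds        {marginal_bits(2048):.2f} bits")
    print(f"one extra printable ASCII char adds  {marginal_bits(95):.2f} bits")
    print(f"8 chars, lowercase -> printable adds {alphabet_gain_bits(26, 95, 8):.2f} bits")
    print()
    for scenario, rate in GUESSES_PER_SECOND.items():
        years = expected_crack_seconds(44, rate) / (86400 * 365)
        print(f"44-bit passphrase, {scenario:30s}: {years:.2e} years")
    print()
    print("sample passphrase (tiny list, demo only):", generate_passphrase(SAMPLE_WORDS))
```

The crack-time figures are only meaningful for the offline cases if the site stores a proper slow hash; with a fast unsalted hash a 44-bit passphrase falls in minutes at the assumed rate, which is the defender-side reason the hashing choice matters as much as the password policy.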

  21. DaddyHoggy

    Several sites I've used have allowed me to create my own security questions and my own answers - although on two occasions I've had to make use of these (password reset on both occasions) the systems then told me my answer was wrong - so I had to wait until I could ring a real human the next day and go through the system verbally - and it then worked...

  22. Anonymous Coward
    Anonymous Coward

    Security

    I purchased something online and arranged for it to be delivered to an address I was going to be visiting. The company refused to process my order unless I emailed them a copy of my passport and a bill showing I lived at the delivery address; apparently the fact my IP address was in a different country from the country I wanted the delivery to go to was the trigger. I pointed out that email wasn't a secure method for sending a copy of my passport and I didn't have a bill for the address as I was just visiting it. I ended up just cancelling the order.

  23. Jonathan Richards 1
    Facepalm

    Oh, the irony

    The point of the famous xkcd cartoon 936 was that the four words "Correct horse battery staple" would be easily remembered as a password.

    Alistair wrote:

    > correct battery horse staple

    PASSWORD INCORRECT REDO FROM START

  24. Steve D
    Joke

    Lucy Porter's approach

    Lucy Porter had this in her set about 9 years ago:

    "I went to the bank and they told me I needed a security question for telephone banking. I asked if there was a list to choose from and they said no, I could pick any question. So now it's great, whenever I call the bank the person on the other end has to ask me "You're not going out dressed like that are you?" and I reply "You can't tell me what to do, you're not my real dad!""

    More security Q & A fun suggestions can be found here: https://www.schneier.com/blog/archives/2010/04/fun_with_secret.html

  25. Mike 137 Bronze badge

    "While biometrics are just another kind of shared secret,..."

    "While biometrics are just another kind of shared secret,..."

    Oh no they're not. Any biometric can only serve as an identifier, not an authenticator. An identifier is permitted to be public (e.g. your name); an authenticator must be private to the legitimate parties (a shared secret).

    Two fundamental and essential characteristics of an authenticator are that it can be changed and revoked. As a biometric cannot be changed or revoked, and can in many cases not be private (e.g. fingerprints and DNA are left behind everywhere you go), it cannot legitimately be used as an authenticator.

    It would be so nice if this basic principle would finally sink in...

  26. tr1ck5t3r
    Trollface

    Social media and contracting for foreign Govt services has its uses after all, doesn't it NSA?

  27. Grunchy

    My dog's name is Rascal^burGER491

  28. 404 Silver badge
    Stop

    That picture is creeping me out...

    ... and it keeps showing up in the sidebar...

    Please make it stop.

    ;)

Biting the hand that feeds IT © 1998–2019