A couple of months ago, I was unable to log in to one of my online bank accounts because I could not remember the password. They had a password recovery page, but it asked me a series of questions that I could not answer. I tried guessing at some of the answers, and eventually the system locked my account and required me to call a 1-800 number to explain myself.
I was told that I had, in fact, chosen the 5 questions and provided answers at some point in the dim past. You cannot compose your own questions; you have to choose 5 from a set of 25 or so. Here are the standard 5 questions that you get by default from TD Canada Trust:
- What is the first name of the best man at your wedding?
- Which sports team did you like most as a child?
- What is the first name of your oldest niece?
- What was your wedding colour?
- What is your oldest sibling’s nickname?
Note that if, like me, you have not had a wedding and are an only child, you cannot answer 1, 3, 4, or 5! And being a geeky child, I had no interest in any sports team. So, I asked the nice lady, how am I supposed to answer these questions? She gave me 2 solutions:
- Choose 5 of the 25 questions that you can answer.
- Make up “fake” answers – the system does not validate them in any way, nor does it prevent you from giving the same answer to each question.
I chose door number 2 and answered all 5 of the default questions with exactly the same words: “resistance is useless!” (with apologies to Douglas Adams). Now I don’t even have to worry about what the question is, I just give my Vogon answer. This means that the rotating question screening is really only 1/5 as effective as it initially appears: anyone who learns one answer has learned all five.
I started wondering about how to create a banking password that is reasonably secure, but possible for me to remember. And what about all the other passwords I have – how long will it be before I forget one of them? When I did a quick inventory, I found that I had over 75 username/password (un/pw) combinations for things like webmail, banking, online subscriptions, message boards, and so on. The initial temptation is to always use the same un/pw combination for all sites, but if your single un/pw is ever compromised, you are in for potentially big trouble.
I used to rely on my browser keeping the un/pws, but that doesn’t help me when I am travelling, and I have to keep syncing my laptop and desktop browsers. I tried creating a giant spreadsheet with everything listed on it – but it became a nightmare to maintain, and how do I keep prying eyes away from the spreadsheet? I finally settled on using a password manager, RoboForm. It is not free and it is Windows only, but it filled the bill for me in part because it can run from a USB key that I can carry with me to any machine. There are good freebies you may want to look at such as LastPass and KeePass. Mac-only folk should have a look at http://lifehacker.com/5042616/five-best-password-managers.
With a password manager, you only need to remember one password – it unlocks the rest which are otherwise encrypted. But if anyone finds out your master password, all of your passwords may be compromised – so make it strong.
What does “strong” mean?
Depending on which of the hundreds of conflicting articles you find online, passwords should be “long”, they should be at least 8 characters long, they should be more than 14 characters long, they should not contain dictionary words, they should be easy to remember, they should be hard to guess, they should not contain any personal info (your mobile phone number, for example), they should mix upper and lower case with numbers and punctuation, and you should change them every 30 days.
The more-than-14-character rule comes from Windows. Older Windows systems (and newer ones with backward compatibility left switched on) store an “LM hash” of any password that is 14 characters or shorter. The LM hash upper-cases the password, pads it to 14 characters and splits it into two 7-character halves that are hashed independently, so each half can be cracked on its own and a 14-character password costs an attacker little more than a 7-character one. A password of 15 or more characters cannot be stored as an LM hash at all. Many businesses now require users to use 15 or more characters for passwords.
How to make a good password pass phrase
To make long “passwords” easier (possible???) to remember, you can use a “pass phrase”. For example, let’s say you choose the phrase “we drink brandy”. It is 15 characters long (including the spaces), but it doesn’t have any of the case changes, numbers, and punctuation that all the articles recommend. It also uses a bunch of dictionary words.
You could make this much harder to guess. Let’s say you can speak another language, such as French. Then the pass phrase could be “we buvons brandy”. That makes it 16 characters, and less susceptible to a “dictionary attack”. Now add some capital letters, say only to the English, and change all of the spaces to asterisks to get “We*buvons*Brandy”. Having a lot of pass phrases like this would be a pain to type every time you wanted to go to a website, but if this is the pass phrase that opens your password manager, you only need to type it once per session. The password manager does the hard work after that.
How strong is your password?
Any bank or website expecting to receive your password needs to store a hashed (one-way transformed) version of it rather than the password itself. When you submit your password, the site hashes what you typed and compares the result with the stored version. If it matches, you are in. If a bad guy gets a copy of the website’s stored hashes, they can attack them offline, at their leisure, with various tools. For this example, let’s say your password was MD5 hashed without a salt (fairly common for low security sites). On my modestly powered (Intel Core 2 Quad Q9400) desktop PC, Cain & Abel running a brute force attack can crack a 6-character password that uses only lower-case letters and numbers in 5 minutes or less. To crack the 16 character pass phrase we created above with upper- and lower-case letters, numbers, and punctuation on the same machine would take 5 quadrillion years (or about 300,000 times longer than the universe has existed). Two caveats: that figure assumes the attacker grinds through the whole character space, whereas real attackers try dictionary words and combinations of words first, so a phrase built from common words is weaker than the raw count suggests; and MD5 on a graphics card runs orders of magnitude faster than on a desktop CPU, which is why a site should store passwords with a salted, deliberately slow hash rather than plain MD5.
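The store-and-verify flow described above, as an added example that is not code from the article or from Cain & Abel: the unsalted-MD5 scheme a low security site uses, the offline brute-force loop an attacker runs against a leaked digest, and the salted, iterated PBKDF2 scheme a site should use instead. The 3-character demo password, the 200,000 iteration count and the record format are assumptions chosen for this example; the search space is kept tiny so the attack finishes instantly, but the loop is the same one that needs 36**6 guesses for the article’s 6-character case.

```python
import hashlib
import hmac
import itertools
import os
import string
from typing import Optional

# Search alphabet for the offline attack: lower-case letters and digits, the
# character set of the article's 6-character "5 minutes or less" example.
ALPHABET = string.ascii_lowercase + string.digits


# --- What a "low security site" does: store an unsalted MD5 of the password ---

def md5_store(password: str) -> str:
    """Store MD5(password) only. Every user with the same password gets the
    same digest, and nothing slows down an attacker who obtains the digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_verify(password: str, stored: str) -> bool:
    """The site re-hashes what you typed and compares it with the stored digest."""
    return hmac.compare_digest(md5_store(password), stored)


def brute_force_md5(stored: str, alphabet: str = ALPHABET, max_len: int = 3) -> Optional[str]:
    """Offline attack on a leaked unsalted MD5 digest: enumerate every string over
    `alphabet` up to `max_len` characters and compare digests. Returns the
    recovered password, or None if it lies outside the search space."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if hashlib.md5(guess.encode("utf-8")).hexdigest() == stored:
                return guess
    return None


# --- What a site should do: per-user random salt and a deliberately slow KDF ---

ITERATIONS = 200_000  # assumption for this example; use the largest count your servers can afford


def pbkdf2_store(password: str, iterations: int = ITERATIONS) -> str:
    """Record algorithm, iteration count, salt and derived key together.
    The random salt defeats precomputed tables and makes equal passwords look
    different; the iterations make every guess cost `iterations` HMAC-SHA256 calls."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown password record format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo(password: str = "zq3") -> dict:
    """Constructed walk-through with a 3-character password so the attack is fast."""
    leaked_md5 = md5_store(password)
    record_a = pbkdf2_store(password)
    record_b = pbkdf2_store(password)
    return {
        "md5_verifies": md5_verify(password, leaked_md5),
        "md5_recovered": brute_force_md5(leaked_md5),          # attacker gets the password back
        "pbkdf2_verifies": pbkdf2_verify(password, record_a),
        "pbkdf2_rejects_wrong": pbkdf2_verify(password + "x", record_a),
        "same_password_different_records": record_a != record_b,  # the salt makes them differ
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salted record does not stop an attacker from guessing a password like “abcdefgh”; it only makes each guess cost two hundred thousand hash computations instead of one, and forces the work to be redone for every user. Length and unpredictability on your side are still what makes the guessing fail.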
Juan Bocanegra argues quite convincingly that length beats complexity in his article
Most banks won’t let you use good passwords
As strange as that may sound, it does appear to be true. On March 28, 2010, I checked the password policies of several banks. Ideally, they should require a password (or pass phrase) that is more than 14 characters long, prohibit obvious runs (12345678 …, qwertyui … etc.), keep you from using single dictionary words, and (not essential, but helpful) allow a mixture of letter cases with numbers and punctuation (or special characters such as asterisks). What I found:
- case-sensitive (good)
- minimum of 6 characters (too short)
- maximum of 12 characters (not quite 14)
- no special characters (why not?)
- 6-8 characters long (too short)
- use both letters and numbers (halfway there …)
- case insensitive (bad, reduces possible passwords by a huge degree)
- no special characters (why not?)
- must be exactly 6 characters in length (way too short)
- only letters and numbers, no special characters (bad)
- letters get collapsed to numbers on the phone dial for telebanking (this essentially reduces the password to a 6 digit number on the phone)
In their defense, BMO does use a 2 stage login, which very few others do. You enter your card number first and click GO and you are taken to a screen that shows you a picture and a phrase that you chose when you signed up. If the picture and phrase are correct you enter your password and click GO. This defeats a static fake login page, since the bad guys won’t know your picture and phrase. The caveat is that a phishing site which relays your card number to the real bank in real time can fetch your picture and phrase and show them back to you, so it is no substitute for checking the address bar and certificate before typing the password.
- 8 or more characters (too short)
PayPal has an excellent set of recommendations when you choose or change a password:
We recommend that your password is not a word you can find in the dictionary, includes both capital and lower case letters, and contains at least one special character (1-9, !, *, _, etc.).
But then they completely fail to enforce any of the suggestions other than length. They let me change my password to “abcdefgh”.
- 6 to 12 characters (too short)
- allowed “123456” as an acceptable password (puhleeze!)
I was unable to safely conduct many tests because their security certificate expired while I was doing them:
www.txn.banking.pcfinancial.ca uses an invalid security certificate.
The certificate expired on 2010-03-28 7:59 PM.
TD Canada Trust
- 5 to 8 characters (too short)
- no special characters (I see a pattern in the bank rules!)
They do not recommend all letter or all number passwords, but I don’t know if they will refuse them.
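To put numbers on the policies surveyed above, and on the LM hash and brute force points from earlier in the article, here is an added example (my own code, not the article’s and not Cain & Abel’s) that computes the size of the password space each policy allows, its equivalent length in bits, and the worst-case time to exhaust it. The guess rate is derived from the article’s own measurement (36**6 guesses in 300 seconds); the alphabet sizes are assumptions based on printable ASCII, so the years will not match the article’s Cain figures exactly, and a modern graphics card would be much faster than this rate.

```python
import math

# Alphabet sizes (assumptions for this example, based on the 95 printable ASCII characters).
LOWER = 26
DIGITS = 10
LETTERS_DIGITS_CI = LOWER + DIGITS        # 36: case-insensitive letters + digits
LETTERS_DIGITS = 2 * LOWER + DIGITS       # 62: case-sensitive letters + digits
PRINTABLE = 95                            # letters, digits, punctuation and space
PRINTABLE_NO_LOWER = PRINTABLE - LOWER    # 69: what survives LM's upper-casing

# The article's measured rate: a 6-character lower-case+digit MD5 password in at most
# 5 minutes on a Core 2 Quad, i.e. 36**6 guesses in 300 s (about 7.3 million per second).
RATE_FROM_ARTICLE = 36 ** 6 / 300

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(min_len, max_len, alphabet_size):
    """Number of distinct passwords a policy allows, summed over every permitted length."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def bits(space):
    """Equivalent key length in bits; each extra bit doubles the attacker's work."""
    return math.log2(space)


def years_to_exhaust(space, guesses_per_second=RATE_FROM_ARTICLE):
    """Worst-case years to try every password in the space at the given rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def lm_hash_effort(alphabet_size=PRINTABLE_NO_LOWER):
    """LM hash: the password is upper-cased, padded to 14 bytes and split into two
    7-byte halves that are hashed independently. An attacker exhausts each half on
    its own, so the worst case is 2 * (all strings of length 0..7), not length 14."""
    return 2 * keyspace(0, 7, alphabet_size)


def phone_keypad_space(length):
    """Telebanking that maps letters onto the dial collapses any password to a
    digit string of the same length, whatever characters were typed."""
    return keyspace(length, length, DIGITS)


# Policies from the survey above, as (description, keyspace). Case-sensitivity is
# assumed where the bank did not state it.
POLICIES = [
    ("article's 5-minute case: 6 chars, lower-case + digits", keyspace(6, 6, LETTERS_DIGITS_CI)),
    ("6-12 chars, letters + digits, case-sensitive", keyspace(6, 12, LETTERS_DIGITS)),
    ("6-8 chars, letters + digits, case-insensitive", keyspace(6, 8, LETTERS_DIGITS_CI)),
    ("exactly 6 chars, letters + digits, case-insensitive", keyspace(6, 6, LETTERS_DIGITS_CI)),
    ("the same 6 chars collapsed onto the phone keypad", phone_keypad_space(6)),
    ("5-8 chars, letters + digits, no specials (assumed case-sensitive)", keyspace(5, 8, LETTERS_DIGITS)),
    ("14 chars stored as an LM hash (two 7-char halves)", lm_hash_effort()),
    ("14 chars, same alphabet, hashed whole", keyspace(14, 14, PRINTABLE_NO_LOWER)),
    ("16-char pass phrase, all 95 printable characters", keyspace(16, 16, PRINTABLE)),
]


def report(policies=POLICIES, rate=RATE_FROM_ARTICLE):
    """Return (description, keyspace, bits, worst-case years) for each policy."""
    return [(name, space, bits(space), years_to_exhaust(space, rate)) for name, space in policies]


if __name__ == "__main__":
    for name, space, b, years in report():
        print(f"{name:68s} {b:6.1f} bits {years:12.3g} years")
```

Run it and the pattern behind the survey is plain: the case-insensitive 6-character policies sit at about 31 bits (minutes of work at the article’s rate, and even a collapsed 6-digit phone password is gone in well under a second), the LM split drags a 14-character password from over 85 bits down to under 44, and the 16-character pass phrase at over 105 bits is the only entry that is out of reach of raw brute force.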
So what should you do?
Here are my suggestions:
- Check the password policies at your bank and (if my experience is any guide) ask them why they allow such weak password practices or, in some cases, force you to use weak passwords.
- Get a password manager and get it to generate random passwords to use with the banks. Even if it is just a random mix of letters and numbers, it has to be better than “abcdefgh”.
- Create a strong master password for your password manager like the “We*buvons*Brandy” example above.
- Where you can, use long pass phrases (length beats complexity!)
- Print a list of your accounts and passwords (password management software can do this for you) and stick it in your safety deposit box. Your heirs and executor will be grateful!
- If you think your favourite password is a good one, put it in a Google search and see how many hits you get! Do this for a candidate you are considering, not for one you already use, since the search sends it to a third party.
Further reading and other resources
- https://www.microsoft.com/protect/fraud/passwords/checker.aspx (an excellent and safe way to check your passwords for relative strength)