I went to log on to my Group RRSP provider’s website today. Thanks to a misguided policy that HR introduced this year, my January RRSP contributions ended up in a non-registered plan, and I wanted to fix it. It turned out that I can fix this particular problem on the web, but that’s beside the point.
When I logged in, I was informed that my password had expired, and must be changed. It’s been 18 months since I logged in (yes, I check my quarterly statements, but I’m happy with the results; no changes required). I dutifully filled in the boxes, only to be faced with password strength requirements. Now, the whole point of these things is to prevent high-speed, dictionary-based password guessing attacks. You can’t launch a high-speed guessing attack against this website because it’s really slow, and after a certain number of failures, your account is locked out. And we have the research to prove that these kinds of passwords are less secure, because people cannot remember them and are forced to write them down. But a bunch of security consultants are getting paid to write password policies, and they’re an insurance company so care greatly about liability, so there you go.
Anyway, for as yet unknown reasons, I managed to fumble the password change, so I couldn’t get back into my account. So then I trundled off to the password reset page. And it occurred to me:
- My password expires regularly. The problem is, I don’t login regularly (who moves RRSP funds around that often, anyway?).
- Password strength rules are enforced (mixed-case, numbers or symbols, minimum length, etc.).
And yet, the password reset page does none of this, and doesn’t have any other security checks! At least they used to make me phone Ireland to change my password. Now, I type in the answer to my challenge question and my date of birth, and instantly a new password is printed on the screen. The answer to my challenge question doesn’t have to be mixed case or have numbers, and never changes! They don’t even take the minor step of using e-mail to send me either my new password or a temporary, soon-to-expire password reset URL. Granted, this is a minor security enhancement, but it does keep the amateurs out.
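The e-mailed, expiring reset link mentioned above, as an added Python example (not code from this post or from the provider): the token is random, stored server-side only as a hash, rejected after a fixed window, and consumed on first use so the link cannot be replayed. The fifteen-minute lifetime and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Lifetime of a reset link in seconds (assumed value; the post only says "expires soon").
RESET_TTL_SECONDS = 15 * 60

# Issued tokens keyed by the SHA-256 of the raw token, so a copy of this store
# does not hand out usable reset links. Stand-in for a database table.
# Structure: token_hash -> {"user": str, "expires": float, "used": bool}
_issued: Dict[str, dict] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user: str, now: Optional[float] = None) -> str:
    """Create a single-use, time-limited reset token for `user`.

    The raw token is what would go into the e-mailed URL; only its hash is kept.
    `now` is injectable for testing; it defaults to the current time.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    _issued[_digest(token)] = {
        "user": user,
        "expires": now + RESET_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the token is known, unexpired and unused; else None.

    A successful redemption marks the token used, so the same link cannot be
    presented a second time even inside its lifetime.
    """
    now = time.time() if now is None else now
    record = _issued.get(_digest(token))
    if record is None or record["used"] or now > record["expires"]:
        return None
    record["used"] = True
    return record["user"]
```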
Does anyone else see a false sense of security here?
The irony is that I spent the rest of today fighting with our own password reset implementation :-).
Bill Gates has promised that the password will be obsolete in 2007; I’m beginning to hope he’s right…