passwords

I went to log on to my Group RRSP provider’s website today Thanks to a misguided policy that HR introduced this year, my January RRSP contributions ended up in a non-registered plan, and I wanted to fix it. It turned out that I can fix this particular problem on the web, but that’s beside the point.

When I logged in, I was informed that my password had expired, and must be changed. It’s been 18 months since I logged in (yes, I check my quarterly statements, but I’m happy with the results; no changes required). I dutifully filled in the boxes, only to be faced with password strength requirements. Now, the whole point of these things is to prevent high-speed, dictionary-based password guessing attacks. You can’t launch a high-speed guessing attack against this website because it’s really slow, and after a certain number of failures, your account is locked out. And we have the research to prove that these kinds of passwords are less secure, because people cannot remember them and are forced to write them down. But a bunch of security consultants are getting paid to write password policies, and they’re an insurance company so care greatly about liability, so there you go.

Anyway, for as yet unknown reasons, I managed to fumble the password change, so I couldn’t get back into my account. So then I trundled off to the password reset page. And it occured to me:

* My password expires regularly. The problem is, I don’t login regularly (who moves RRSP funds around that often, anyway?).
* Password strength rules are enforced (mixed-case, numbers or symbols, minimum length, etc.)

And yet, the password reset page does none of this, and doesn’t have any other security checks! At least they used to make me phone Ireland to change my password. Now, I type in the answer to my challenge question, my date of birth, and instantly a new password is printed on the screen. The answer to my challenge question doesn’t have to be mixed case or have numbers, and never changes! They don’t even take the minor step of using e-mail to send my either my new password or a temporary, expires soon password reset URL. Granted, this is a minor security enhancement, but it does keep the amateurs out.

Does anyone else see a false sense of security here?

The irony is that I spent the rest of today fighting with our own password reset implementation :-).

Bill Gates has promised that the password will be obsolete in 2007; I’m beginning to hope he’s right…

posted at 9:20 pm on Thursday, February 16, 2006 in Personal, Security | Comments (3)

3 Comments

  1. Jeff K says:

    Yeah, the false sense of security is that you don’t need to watch your RRSP. I trade in it almost every day. I locked in $10k of gains on Valentines in fact. I also unloaded Petro Canada for a 2x gain. I think I’ll be busy for at least 2 weeks moving stuff around for this year’s contributions.

    Most Canadians don’t realize the foreign contribution limit is gone and even more don’t care, even though their resource mutuals / stocks are sky-high and the dollar is sky high and it’s time to get out there and pillage the foreign markets. Aye matey! I made a few hundred in just a couple of a days on a couple of Taiwanese ADRs this week (still holding), and I’m getting excited about raping the Japanese market in a little while, down 6% or so after a rapid rise from the depths in the last 2 months. The Japanese finiancial sector is not good, and for example, Toyota is already sky high, but there’s got to be some curvascious stock just waiting for me.

    Disclaimers: It’s probably better to earn capital gains outside an RRSP, I’m no adviser, I just think trading is better than sex, and since its all in an RRSP, I can’t even pay for, um… things I might want, with the money.

  2. Jeff K says:

    Er, that was “curvaceous”.

  3. Jeff K says:

    If you do trade foreign ADRs or stocks on the NYSE inside an RRSP, since the rules don’t allow you to have a US$ SDRRSP, you can direct the proceeds of a sale straight into a US$ money market fund and bypass the forex spread.

    The best is to trade in-trust-for a child in a US-denominated account, then the tax is lower, but I imagine most folks’ liquid capital is in RRSPs. RESP rules are even worse — I hate ’em.

    I laugh everytime I see that Scotia Bank ad during the Olympics where some dumbass can’t figure out more than one mutual fund. ..then I cry when I hear how many people lost money 2001->2003 in mutual funds, bailed, and lost out on the 2003->2006 escalator-ride when they went back up. Scary stuff.

    Disclaimer: I know nothing and give no advice. What was one Toronto paper’s marketing slogan… hm, “They don’t read us for the financial pages.”

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.