passwords

I went to log on to my Group RRSP provider’s website today. Thanks to a misguided policy that HR introduced this year, my January RRSP contributions ended up in a non-registered plan, and I wanted to fix it. It turned out that I can fix this particular problem on the web, but that’s beside the point.

When I logged in, I was informed that my password had expired and must be changed. It’s been 18 months since I logged in (yes, I check my quarterly statements, but I’m happy with the results; no changes required). I dutifully filled in the boxes, only to be faced with password strength requirements. Now, the whole point of these things is to prevent high-speed, dictionary-based password guessing attacks. You can’t launch a high-speed guessing attack against this website because it’s really slow, and after a certain number of failures your account is locked out. And we have the research to prove that these kinds of passwords are less secure, because people cannot remember them and are forced to write them down. But a bunch of security consultants are getting paid to write password policies, and they’re an insurance company, so they care greatly about liability, so there you go.

Anyway, for as yet unknown reasons, I managed to fumble the password change, so I couldn’t get back into my account. So then I trundled off to the password reset page. And it occurred to me:

* My password expires regularly. The problem is, I don’t log in regularly (who moves RRSP funds around that often, anyway?).
* Password strength rules are enforced (mixed-case, numbers or symbols, minimum length, etc.)

And yet, the password reset page does none of this, and doesn’t have any other security checks! At least they used to make me phone Ireland to change my password. Now, I type in the answer to my challenge question and my date of birth, and instantly a new password is printed on the screen. The answer to my challenge question doesn’t have to be mixed case or have numbers, and never changes! They don’t even take the minor step of using e-mail to send me either my new password or a temporary, short-lived password reset URL. Granted, this is a minor security enhancement, but it does keep the amateurs out.

Does anyone else see a false sense of security here?
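To make the contrast concrete, here is an added illustration (not code from the RRSP provider or from this blog) that models the two ways into the account as the post describes them: a login path with the strength policy and a lockout, and a reset path that takes a static challenge answer plus a date of birth and hands back a new password with no failure counter. The thresholds, the function names, and the token-based reset at the end (the short-lived, single-use link sent out of band that the post asks for) are assumptions, not anything the provider is known to run.

```python
# Added illustration for this post, not code from the RRSP provider or the blog.
# It models the two ways into the account the post describes: a login path with a
# strength policy and a lockout, and a reset path that takes a challenge answer
# plus date of birth. The thresholds, function names and the token-based reset
# at the end are assumptions, not anything the provider is known to run.
import hashlib
import hmac
import re
import secrets
import time

MIN_LENGTH = 8             # assumed; the post only says "minimum length"
LOCKOUT_THRESHOLD = 5      # assumed; the post only says "a certain number of failures"
RESET_TOKEN_TTL = 15 * 60  # assumed lifetime of a reset link, in seconds


def meets_policy(password: str) -> bool:
    """The strength rules the post lists: mixed case, a digit or symbol, minimum length."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[0-9]|[^A-Za-z0-9]", password) is not None)


def _digest(secret: str) -> bytes:
    # Illustrative only; a real deployment stores a salted, deliberately slow hash.
    return hashlib.sha256(secret.encode()).digest()


class Account:
    def __init__(self, password: str, challenge_answer: str, dob: str):
        if not meets_policy(password):
            raise ValueError("initial password must meet the policy")
        self._pw = _digest(password)
        self._answer = _digest(challenge_answer.strip().lower())
        self._dob = dob
        self.failed_logins = 0
        self._reset = None  # (token digest, expiry) while a reset link is outstanding

    # Login path: the policy and the lockout both apply here.
    def login(self, password: str) -> bool:
        if self.failed_logins >= LOCKOUT_THRESHOLD:
            return False  # locked out until an operator clears it
        if hmac.compare_digest(self._pw, _digest(password)):
            self.failed_logins = 0
            return True
        self.failed_logins += 1
        return False

    def change_password(self, new_password: str) -> bool:
        if not meets_policy(new_password):
            return False
        self._pw = _digest(new_password)
        return True

    # Reset path as the post describes it: a static answer and a birth date,
    # no failure counter, and the new password shown straight back on screen.
    def reset_via_challenge(self, answer: str, dob: str):
        if dob == self._dob and hmac.compare_digest(
                self._answer, _digest(answer.strip().lower())):
            new_password = secrets.token_urlsafe(12)
            self._pw = _digest(new_password)
            return new_password  # whoever answered now has the account
        return None  # nothing is counted, so wrong guesses cost the caller nothing

    # The alternative the post asks for: a short-lived, single-use token sent out of
    # band (the return value stands in for the e-mail), with the same password policy.
    def request_reset(self, now: float = None) -> str:
        token = secrets.token_urlsafe(32)
        current = time.time() if now is None else now
        self._reset = (_digest(token), current + RESET_TOKEN_TTL)
        return token  # only the digest is kept server-side

    def complete_reset(self, token: str, new_password: str, now: float = None) -> bool:
        if self._reset is None:
            return False
        digest, expiry = self._reset
        current = time.time() if now is None else now
        if current > expiry:
            self._reset = None  # expired links are discarded, not retried
            return False
        if not hmac.compare_digest(digest, _digest(token)):
            return False
        if not meets_policy(new_password):
            return False  # same rules as the login path; the link stays valid for a retry
        self._pw = _digest(new_password)
        self._reset = None  # single use
        return True
```

The point of the model is the asymmetry: `login` stops answering after `LOCKOUT_THRESHOLD` failures, while `reset_via_challenge` will happily evaluate a thousand wrong answers and then a right one, and the "secret" it checks is a birth date plus an answer that never rotates and was never subject to the policy. `request_reset` and `complete_reset` show the shape of the fix the post sketches: the token is long and random, only its digest is stored, it expires, it is consumed on success, and the replacement password has to pass the same `meets_policy` check as the login path.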

The irony is that I spent the rest of today fighting with our own password reset implementation :-).

Bill Gates has promised that the password will be obsolete in 2007; I’m beginning to hope he’s right…

posted at 9:20 pm on Thursday, February 16, 2006 in Personal, Security | Comments (3)
  1. Jeff K says:

    Yeah, the false sense of security is that you don’t need to watch your RRSP. I trade in it almost every day. I locked in $10k of gains on Valentines in fact. I also unloaded Petro Canada for a 2x gain. I think I’ll be busy for at least 2 weeks moving stuff around for this year’s contributions.

    Most Canadians don’t realize the foreign contribution limit is gone and even more don’t care, even though their resource mutuals / stocks are sky-high and the dollar is sky high and it’s time to get out there and pillage the foreign markets. Aye matey! I made a few hundred in just a couple of days on a couple of Taiwanese ADRs this week (still holding), and I’m getting excited about raping the Japanese market in a little while, down 6% or so after a rapid rise from the depths in the last 2 months. The Japanese financial sector is not good, and for example, Toyota is already sky high, but there’s got to be some curvascious stock just waiting for me.

    Disclaimers: It’s probably better to earn capital gains outside an RRSP, I’m no adviser, I just think trading is better than sex, and since it’s all in an RRSP, I can’t even pay for, um… things I might want, with the money.

  2. Jeff K says:

    Er, that was “curvaceous”.

  3. Jeff K says:

    If you do trade foreign ADRs or stocks on the NYSE inside an RRSP, since the rules don’t allow you to have a US$ SDRRSP, you can direct the proceeds of a sale straight into a US$ money market fund and bypass the forex spread.

    The best is to trade in-trust-for a child in a US-denominated account, then the tax is lower, but I imagine most folks’ liquid capital is in RRSPs. RESP rules are even worse — I hate ’em.

    I laugh every time I see that Scotia Bank ad during the Olympics where some dumbass can’t figure out more than one mutual fund… then I cry when I hear how many people lost money 2001->2003 in mutual funds, bailed, and lost out on the 2003->2006 escalator-ride when they went back up. Scary stuff.

    Disclaimer: I know nothing and give no advice. What was one Toronto paper’s marketing slogan… hm, “They don’t read us for the financial pages.”

smtp block

It figures. After doing a bunch of work to move my backup mailserver to a “virtual server”:http://blog.cfrq.net/chk/archives/2006/01/29/power-and-virtualisation/, it worked fine for about 10 days, and then suddenly I was seeing no incoming email in the logs. This is a sign of a problem; even when the primary server is working, spammers are always connecting to the backup (in the hopes of getting past filters).

Much testing has determined that rogers is now blocking inbound SMTP on my portion of the network (something they’ve apparently been rolling out for over a year now). The best laid plans of mice and men, and all that…
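The "much testing" in a case like this comes down to one question: is port 25 being silently dropped somewhere in the path, or is the server just not answering? Here is an added example (not from the post; the author does not say what tools were used) of that check in Python, written so the network call is injectable and the logic can be exercised offline. The host name, the control port and the timeout are assumptions. It has to be run from outside the ISP’s network, since the block is on inbound connections.

```python
# Added example, not from the blog post: an offline-testable version of the kind of
# check that distinguishes an ISP filter on port 25 from a server that is simply not
# listening. The control port, timeout and host name are assumptions.
import socket

PROBE_TIMEOUT = 5.0  # seconds; assumed
CONTROL_PORT = 80    # assumed: some port on the same host that is known to answer


def classify_port(host, port, connect=socket.create_connection, timeout=PROBE_TIMEOUT):
    """Classify a TCP connect to host:port.

    'refused' means the SYN reached the host and a RST came back: nothing is
    listening, but the path is clear. 'dropped' means no answer at all before
    the timeout, which is what a silent filter on port 25 looks like from outside
    the ISP's network. (A filter that sends RSTs instead would show as 'refused',
    so 'refused' on 25 is not proof that there is no filter.)
    """
    try:
        with connect((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "dropped"
    except OSError:
        return "unreachable"  # DNS failure, no route, and so on


def smtp_looks_filtered(host, connect=socket.create_connection):
    """Compare port 25 with a control port on the same host.

    Returns (verdict, per-port results). If the control port answers (open or
    refused) while 25 is dropped, something in the path is eating port 25; if
    both are dropped, the host itself is probably down and the check says
    nothing about SMTP.
    """
    results = {port: classify_port(host, port, connect) for port in (25, CONTROL_PORT)}
    verdict = results[25] == "dropped" and results[CONTROL_PORT] in ("open", "refused")
    return verdict, results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.net"  # assumed host name
    print(smtp_looks_filtered(target))
```

The control port is what makes this more than "port 25 timed out": without it, a powered-off server and a filtered port look identical. If you have a second vantage point inside the ISP’s network, running the same probe from there (where a filter on the ISP’s border would not apply) is the cleanest confirmation.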

posted at 11:32 am on Wednesday, February 15, 2006 in Personal, Security | Comments (4)
  1. Reid says:

    Is there a way to specify the port in an MX record? That would be sweet.

  2. Harald Koch says:

    Not yet, but if enough ISPs start blocking, I’m sure it’ll appear…

  3. Mark says:

    Shop around for ISPs. I left bell when they cut off inbound SMTP. Now I’m with Magma.ca. But, if you don’t want to switch ISPs then there are forwarding services like dyndns.org’s mailhop.

  4. Harald Koch says:

    My friend Reid is with igs.net; one of their selling features is “no bandwidth cap”, but I don’t usually get close to the 60Gb/month that rogers allows, so I’m not sure if that’s an actual feature for me or not. On the other hand, 3.0Mb + a static IP for $45/month isn’t too bad. dyndns.org wants $30/yr/domain for the service I want, which is almost the difference in price… hmm.

    It looks like Magma has the old istop bandwidth policy; limited during the day, unlimited between midnight and 7AM. Their prices are good, except for the static IP option. Unfortunately, the packages list doesn’t specify a monthly cap, and the FAQ only says “see the package list”. The only misread I can see is that the main packages don’t have a bandwidth cap?

wayne

What ever happened to innocent until proven guilty?

Or, as catspaw puts it, “Why do we love to hate”:http://insanecats.com/cgi-bin/single.py?month=feb06&msg=10?

posted at 7:19 pm on Friday, February 10, 2006 in Current Events, Links | Comments Off on wayne

hah!

bq. [stock options are] like my boyfriend’s idea of giving me a diamond. He puts a lump of coal in my hand, tells me to squeeze real tight and be PATIENT.

from Sand Hill Slave

posted at 9:54 am on Monday, February 06, 2006 in Humour, Links | Comments Off on hah!

trends

Apparently ex-starship captains go on to become the local authority in small-town horror flicks:

* “Kingdom of the Spiders”:http://www.imdb.com/title/tt0076271/
* “Slither”:http://www.imdb.com/title/tt0439815/

Have Patrick Stewart or Kate Mulgrew done insect/reptile horror flicks yet?

posted at 9:58 pm on Sunday, February 05, 2006 in Miscellaneous | Comments Off on trends

addiction

Flickr’s “interesting pictures page”:http://www.flickr.com/explore/interesting/7days/ is highly addictive…

posted at 10:34 pm on Friday, February 03, 2006 in Links | Comments Off on addiction

making the rounds

This year, both Groundhog Day and the State of the Union Address fall on the same day. As Air America Radio pointed out, “It is an ironic juxtaposition: one involves a meaningless ritual in which we look to a creature of little intelligence for prognostication, and the other involves a groundhog.”

(via “olletho”:http://olletho.livejournal.com/)

posted at 12:00 am on Thursday, February 02, 2006 in Humour | Comments (2)
  1. Brian says:

    Prognostication?

    Article II, Section 3. He (The President) shall from time to time give to the Congress information of the state of the union, and recommend to their consideration such measures as he shall judge necessary and expedient;

    It’s cute snark but the purpose of the SOTU address is hardly prognostication.

  2. Harald Koch says:

    Humour is seldom about 100% truth; I’m not too worried about it.

    As for the actual SOTU, well… see “my earlier comments”:http://blog.cfrq.net/chk/archives/2003/01/16/blogging-politics/