My Bank is a Security Vulnerability
The big catastrophe in the technosphere this week was the leak of 6.5 million LinkedIn password hashes. Francois Pesce wrote an excellent summary of what we should learn from it, at least from a security perspective. The main idea is that even with relatively old hardware, passwords can be cracked extremely quickly, and this applies to seemingly long and complex passwords too. Unfortunately, as users, the best we can do is pick long random passwords that don’t use real words, or use long passphrases and hope for the best.
The Dark Ages — they haven’t ended yet
In the interest of not pissing off the people who hold all of my money, I’ll leave the name of my bank out of this. For those of you who follow me on Twitter, it won’t be hard for you to figure out who I’m talking about.
In the wake of all this LinkedIn madness, I decided it was that time of the year again to change all of my passwords. Obviously, I did this in order of primacy, starting at the top: my online banking account. If anyone ever gained access to that, they would not only be able to take my money, they would also be able to assume much of my identity. Like any good citizen of the internet, I was prepared to create a new passphrase that was long and made up of letters, numbers, and special characters. Remember: the goal is not to stop attackers from guessing your password; it’s to stop them from cracking your password. I was instantly stopped in my tracks. As it turns out, my bank doesn’t allow passwords longer than 12 characters, and special characters aren’t allowed at all.
Even before the LinkedIn leak, this was just bad password practice. An argument, albeit a poor one, could be made against special characters (the fear of SQL injection comes to mind), but a maximum length of 12 is absurd. In fact, 12 characters should be the minimum length.
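To make the comparison concrete, here is an added example (mine, not the bank's code or anything from Pesce's summary) that checks a candidate password against a policy shaped like the bank's (hard cap of 12, no special characters) and against a sane one (12 as the minimum, a generous cap, special characters allowed), and estimates the brute-force search space each candidate gives an attacker. The two policies, the special-character set and the guess rate are constructed assumptions for illustration.

```python
import math
import re

# Constructed policies for illustration; neither is any real bank's configuration.
BANK_LIKE_POLICY = {"min_len": 1, "max_len": 12, "allow_special": False}
SANE_POLICY = {"min_len": 12, "max_len": 128, "allow_special": True}

# Assumed set of "special" characters (punctuation and space).
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ ")


def check_password(pw: str, policy: dict) -> list:
    """Return the list of policy violations for pw; an empty list means accepted."""
    problems = []
    if len(pw) < policy["min_len"]:
        problems.append("shorter than %d" % policy["min_len"])
    if len(pw) > policy["max_len"]:
        problems.append("longer than %d" % policy["max_len"])
    if not policy["allow_special"] and any(c in SPECIAL for c in pw):
        problems.append("special characters not allowed")
    return problems


def search_space_bits(pw: str) -> float:
    """Upper bound on the brute-force work, in bits: assumes each character was
    drawn uniformly from the character classes present. A passphrase built from
    dictionary words is weaker than this bound; a random string reaches it."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if any(c in SPECIAL for c in pw):
        alphabet += len(SPECIAL)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given guess rate (an assumed
    rate; fast unsalted hashes such as the leaked ones allow very high rates)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("aB3dEf9hIjK1", "correct horse battery staple!"):
        bits = search_space_bits(pw)
        print(repr(pw), "bank-like:", check_password(pw, BANK_LIKE_POLICY) or "ok",
              "| sane:", check_password(pw, SANE_POLICY) or "ok",
              "| %.1f bits, %.2e years at 1e10 guesses/s" % (bits, years_to_exhaust(bits, 1e10)))
```

The 12-character random string is the strongest thing the bank-like policy will accept, while the longer passphrase it rejects outright offers a far larger search space under the sane policy.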
When in doubt, castle
So what could I do? I am, as it stands, at the mercy of my bank’s rules. Some, such as Jeff Atwood, would suggest that I change banks. But that really isn’t practical. So, I did the best thing I was willing to do: pick a 12-character random password. I’m still in the process of committing that to memory.
Moral of the story: go find out how your financial institutions are limiting your security. Pick the strongest passphrase they allow. You may even feel compelled to change banks altogether.