RichardBerg : IngBankStupidity

(originally posted here)

Most banks with web access only require a 4-digit PIN as well, plus my SSN.
I find it hard to believe anyone who reads the Ars front page would put up with that :eek:

When I signed up for my first internet banking website, it didn't support punctuation characters in their passwords until I bitched at them. That was a small, family bank in Texas seven years ago. Since then, I can't remember the last time a financial website was the limiting factor in implementing a sane password strategy. Even my Duke account (which had some shockingly backwards aspects considering it was the 21st century during most of my enrollment) required strong passwords + smartcards for activities far less important than banking (e.g. network printing).

How can a company that markets itself primarily on its internet savviness be so ignorant?

Also, ING requires your customer number, which is not printed in their correspondence with you. They're fairly secretive about it.
That doesn't make it a password. In a previous infosec post (which I do intend to complete) I listed some properties of passwords. (Don't take them as an official definition since I've never read a proper text on the subject, but I'm sure if I picked up the Schneier books et al. that everyone talks about then my guidelines would be even more stringent than 7 items that I happened to consider "common sense" before I fell asleep.)

I don't expect ING to bat 7/7, since (1) they are not in control of a couple of those factors, and (2) there are some mitigating factors. Namely, (a) the hard link to my checking account and nowhere else, (b) a password lockout policy, if they have one, and (c) the silly zip code / SSN / etc. addition. However, some of their policy's mistakes are worse than others: their customer numbers appear to be assigned in sequential order, which is a huge liability; so is the inability to change it, if that's the case as I suspect. Furthermore, I'm not convinced of any of a-c's validity yet.

(a) -- I assume they will not change the checking link to another bank account unless you verify all 3 of the "security" questions.* But I haven't tried to social-engineer this yet, so it's unproven.
(b) -- the whole time I was trying my strong password in disbelief before realizing they wanted my 4-digit PIN, I was never locked out. That doesn't bode well. Anyone know what their lockout policy is?
(c) -- I don't consider questions of this type to have anything to do with information security whatsoever. That's for another thread, but I can't possibly be the only geek to recognize this.

*I noted that they were lacking in questions with subjective answers. For example, asking "what's your favorite color?" is a decent security question because I can make up something remotely passwordish like "wtfbbqR4D". "What was your first elementary school" is a terrible question because most people will use a factual answer (i.e. one that can be obtained through completely legal means by a complete stranger), while we geeks will be forced to insert a random string that's harder to remember than made-up colors.
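As an added illustration (my own example, not part of the original post), here is a small Python model of the lockout policy asked about under (b): it shows how a failed-attempt threshold caps the share of a 4-digit PIN space that one account exposes to online guessing, versus the 100% exposure of no lockout at all. The threshold values and account names are constructed for the example.

```python
"""Model of an account-lockout policy for a PIN-based login (constructed example)."""
import math
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class LockoutPolicy:
    # None means the site never locks an account, however many failures occur.
    max_failures: Optional[int]
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def attempt(self, account: str, pin: str, real_pin: str) -> str:
        """Process one login attempt; returns 'locked', 'ok' or 'fail'."""
        if account in self.locked:
            # Once locked, even the correct PIN is refused until a reset.
            return "locked"
        if pin == real_pin:
            self.failures.pop(account, None)  # success clears the counter
            return "ok"
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if self.max_failures is not None and n >= self.max_failures:
            self.locked.add(account)
        return "fail"


def pin_bits(digits: int) -> float:
    """Entropy of an all-digit PIN chosen uniformly (4 digits is about 13.3 bits)."""
    return digits * math.log2(10)


def keyspace_coverage(max_failures: Optional[int], digits: int = 4) -> float:
    """Fraction of the PIN space an online guesser can try on one account before lockout."""
    space = 10 ** digits
    if max_failures is None:
        return 1.0  # no lockout: the whole space is reachable online
    return min(max_failures, space) / space


if __name__ == "__main__":
    strict = LockoutPolicy(max_failures=5)
    for wrong in ("0000", "0001", "0002", "0003", "0004"):
        strict.attempt("cust-0001", wrong, real_pin="7319")
    print(strict.attempt("cust-0001", "7319", real_pin="7319"))  # locked
    print(f"coverage with lockout@5: {keyspace_coverage(5):.4%}")
    print(f"coverage with no lockout: {keyspace_coverage(None):.0%}")
```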

Bottom line, I don't think my personal security expectations are unreasonable. Hell, in the vast majority of areas, I'm in the complete opposite "omg information wants to be free" philosophical camp. I change my passwords less than once per year on average. I rarely feel the need to encrypt anything except those passwords. If despite my generally laid-back nature I'm the only person willing to demand some tough answers from the guys who hold power over my life savings, then so be it.

