My bank site is making it so I have to change my password every 90 days, and the password has to include at least one number and at least one uppercase character.
I can’t remember all these new passwords. So I have to write them down.
How in the bloody hell is that more secure than me just using my old password?
It’s not. I think that these complicated schemes are theoretically more secure, but they force us to do non-secure things to deal with password overload. Many people resort to date-related PWs to cope with the ones you have to change every X days.
You don’t have to write them down though, you can put them into an Excel file and then password protect that. I had to do that for work, I have a number of different passwords, for no real reason. We have to change some every couple of weeks, another after so many logins, and another every six months. We can’t use anything that’s been used in the last 50 times, has to have two letters, two numbers, two symbols. It got to be real frustrating real quick.
The funny thing is that the two worst passwords are my email, which contains nothing, and my time sheet, yes please do fill out my time sheet for me. The email is the worst really, it expires after eight weeks, but after four weeks it says, your password will expire on 12/25/07, do you want to change now? Then it keeps asking you.
Apparently your bank has been taking lessons from my bank.
Not only do I have to change my password regularly, I also have to use no less than FIVE passwords/PINs with this bank. I have one for phone banking, one for the ABM, one for my Mastercard account, one for my regular savings/chequing accounts, and one for my rewards program. Not surprisingly, I’ve written all of these down aside from the ABM code.
And as if that wasn’t enough, they decided last week that my bank card number is “not secure enough” (which I believe is bank-speak for “too easy for you to figure out”). So now I need a USERNAME to sign in.
And yes, if you’re wondering, my username also must be at least 6 characters long, and must contain at least one letter and one number.
Sigh. That piece of paper is getting too damn small for all this.
Not to be overly argumentative, but isn’t that writing them down? It’s writing them down in a password-protected way, but it’s still writing them down.
As for challenge questions, GAH! I don’t have answers for most of them. “What was your first car?” Lessee, would I remember to think it was the first car I bought myself, or would I think of the first car that was “mine” that my parents actually owned? Would it be the one I took with me to college and paid the bills on though it was still in their names? Would it be the one that my husband actually owned but that I drove exclusively after we were married? Grr.
It’s always a challenge to find one of the questions to which there is an unambiguous answer, to improve my chances of answering correctly should I ever need to.
But it is more “secure” – CYA-wise – for the bank. If they let you keep your password for an extended length of time and it gets hacked, they can be held responsible for not making sure you didn’t change it periodically.
If you lose the piece of paper, well, then it was clearly your fault.
I guess it is. I was thinking of actually writing it down on a piece of paper and having it by the computer. My password file is hidden on a flash drive and named something really dumb.
I still don’t see what one can do with my bank password. I don’t think you can get money out via the internet, the worst you can do is pay my bills. Even with my credit card you can’t buy anything, they don’t have the credit card number up, they don’t have my bank account numbers up. Can someone really do anything with my stuff except pay bills?
Well, as someone who has dabbled in IT security…there are levels of bad when writing down a password.
Writing your ATM PIN on the back of the card - BAD. Stupid bad. Putting your ATM PIN as the last four digits of the phone number for “Karen Banks” in your address book - better. Having your ATM code be the house number of the house you lived in when you were seven, or the year the Magna Carta was signed, good. Writing your password down on a post-it note attached to your monitor, bad. Under your keyboard, well…bad, but at least it’s out of sight. In a desk drawer locked up - better. In a password-protected Excel spreadsheet, better. My Blackberry has a password manager (I don’t use it, but it has one) - that is locked with a password.
Best yet is being able to remember them all. A lot of people use numeric schemes and familiar combinations. Worked with a woman who rotated cocktails - subbing 1s 0s 4s and 3s for I O A and E. So password was M4rt1n1
And I hate challenge questions as well - my mother has two maiden names. My birthplace is St. Paul (did I type that with a period when I created the challenge question or not?) Childhood pet - which one? On the plus side, they have gotten BETTER - they don’t show quite the extreme cultural bias (everyone has a mother who has a maiden name - that’s your one choice - what, you don’t know your birthmother and were raised by a gay couple - well, too bad) that they used to.
It’s more secure because the things that make your password harder to remember also make it harder to guess randomly, or by knowing your pet’s name, or what have you. As for writing it down on a small piece of paper - to borrow a point from Bruce Schneier, the problem of safely storing small, valuable pieces of paper is not a novel one. You’ve got cash in your wallet, right?
I’ll agree that’s the theory (although I also agree that the motivation for this is mainly banks covering their collective asses), but the theory ignores human frailty and human nature, not to mention the MASSIVE increase in password requirement over the last few years.
Surely the best way to deal with it is to use numbers as a suffix, so you have MyPA55w0rd01, MyPA55w0rd02 and so on… then if you do need to write anything down, you only need to make a note of the number?
I use the same four passwords (depending on individual password length requirements, etc.) everywhere I need one. For the places that require a new one on a regular basis, I increment the number at the end each time. Unfortunately the programmers are starting to check for that, so I need to get tricky about incrementing different characters. :mad:
And yes, that’s also not very secure. It means that I don’t need to write anything down, though I sometimes have to try all four possible passwords.
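The “programmers are starting to check for that” remark above, and the rotating-cocktail scheme (M4rt1n1) and the MyPA55w0rd01/02 suffix scheme described earlier in the thread, are all the same trick seen from the defender’s side: the new password is a trivial transform of the old one. The following is an added example, not code from any bank or from anyone in this thread, of what such a check can look like. The leet table, the edit-distance threshold of 2 and the sample passwords are assumptions chosen for illustration.

```python
import re
from typing import Iterable, Optional

# Reverse map for common "leet" substitutions. Which substitutions to include is
# an assumption of this example; the thread only mentions 1/0/4/3 for I/O/A/E.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
TRAILING_DIGITS = re.compile(r"\d+$")


def stems(password: str) -> set:
    """Possible 'stems' of a password: lowercased, leet undone, trailing counter removed.
    Both orders are tried because a trailing '1' may be a counter or a leet 'i'."""
    p = password.lower()
    return {
        TRAILING_DIGITS.sub("", p).translate(LEET),  # MyPA55w0rd02 -> mypassword
        TRAILING_DIGITS.sub("", p.translate(LEET)),  # M4rt1n1      -> martini
    }


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(candidate: str, history: Iterable[str], max_edits: int = 2) -> Optional[str]:
    """Return a rejection reason if `candidate` is trivially derived from any
    earlier password in `history`, otherwise None."""
    cand_stems = stems(candidate)
    for old in history:
        if candidate == old:
            return "reused verbatim"
        shared = cand_stems & stems(old)
        if shared:
            return "same stem as an earlier password: %r" % sorted(shared)[0]
        if levenshtein(candidate.lower(), old.lower()) <= max_edits:
            return "within %d edits of an earlier password" % max_edits
    return None


if __name__ == "__main__":
    # Constructed sample history and candidates, for demonstration only.
    history = ["MyPA55w0rd01", "Martini"]
    for cand in ["MyPA55w0rd02", "M4rt1n1", "MyPA55w0rd1B", "correct horse battery"]:
        print("%-24s -> %s" % (cand, too_similar(cand, history) or "accepted"))
```

One caveat for anyone implementing this: the comparison needs the old password in the clear, which a site only has at change time (the user just typed it to authenticate). Checking against the last N passwords, as the “last 50” rule in this thread requires, means storing a salted hash of each normalized stem rather than of the raw password, or it cannot catch the stem match at all.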
Last night a national site asked me to make new challenge questions. The ones to choose from were horrid and ambiguous. I chose the only two I might have a chance of guessing correctly, and when I typed the answer the letters were asterisked out so I could not tell if I’d spelled correctly. When I hit submit, the next page showed me what I’d typed and informed me that a copy had been emailed to me, leaving me wondering what the point of the asterisks was.
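The “St. Paul with or without the period” problem raised earlier in the thread, and the masked-then-emailed answer in the post just above, are both about how a site should store and compare challenge answers. As an added example (not the code of any site mentioned here), the function below canonicalizes an answer before hashing it, so that case, punctuation, stray whitespace and Unicode form cannot lock the user out, and the stored value is a salted slow hash rather than the answer itself. The PBKDF2 iteration count and the sample answers are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; an assumed value for this example


def canonical_answer(answer: str) -> str:
    """Canonical form of a challenge answer: Unicode-normalized, case-folded,
    punctuation dropped, whitespace collapsed ('St. Paul' -> 'st paul')."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)   # drop punctuation such as the period in 'St.'
    return " ".join(text.split())          # trim and collapse whitespace


def enroll(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only a salted slow hash of the canonical answer, never the answer itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonical_answer(answer).encode("utf-8"),
                                 salt, ITERATIONS)
    return salt, digest


def verify(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the canonical candidate against the stored digest."""
    cand = hashlib.pbkdf2_hmac("sha256", canonical_answer(answer).encode("utf-8"),
                               salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)


if __name__ == "__main__":
    # Constructed sample: enrolled as 'St. Paul', then checked with variants.
    salt, digest = enroll("St. Paul")
    for attempt in ["St Paul", "  st.  paul ", "Saint Paul"]:
        print("%-14r -> %s" % (attempt, verify(attempt, salt, digest)))
```

Canonicalizing does shrink the answer space slightly, but challenge answers are already low-entropy (a birthplace, a pet’s name), so the real protection has to come from the slow hash and from rate-limiting attempts. Hashing is also pointless if the site then emails the answer in the clear, as the post above describes, since the plaintext then sits in a mailbox indefinitely.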
That reminds me of a time when I had need to keep some phone numbers secret, so I wrote them into bogus partial differential equations in the margins of my undergrad PDE book.
The great SallieMae locked me out of my account with their clever challenge questions:
What is your grandmothers maiden name?
Now, SallieMae, in the business of financing education, is either too dumb or too cheap to spring for an apostrophe, but I will (with difficulty) let that slide. But surely they know that every human being has, minimum, two biological grandmothers?
When I called to reset the account, the helpful tech suggested I ignore the literal sense of the challenge questions and just give the same answer to all of them:
What is your greatest fear? Rutabagas [not my real answer].
What was your first pet? Rutabagas.
Where were you born? Rutabagas.
I thought this was a clever way of getting around the system, as I agree with Noone Special.