Have you ever had to enter CHARACTERS from your password to log in?  No? Me either. How would you feel if you entered your credit card number into your credit card provider’s website and instead of the usual password you were given this screen:
This is the second screen of my credit card provider’s authentication workflow. They are asking me to answer my “Personal Identification Question”, and asking me to type 3 random digits of my password instead of my entire password. The ramifications of this set of implementation choices just blow my mind. Three strikes and you’re out, if you ask me:
1. Downright Terrible Personal Identification Questions
Anyone who reads my blog can probably figure out my favorite hobby; I even mention it on my about page. That question was one of five terrible security questions. Three of the questions are standard web access management fare. They aren’t great, but at least the 8-character minimum length keeps away answers like “golf”, “ford”, and “rex”. The other two questions, however, are in my mind criminal. No financial institution should give a customer the option to use their mother’s or father’s name as a method of personal identification. I can’t believe anyone put those questions into production. The worst part: because of the list given, those two questions are the only ones that can be answered in a straightforward way while also fitting the complexity rules.
2. Removing The Guesswork from Password Hacking
Then there is the 8-character password. I could have sworn that one of the variables that make a password tough to brute force is the fact that the length is unknown. If you *know* you’re working with 8 characters, you can seriously narrow down your brute force parameters. Plus the only punctuation allowed is an underscore. Ouch.
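To put numbers on the known-length point, here is a small added example (my own illustration, not anything from the card provider) that sizes the search space for the post's password rules. It assumes an alphabet of letters, digits and underscore (63 symbols), since the post says underscore is the only punctuation allowed. It compares an exactly-8-character keyspace with a 1-to-8-character one, and then shows how much more the fixed 8-character cap costs compared with longer passwords:

```python
import math

# Alphabet implied by the post's password rules: upper- and lower-case letters,
# digits and the underscore (the only punctuation allowed). The exact set is an
# assumption for this example; the post does not list it.
ALPHABET_SIZE = 26 + 26 + 10 + 1  # 63 symbols


def keyspace_fixed_length(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Candidates to consider when the exact password length is known."""
    return alphabet ** length


def keyspace_length_range(min_length: int, max_length: int,
                          alphabet: int = ALPHABET_SIZE) -> int:
    """Candidates when only a length range is known (every length summed)."""
    return sum(alphabet ** n for n in range(min_length, max_length + 1))


def entropy_bits(candidates: int) -> float:
    """Guessing entropy of a password chosen uniformly from `candidates` values."""
    return math.log2(candidates)


def saving_from_known_length(length: int, alphabet: int = ALPHABET_SIZE) -> float:
    """Fraction of the 1..length search space that knowing the exact length removes."""
    unknown = keyspace_length_range(1, length, alphabet)
    known = keyspace_fixed_length(length, alphabet)
    return 1 - known / unknown


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed offline guess rate."""
    return candidates / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    fixed8 = keyspace_fixed_length(8)
    upto8 = keyspace_length_range(1, 8)
    print(f"exactly 8 chars : {fixed8:.3e} candidates, {entropy_bits(fixed8):.1f} bits")
    print(f"1..8 chars      : {upto8:.3e} candidates, {entropy_bits(upto8):.1f} bits")
    print(f"knowing the length removes {saving_from_known_length(8):.2%} of the 1..8 space")
    # The cap is the larger problem: each extra character multiplies the work by 63.
    for n in (8, 12, 16):
        space = keyspace_fixed_length(n)
        print(f"{n} chars fixed: {entropy_bits(space):.1f} bits, "
              f"{years_to_exhaust(space, 1e10):.2g} years at 1e10 guesses/s (assumed rate)")
```

Run as a script it prints the comparison; the takeaway is that knowing the length is exactly 8 trims under 2% of the 1-to-8 search space, whereas the 8-character ceiling itself holds the whole space to under 48 bits, which is the part of the policy that really helps a brute-force attacker.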
3. One-way Hashes are *so* 2008
Since my bank is performing character matches on my password, there is no way that they are using a one-way hash algorithm to store my password. If they were, they would be able to match the whole thing or nothing at all. Instead, they have chosen to be able to retrieve my password and play with it. I can only hope that it isn’t stored in clear text, but frankly anyone who asks “What is my mother’s name” as a security question can’t be too worried about security. Don’t get me wrong, HSBC is very worried about the appearance of security; in fact I was forced to positively acknowledge a big long page of statements about how firewalls are used, and how they require me to use 128-bit encryption. In spite of all the assurances, it seems to me that I’m at risk in a number of ways now, and all so that the password interface can be turned into a primitive and easily overcome Turing test.
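The "whole thing or nothing at all" point is easy to show in code. The following is an added example of my own (not the bank's implementation, whose internals I cannot see) that puts the two storage models side by side: a salted one-way store built on PBKDF2-HMAC-SHA256, which can only verify a complete candidate password, and a plaintext store, which is what a three-random-characters challenge needs. The iteration count, the sample password and the helper names are all assumptions for the example. The last function shows what a copy of each record hands over on its own:

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

# Work factor for PBKDF2-HMAC-SHA256; an assumed value for this example.
PBKDF2_ITERATIONS = 200_000


@dataclass(frozen=True)
class HashedRecord:
    """What a one-way store keeps: a random salt and the derived digest."""
    salt: bytes
    digest: bytes


@dataclass(frozen=True)
class PlaintextRecord:
    """What a character-matching store must keep: the password itself, or
    something decryptable back to it, which is equivalent once the key is in hand."""
    password: str


def store_hashed(password: str) -> HashedRecord:
    """Derive a salted digest; the password itself is not retained."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return HashedRecord(salt, digest)


def verify_hashed(record: HashedRecord, candidate: str) -> bool:
    """All-or-nothing check: only a complete candidate can be compared."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record.salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record.digest)


def store_plaintext(password: str) -> PlaintextRecord:
    """Keep the password as-is, the only way a per-character check can work."""
    return PlaintextRecord(password)


def choose_challenge_positions(length: int, count: int = 3) -> List[int]:
    """Pick `count` distinct 0-based positions, as the bank's prompt does."""
    return sorted(secrets.SystemRandom().sample(range(length), count))


def verify_partial(record: PlaintextRecord, answer: Dict[int, str]) -> bool:
    """Check only the challenged positions; impossible without the plaintext."""
    if any(pos < 0 or pos >= len(record.password) for pos in answer):
        return False
    expected = "".join(record.password[pos] for pos in sorted(answer))
    given = "".join(answer[pos] for pos in sorted(answer))
    return hmac.compare_digest(expected.encode("utf-8"), given.encode("utf-8"))


def breach_exposure(record: Union[HashedRecord, PlaintextRecord]) -> Optional[str]:
    """What a copy of the stored record yields directly: the password for a
    plaintext store, nothing usable for a salted one-way store."""
    if isinstance(record, PlaintextRecord):
        return record.password
    return None


if __name__ == "__main__":
    sample = "s3cret_pw"  # constructed sample password
    hashed = store_hashed(sample)
    print("hashed store, full password   :", verify_hashed(hashed, sample))
    print("hashed store, one char wrong  :", verify_hashed(hashed, "s3cret_pX"))
    print("hashed record leaks           :", breach_exposure(hashed))
    plain = store_plaintext(sample)
    positions = choose_challenge_positions(len(sample))
    answer = {pos: sample[pos] for pos in positions}
    print("plaintext store, positions", positions, ":", verify_partial(plain, answer))
    print("plaintext record leaks        :", breach_exposure(plain))
```

Note that the hashed store has no function that could answer the partial challenge at all: the salt and digest contain no per-position information, so a server offering "type characters 2, 5 and 7" has to hold the password in a recoverable form, and a copy of that record is a copy of the password.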
So, what am I missing? Is there some brilliant element to this setup that makes up for the sins that appear to have been committed? Something that will make me happy my credit is in the hands of this company? I hope so, because right now I feel like maybe it’s time to do my best ‘rat leaving a sinking ship’ impression.