Thursday, February 21, 2008

Too Much Security: Is There Such a Thing?

I just logged onto my 401K account, in preparation for some big changes that I will be blogging about in the next few days (all good stuff). When I logged onto the site I was told that the log-in process will be changing and I was asked to pick a new user name and password. So far so good, but here comes the hassle. The user name must contain at least 6 characters at least one of which is a number and one of which is a letter. The password must contain 8 characters, using the same rules.

None of my standard passwords meet all of these criteria, and here you go. Another password I must now remember. Of course the upshot of all of these complicated passwords is less, not more security. For example, my company requires employees to create 8 character complicated passwords that change every three months. As a result, I can never remember my password (or don't trust myself to remember it) and so I wrote down the password and taped it to the wall of my office. Wouldn't it be more secure to let me select a password I could actually remember?

I don't know about you, but I have accounts with about 10 financial institutions (between 401k's, bank accounts, brokerage accounts, IRAs, 529s and so forth). I also have multiple user names and log-ins for other services. With each of them perpurting to becoming more secure and imposing tighter restrictions on password selection, the overall result is less security as I am forced to leave a paper record of log-ins that others can follow.

3 comments:

Traciatim said...

Our work is now doing this too. What you may want to do is use a CD or USB key and have an encrypted file with all your logins and passwords on it, that way you just have to remember 1 password and can copy and paste the rest. That solves two problems, you remembering and key loggers won't pick up your passwords.

Fancy that, actual better security instead of pseudo security like the airports banning liquids.

Little Miss Moneybags said...

I agree with this--I have an encrypted file that has all my usernames and passwords for every log in that I have because I just couldn't keep it straight!

I also have three regular passwords, all of which meet the fairly common 8-character, mix of letters and numbers and uppercase letters requirement. One is for things that wouldn't so much matter if someone got ahold of it--myspace, commenting on blogs, etc. One is for email accounts only. And one is for things of higher priority (paypal, financial institutions). Next time I go through and change it, I will do as someone suggested and have a base password with a twist at the end or beginning depending on the account. For example, my Fidelity account password might be passwordFI2 and my ING password might be passwordING2--so I only have to remember one password, but it's different for each account.

Anonymous said...

Traciatim, don't even get me started on the topic of airport security. That is my favorite topic to rant about (see my posts on the subject). I mean, that's the best example of a waste of tax payer dollars I can think of (and I can think of plenty).

Seriously: fake security and real hassle brought to you by the people that brought you the Iraq War. Now in theaters.