Just read Steve Wood's excellent article about client security, particularly in relation to password use in the alpha blog.
First, as an aside to show the lack of thought about security from many organisations, I bet I am not the only one who often gets phone calls from financial institutions who, although genuine, want to take me "through security". Besides their number normally being suppressed, I have no idea who they are, so I normally say this and ask them to tell me a recent transaction or something. Often they won't do this until I've passed security, and I won't give them personal details until they prove who they are. Stalemate.
Anyway, Steve wrote about on-line bank or utility websites for guidance on good practice. One of my banks has changed their procedures to what I think is a lovely piece of work, which in my mind greatly increases security and also reduces the chances of phishing. When you start the log-on procedure it asks for user name and unique on-line access code. The next bit is the new bit.
The system then reveals a graphics image that I have previously chosen from hundreds available, and also a Memorable Phrase (nothing to do with hints or passwords; it could be something like "Don't eat yellow snow"). The same thing is always revealed, thus you can be sure you are on the true site.
The next enhancement is that the system compares the IP address you are using to access the site. If it is one that is regularly used, then you are taken straight to the password screen where you input randomly selected digits from a minimum 8-character password. If it is not an IP address (say, office or home) then you are taken to an additional screen where you need to input specific answers to questions pre-selected when originally setting up the security details.
I think this bi-directional handshaking must be the way to go in the future.
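The staged flow described in this post (site image and phrase revealed once the user name and access code match, an IP check deciding whether the enrolment questions are asked, then a few randomly chosen positions from the password), as an added example in Python; it is not code from the post or from any bank, and the account record, user name, IP addresses, questions and password are constructed sample values.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Account:
    # Constructed sample record for the walkthrough, not a bank's real schema.
    access_code: str
    image_id: str          # anti-phishing picture the customer chose at enrolment
    memorable_phrase: str  # anti-phishing phrase shown alongside the picture
    password: str          # kept recoverable: a per-position check cannot use a one-way hash
    answers: dict          # question -> expected answer, chosen at enrolment
    known_ips: set = field(default_factory=set)

ACCOUNTS = {
    "alice": Account("A1B2C3", "img-0417", "Don't eat yellow snow",
                     "correcthorse9", {"First school?": "Hilltop"},
                     {"203.0.113.10"}),
}

def step1_identify(user, access_code):
    """Stage one: user name + on-line access code. The site-to-customer proof
    (image + phrase) is returned only when both match."""
    acct = ACCOUNTS.get(user)
    if acct is None or not secrets.compare_digest(acct.access_code, access_code):
        return None
    return acct.image_id, acct.memorable_phrase

def step2_route(user, client_ip):
    """Stage two: a regularly used IP goes straight to the password screen;
    any other address must first pass the enrolment questions."""
    return "password" if client_ip in ACCOUNTS[user].known_ips else "questions"

def check_answers(user, given):
    """All enrolment questions must be answered (case-insensitively)."""
    acct = ACCOUNTS[user]
    return all(secrets.compare_digest(acct.answers[q].lower(), given.get(q, "").lower())
               for q in acct.answers)

def pick_positions(user, k=3):
    """Choose k distinct 1-based positions from the (>= 8 character) password,
    using the OS CSPRNG so the challenge is not predictable."""
    n = len(ACCOUNTS[user].password)
    assert n >= 8, "policy: minimum 8-character password"
    return sorted(secrets.SystemRandom().sample(range(1, n + 1), k))

def check_partial(user, positions, chars):
    """Compare the characters supplied for the challenged positions."""
    pw = ACCOUNTS[user].password
    expected = "".join(pw[p - 1] for p in positions)
    return len(chars) == len(expected) and secrets.compare_digest(expected, chars)
```

The one design cost worth noticing is in the `password` field: a partial-password check needs the server to recover individual characters, so it cannot store only a salted one-way hash the way a whole-password login can.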