Passwords and Post-Its
Recently, my credit union changed its online banking system to one that requires an extra level of authentication when transferring money. Surely a good thing, I don’t want just anyone wasting my money, that’s my job.
Now if I want to transfer money, all I have to do is log on to the site with my password, then click on a series of cartoons in the correct order when prompted. Easy. But is it more secure? And what’s more, is it actually a bad idea?
There is still much debate on the value of picture-based password systems versus traditional alpha-numeric ones, specifically are they easier to remember and are they easier to guess.
This aside, I think that this particular system suffers from some of the problems symptomatic of ignoring the user when designing system authentication . So here’s my quick run-down of the pros and cons:
Security Pros
- Clicking a password with the mouse defeats key-loggers
- Remembering picture may be easier
Security Cons
- People tend to choose obvious pictures
- Clicking pictures on a screen is visible to others
- The pictures displayed change, so if you refresh it a few times, you can narrow down which pictures are in the code
- There are only 9 pictures (vs 10 digits if you just used numbers!)
- Difficult passwords lead to post-it notes
There is also the negative that these images are terrible random cartoons – not particularly professional as a client system for a financial institution.
Having worked for a number of years in IT departments with varying levels of password strictness rules, I can say without reservation:
The more difficult you make it for users to remember passwords, the less secure the system is.
The reason for this is simple- people will write them down. Somewhere. In the worst case, they’ll write it on a sticky-note and slap it on the monitor! And if they can’t find where they wrote it down, they’ll call IT and have it reset. Often without needing to verify who they are.
So why on earth not just have the system present a keypad like an ATM? It’s:
- More secure due to the number of digits and the fact the the options don’t change
- More Professional
- More familiar as most bank customers are very familiar with ATMs
What if you are sold on using graphical authentication ?
Here’s an easy checklist of what I think should be done:
- The interface must provide more possible combinations than a numberpad^
- The images should be professional and appropriate to the industry
- They should be obviously distinct, and certainly not just different colours
(^) That’s more at the authentication stage, not the selecting a password stage
By the way, can someone reset my password? I know it was snowman, fat guy then cheese… or was it cheese then ant?
31 October 2007