Natwest beats the keyloggers

[Image: NatWest bank sign-in page]

NatWest, a UK-based bank, has a unique login page that makes it safe to sign into your online bank account even on untrusted computers. The login page makes it impossible to employ the Revised Vesik Method that is ordinarily the best way to beat keyloggers, but it more than compensates with its clever login requirements.

When logging in, the first set of fields asks for just three of the four or more digits that make up your account PIN, and the next set of fields asks for just three of the eight or more characters from your password (you are using eight characters or more for your passwords, right?). The specific characters you need to enter change each time you successfully log in.

So suppose a keylogger captures every stroke you enter – are you safe? Yes, since the six digits that a keylogger could scrape are likely to prove useless when the next login page is generated. The new page will ask for different characters, and it won’t regenerate new requirements until those characters are successfully entered. That’s important, because otherwise it might be possible to refresh the page until the desired six digits are requested again.

As safe as other techniques?

You might wonder if the trick of asking for just six digits means that the login procedure is less safe than one that asks for eight. I believe it is, but not in any sense that matters as long as there is a limit to the number of incorrect login attempts that can be made. Like most banks, NatWest hinders password-guessers by temporarily blocking access to online banking after a certain number of failed login attempts.

So, how much less safe is NatWest’s request for six digits instead of eight? Well, guessing an eight-digit password composed of numbers and varied case letters would see success about 1 in 200 trillion times; guessing a single number from a four-digit PIN and then guessing the correct three digits from the same password as before would see success about 1 in 2.4 million times. There is a difference, but it doesn’t really matter if the temporary lockout feature is working properly. In my judgment, the anti-phishing benefits make NatWest’s login procedure safer than login pages that ask for complete passwords.
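To make the mechanism concrete, here is a small model of a partial-credential login written for this post; it is an added example, not NatWest’s code, and the lockout threshold, the PIN and password values, and the class and function names are all constructed for illustration. It captures the three properties discussed above: the challenge asks for three PIN digits and three password characters, the same challenge is held (a refresh or a failed attempt does not regenerate it) until a correct answer is submitted, and repeated failures lock the account. Two helper functions reproduce the search-space figures from the paragraph above and, going one step beyond the text, compute how often a fresh challenge would ask for exactly the positions an earlier keylogged session exposed (for a four-digit PIN and eight-character password, 1 in 224).

```python
"""Model of a partial-credential login (added example, not NatWest's code).

Constructed assumptions for this example:
  - three PIN digits and three password characters are requested per login;
  - the challenge is held until a correct answer is submitted;
  - the account locks after MAX_FAILED_ATTEMPTS consecutive failures.
"""
import hmac
import math
import secrets

PIN_POSITIONS = 3
PASSWORD_POSITIONS = 3
MAX_FAILED_ATTEMPTS = 3  # hypothetical lockout threshold


class PartialCredentialLogin:
    """Server-side state for one account: secrets, pending challenge, failure counter."""

    def __init__(self, pin: str, password: str, max_failed: int = MAX_FAILED_ATTEMPTS):
        if len(pin) < 4 or not pin.isdigit():
            raise ValueError("PIN must be four or more digits")
        if len(password) < 8:
            raise ValueError("password must be eight or more characters")
        self._pin = pin
        self._password = password
        self._max_failed = max_failed
        self._failed = 0
        self.locked = False
        self._challenge = None  # (PIN positions, password positions), 0-based

    def challenge(self):
        """Return the positions to answer. Reloading the page returns the same ones."""
        if self._challenge is None:
            rng = secrets.SystemRandom()
            pin_pos = tuple(sorted(rng.sample(range(len(self._pin)), PIN_POSITIONS)))
            pwd_pos = tuple(sorted(rng.sample(range(len(self._password)), PASSWORD_POSITIONS)))
            self._challenge = (pin_pos, pwd_pos)
        return self._challenge

    def submit(self, pin_chars: str, password_chars: str) -> bool:
        """Check the answer; only a success retires the challenge, failures count toward lockout."""
        if self.locked:
            return False
        pin_pos, pwd_pos = self.challenge()
        expected = "".join(self._pin[i] for i in pin_pos) + "".join(self._password[i] for i in pwd_pos)
        # Constant-time comparison so response timing does not reveal which character was wrong.
        if hmac.compare_digest(expected.encode(), (pin_chars + password_chars).encode()):
            self._failed = 0
            self._challenge = None  # next login gets freshly chosen positions
            return True
        self._failed += 1
        if self._failed >= self._max_failed:
            self.locked = True
        return False


def answer(login: PartialCredentialLogin, pin: str, password: str):
    """What the legitimate user types: the requested characters picked out of the full secrets."""
    pin_pos, pwd_pos = login.challenge()
    return "".join(pin[i] for i in pin_pos), "".join(password[i] for i in pwd_pos)


def guess_spaces():
    """The two search spaces from the text: a full eight-character mixed-case alphanumeric
    password, versus one PIN digit plus three characters of that password."""
    return 62 ** 8, 10 * 62 ** 3


def replay_reuse_probability(pin_len: int = 4, password_len: int = 8) -> float:
    """Chance that the next challenge asks for exactly the positions a keylogger already saw."""
    return 1 / (math.comb(pin_len, PIN_POSITIONS) * math.comb(password_len, PASSWORD_POSITIONS))


if __name__ == "__main__":
    account = PartialCredentialLogin("4821", "correcthorse")  # constructed sample secrets
    print("challenge positions:", account.challenge())
    print("login ok:", account.submit(*answer(account, "4821", "correcthorse")))
    full, partial = guess_spaces()
    print(f"full password: 1 in {full:,}; partial: 1 in {partial:,}")
    print(f"fresh challenge repeats captured positions: 1 in {1 / replay_reuse_probability():.0f}")
```

The design point is the `_challenge = None` reset living only on the success path: if a failed attempt or a page reload could draw new positions, an attacker holding a few captured characters could simply retry until the positions they know are requested, which is exactly the weakness the paragraph above describes.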

The one downside is that logging in is inconvenient, since you have to mentally count to the right character in your password before entering it. Still, NatWest’s login requirements ought to be considered industry best practice. I hope to see more banks adopt the technique.


Don’t settle for weak passwords

If you want a simple way to create, store, and use strong passwords, get Password Safe. You need only remember one password — the master password that grants access to your password database. Making a suitable password is easy, as I’ve written about before.

Slate has an article this month that gives similar advice for making passwords. It’s worth reading for the examples, and I like the suggestion for creating a password that can be altered slightly every few months so frequent password-changers don’t have to memorize a completely new one.


The weakest link

As always, a company’s security is only as good as its weakest link. Often, social engineering is the easiest way in for someone who wants to steal passwords or account information. Password reset procedures are pretty bad, too (“What is the name of the street where you grew up”? Give me a break).

Here is a sad combination example. I doubt the companies discussed are outliers in terms of their security standards.


Contact scraping

Any site that asks for a username and password pertaining to another site should raise red flags for you, but apparently contact scraping is getting results:

Once you enter your credentials, like your [email] user name or password, the company sweeps through your contact list and sends everyone an invitation to join the site.

Nothing new here, but the tactic can be tough to spot. Facebook has nearly tricked me into giving up all of my email contacts a couple of times.


What’s your secret question (Part III)

If your secret question is easier to guess than your password, your password is effectively useless. From the abstract of a recent Microsoft research paper:

All four of the most popular webmail providers – AOL, Google, Microsoft, and Yahoo! – rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers.

Since you often need to provide answers to secret questions when signing up for online accounts, I suggest using strings like “lJOcK6gS”. You can employ something like Password Safe to generate those strings and store them.

