Nowadays I pay all my credit cards online (though I still like the paper statements as a permanent record). I check my bank balance online also.
This is very convenient except when it isn't. Far too often I am asked to re-register my computer. My credit union has done this every time I've accessed my account since I got new Mac Mini last year. I don't know why it keeps asking me this. It's very inconvenient. In order that it would not do this, and for similar concerns, I've given up trying to block cookies. I keep my cookies wide open because if I don't, I can't do important things I need to do. So much for security... But even with my cookies wide open it is not remembering my having registered this computer. But when I called the office, they said they did use cookies, and for it to remember my registering this computer I should keep my cookies open, so I still do, even though it doesn't actually seem to work.
OK, so a few times each month my credit union website asks me to re-register my computer. In order to do this, it either asks me an obscure question, or it sends me an email. Either one is bad. I did not choose these questions, such as "What City was your mother born in?" I would not have chosen a question like that because even I don't know the answer. My mother was born in Canada in a rural area to at least one US citizen who died in childbirth, then was adopted by her uncle who lived right across the border. So I might have given her uncle's city. But wait, I've only known her uncle to live in one city, but he moved there after my mother was born. So I can't even remember which approximate answer I gave. Did I give the city he lived in when my mother was first adopted, or slightly later? I don't even always remember the name of the first place (a tiny settlement), but I do remember the later one. So I must have given that. But wait, I might have alternatively given the name of the Canadian province she actually was born in. I seem to recall doing that a few times also.
Ultimately this isn't about knowing certain key (but perhaps unknown) facts about my life, but remember the particular way I answered them in a hurried and tense moment some time in the past, when my account asked me to answer these questions for enhanced security before I could check my balance that time.
Another example of this is my high school. Suppose my high school were Franklin Delano Roosevelt High School. Did I answer "Roosevelt" ? That would be simple, but also ambiguous. So then did I answer Franklin Roosevelt, Franklin D. Roosevelt, Franklin Delano Roosevelt, FD Roosevelt, F. D. R., FDR, etc. ??? And then even if I remember that I simply answered Roosevelt, did I say Roosevelt High School, Roosevelt HS, or just Roosevelt?
Nearly every single question like this has issues like this, there are many ways I could have answered the question, and what these "security questions" are really doing is forcing me to remember the specific way I answered them on some previous occasion.
I suppose I should just do the email option, but to do the email I need to access my work email account, since that's the one I always use for important stuff, and to do that from home I need to use the webmail interface. This is sufficiently inconvenient that I'm always tempted to use the "answer questions" option. I shouldn't, because far too often, including today, giving a wrong answer can be a path to being locked out of my account altogether and having to make a phone call during business hours which is not usually when I'm doing my banking.
OK, that's the run around with the "computer registration" feature which sometimes pops up, or in the case of my credit union, seems to always pop up. But I also have trouble with the passwords.
Nowadays one has to keep in mind or somehow a large set of passwords for all the things one wants to access via computer. A friend of mine has a written list. I don't want to depend on the physical world like that for a simple reason. I can never find anything in the physical world! If I ever wrote a list (and in fact, I did try to do that several times) the first thing that would happen would be that I would not be able to find the list. And especially I would not be able to find the list when I had to add some new password to it. So I would start another list. OK, you can see how this is not going to work.
So instead I have a tricky way of creating passwords for things depending on what those things are called. That is what has actually worked for me over the last 15 years. But there are several problems there also. For one, not all accounts permit the same special characters. So then I had to remember alternate rules for different accounts. Where I couldn't use @ I'd use A instead, and so on.
Then, in addition, there's a question of what things were called when I created passwords to them. For example, for Rolling Heights Credit Union did I use the name "Rolling Heights" or "Credit Union"?
I normally remember these things well enough. But sometimes it takes more than one login attempt. Sheer paranoia is behind the requirement that you get your password correct in just 3 attempts. If it's a decent password, you don't make it significantly less secure by allowing 50 login attempts, and that is one of my recommendations here. Because if for some reason I can't exactly remember how I created a particular password in just three attempts, my effort to pay my bills is thwarted, perhaps to be forgotten about the next week.
Discover Card has another trick. If you don't get your password correct on the very first attempt, it then erases your actual login name (remembered from the last visit) so you have to enter that as well. And that is another thing I don't always remember. I try to create usernames following certain rules, but often I can't choose the name I want and have to bend those rules.
All this was taken to another level with the credit analysis service MyFico. They had enormously long pass codes that you could not cut and paste but had to enter in by hand and get exactly correct, in a certain number of minutes, and all sorts of other impossibilities similar to the above. I accessed the service twice and couldn't manage to do it ever again. And it didn't help that my work email kept changing (not by my choice) during this process. The service nicely re-billed itself to my credit card for the second year when I hadn't been able to use it in 10 months. Finally, after two or three years of being unable to access the service, I got them to cancel it, somehow.
Anyway, I mention MyFico because that was my worst experience ever maintaining online access. Discover Card and my credit union are slightly less paranoid than MyFico. The most useable online services have been Chase and AT&T Universal Card (aka Citibank). Chase has only bothered me a few times with the "register this computer" (for the umpteenth time) crap, but not so much as my Credit Union. Citibank even fewer times.
One other thing I totally detest is that whenever there is a re-register your computer or other similar incident, you then have to choose a brand new password. Even though there was no indication that my (quite strong) password was compromised in any way (if anything it was too strong, and I couldn't even remember it) I can't use that password anymore and have to create a new one. So then I go back to my rules and figure out a new way to parse the name of the institution, and then try to keep track of that change in my mind.
I don't think a strong password should ever need to be changed, unless there is some actual evidence it needs to be changed. If you couldn't remember it, that is evidence it's a good password.
Well on top of all of the above, sometimes the login/re-register systems aren't even logically coherent. They ask you to do something, you do it correctly to the letter, and then that still doesn't work. That happened to me today with my credit union online. It started out with the re-register your computer thing. Rather than figure out the correct answer to "what city was your mother born it" I asked for it to send an email. It sent me a link, I clicked on the link, and it brought me right back to the login/password thing, then after that I was right back to the re-register your computer by answering this question, what city was your mother born it? So the link had done nothing to advance my situation.
After some messing with this, I was finally locked out of my account. I called the office, and they said they would unlock my account and send me a temporary password. Well, they sent me a link, but the email they sent me did not include a temporary password, just a link. I clicked on the link and it brought me to the login/password dialog and I was stuck again. So I called a second time, and this time they gave me a new password over the phone, and "reset" my online password. Finally, that worked, when I entered the temporary password it immediately asked me to enter a new password. I tried the last good and strong password I had long used, but it wouldn't let me use any password that I had used before. So I had to change my way of naming them again, so I could create a password I had never used before, and I wrote it down on a few pieces of paper so I won't forget, but probably will.
This is very convenient except when it isn't. Far too often I am asked to re-register my computer. My credit union has done this every time I've accessed my account since I got new Mac Mini last year. I don't know why it keeps asking me this. It's very inconvenient. In order that it would not do this, and for similar concerns, I've given up trying to block cookies. I keep my cookies wide open because if I don't, I can't do important things I need to do. So much for security... But even with my cookies wide open it is not remembering my having registered this computer. But when I called the office, they said they did use cookies, and for it to remember my registering this computer I should keep my cookies open, so I still do, even though it doesn't actually seem to work.
OK, so a few times each month my credit union website asks me to re-register my computer. In order to do this, it either asks me an obscure question, or it sends me an email. Either one is bad. I did not choose these questions, such as "What City was your mother born in?" I would not have chosen a question like that because even I don't know the answer. My mother was born in Canada in a rural area to at least one US citizen who died in childbirth, then was adopted by her uncle who lived right across the border. So I might have given her uncle's city. But wait, I've only known her uncle to live in one city, but he moved there after my mother was born. So I can't even remember which approximate answer I gave. Did I give the city he lived in when my mother was first adopted, or slightly later? I don't even always remember the name of the first place (a tiny settlement), but I do remember the later one. So I must have given that. But wait, I might have alternatively given the name of the Canadian province she actually was born in. I seem to recall doing that a few times also.
Ultimately this isn't about knowing certain key (but perhaps unknown) facts about my life, but remember the particular way I answered them in a hurried and tense moment some time in the past, when my account asked me to answer these questions for enhanced security before I could check my balance that time.
Another example of this is my high school. Suppose my high school were Franklin Delano Roosevelt High School. Did I answer "Roosevelt" ? That would be simple, but also ambiguous. So then did I answer Franklin Roosevelt, Franklin D. Roosevelt, Franklin Delano Roosevelt, FD Roosevelt, F. D. R., FDR, etc. ??? And then even if I remember that I simply answered Roosevelt, did I say Roosevelt High School, Roosevelt HS, or just Roosevelt?
Nearly every single question like this has issues like this, there are many ways I could have answered the question, and what these "security questions" are really doing is forcing me to remember the specific way I answered them on some previous occasion.
I suppose I should just do the email option, but to do the email I need to access my work email account, since that's the one I always use for important stuff, and to do that from home I need to use the webmail interface. This is sufficiently inconvenient that I'm always tempted to use the "answer questions" option. I shouldn't, because far too often, including today, giving a wrong answer can be a path to being locked out of my account altogether and having to make a phone call during business hours which is not usually when I'm doing my banking.
OK, that's the run around with the "computer registration" feature which sometimes pops up, or in the case of my credit union, seems to always pop up. But I also have trouble with the passwords.
Nowadays one has to keep in mind or somehow a large set of passwords for all the things one wants to access via computer. A friend of mine has a written list. I don't want to depend on the physical world like that for a simple reason. I can never find anything in the physical world! If I ever wrote a list (and in fact, I did try to do that several times) the first thing that would happen would be that I would not be able to find the list. And especially I would not be able to find the list when I had to add some new password to it. So I would start another list. OK, you can see how this is not going to work.
So instead I have a tricky way of creating passwords for things depending on what those things are called. That is what has actually worked for me over the last 15 years. But there are several problems there also. For one, not all accounts permit the same special characters. So then I had to remember alternate rules for different accounts. Where I couldn't use @ I'd use A instead, and so on.
Then, in addition, there's a question of what things were called when I created passwords to them. For example, for Rolling Heights Credit Union did I use the name "Rolling Heights" or "Credit Union"?
I normally remember these things well enough. But sometimes it takes more than one login attempt. Sheer paranoia is behind the requirement that you get your password correct in just 3 attempts. If it's a decent password, you don't make it significantly less secure by allowing 50 login attempts, and that is one of my recommendations here. Because if for some reason I can't exactly remember how I created a particular password in just three attempts, my effort to pay my bills is thwarted, perhaps to be forgotten about the next week.
Discover Card has another trick. If you don't get your password correct on the very first attempt, it then erases your actual login name (remembered from the last visit) so you have to enter that as well. And that is another thing I don't always remember. I try to create usernames following certain rules, but often I can't choose the name I want and have to bend those rules.
All this was taken to another level with the credit analysis service MyFico. They had enormously long pass codes that you could not cut and paste but had to enter in by hand and get exactly correct, in a certain number of minutes, and all sorts of other impossibilities similar to the above. I accessed the service twice and couldn't manage to do it ever again. And it didn't help that my work email kept changing (not by my choice) during this process. The service nicely re-billed itself to my credit card for the second year when I hadn't been able to use it in 10 months. Finally, after two or three years of being unable to access the service, I got them to cancel it, somehow.
Anyway, I mention MyFico because that was my worst experience ever maintaining online access. Discover Card and my credit union are slightly less paranoid than MyFico. The most useable online services have been Chase and AT&T Universal Card (aka Citibank). Chase has only bothered me a few times with the "register this computer" (for the umpteenth time) crap, but not so much as my Credit Union. Citibank even fewer times.
One other thing I totally detest is that whenever there is a re-register your computer or other similar incident, you then have to choose a brand new password. Even though there was no indication that my (quite strong) password was compromised in any way (if anything it was too strong, and I couldn't even remember it) I can't use that password anymore and have to create a new one. So then I go back to my rules and figure out a new way to parse the name of the institution, and then try to keep track of that change in my mind.
I don't think a strong password should ever need to be changed, unless there is some actual evidence it needs to be changed. If you couldn't remember it, that is evidence it's a good password.
Well on top of all of the above, sometimes the login/re-register systems aren't even logically coherent. They ask you to do something, you do it correctly to the letter, and then that still doesn't work. That happened to me today with my credit union online. It started out with the re-register your computer thing. Rather than figure out the correct answer to "what city was your mother born it" I asked for it to send an email. It sent me a link, I clicked on the link, and it brought me right back to the login/password thing, then after that I was right back to the re-register your computer by answering this question, what city was your mother born it? So the link had done nothing to advance my situation.
After some messing with this, I was finally locked out of my account. I called the office, and they said they would unlock my account and send me a temporary password. Well, they sent me a link, but the email they sent me did not include a temporary password, just a link. I clicked on the link and it brought me to the login/password dialog and I was stuck again. So I called a second time, and this time they gave me a new password over the phone, and "reset" my online password. Finally, that worked, when I entered the temporary password it immediately asked me to enter a new password. I tried the last good and strong password I had long used, but it wouldn't let me use any password that I had used before. So I had to change my way of naming them again, so I could create a password I had never used before, and I wrote it down on a few pieces of paper so I won't forget, but probably will.
No comments:
Post a Comment