firecat: red panda, winking (Default)
[personal profile] firecat
I have a mortgage and I pay it online. When I log into the account, this is what usually happens:

1. They demand that I change my password to something different from what it was before. So I do it. I believe that the strongest passwords include letters, numbers, and symbols. So I enter a password like that. Then they tell me I can't use any symbols. So I have to redo it to something less secure.

I have a program that stores all my passwords now, but before I had that, I had trouble remembering what password I was using for this site (because I constantly had to change it and couldn't use symbols) and I kept having to call them up and get them to reset the account.

2. They demand that I answer a "security question" that I previously set up.

3. When I confirm my payment, they demand that I enter the last 4 digits of my social security number.

This seems ridiculous, especially since a mortgage account ONLY INVOLVES MY GIVING THEM MONEY. I can see reasons for using multi-factor security to protect checking accounts and credit accounts, but I can't think of any reason for someone to hack into a mortgage account.

Date: 30 Jul 2011 09:19 pm (UTC)
zeborah: Map of New Zealand with a zebra salient (irony)
From: [personal profile] zeborah
Yeah, both my bank and my workplace refuse to allow symbols in the passwords, which is a blasted nuisance for me, because my standard password-creating algorithm (which creates passwords which are easy for me to remember but still unique to most sites) requires symbols. At the same time, one scientific database I use at work insists on including symbols. I tried arguing about it with both bank and work, but they fed me the "Symbols don't make nearly as large a difference to hackability as length of password does" line, which upon further research I discover to be true, but which isn't my point anyway.

The same research also uncovered that changing one's password at regular intervals makes *no bloody difference at all* and hasn't since something like the paleolithic era. You could attempt to argue this with your bank but I doubt they'd listen.

Date: 30 Jul 2011 10:13 pm (UTC)
evilawyer: young black-tailed prairie dog at SF Zoo (Default)
From: [personal profile] evilawyer
one scientific database I use at work insists on including symbols

Really? This goes to fortify my belief that science is truer (or at least more honest) than business. And less focused on trying to make us trust it than business (and government, and everything else) is. "Change that password and make it long. We're only looking out for you when we tell you to do this." Looking out for me, and trying to lull me into the Orwellian era. Thanks, fellas. Glad I have that coffee can I stuff money into.

Date: 31 Jul 2011 12:15 am (UTC)
zeborah: On the shoulders of giants: zebra on a giraffe (science)
From: [personal profile] zeborah
In this case it's because they're highly protective of their data - it's one of the few databases where the institution has to pay megabucks just for a single 'seat' (ie only one person at a time can use the database) - we can afford four seats, but this still of course makes students' eyebrows raise when I explain it. Oh and every single time you log in you have to agree to their terms and conditions. Every. Single. Time. And you have to register with your institutional email address to get access (most databases trust the institution to do the authenticating for them, using IP addresses / proxies / whatever; this one requires that and registration). So I'm not overly fond of their practices in this case, but I'm unfond in different ways than I'm unfond of bank practices.

Date: 31 Jul 2011 03:22 am (UTC)
evilawyer: young black-tailed prairie dog at SF Zoo (Default)
From: [personal profile] evilawyer
But their data is about the members of the public (institutional entities included). Just like the banks' coveted data. Which is fine --- a commodity is a commodity and there has been no privacy for decades at the least --- but I've been depressingly finding of late, a fact that many people don't realize or, worse still, understand this fact. "I have Ad Block. I don't care about their ads" or "I only bank on-line when it's absolutely necessary" or "I only do things on the website if I don't have time to get down to the administration office." I'm happy for whatever "protection" any institution affords me. It's just that I hate the thought that they want me to think that it's all an altruistic exercise designed to protect me and other consumers without any sort of benefit to the institution.

Date: 31 Jul 2011 12:57 am (UTC)
zeborah: Zebra with stripes falling off (stress and confusion)
From: [personal profile] zeborah
I just get annoyed because the only reason to specifically disallow them is because you're such a sucky coder that you don't know how to escape them properly. And if you're that sucky a programmer then you shouldn't be programming a bank's customer service interface.

Date: 1 Aug 2011 12:36 am (UTC)
amadi: A bouquet of dark purple roses (Default)
From: [personal profile] amadi
This is exactly what I'm thinking. I'm reminded of the trick, if you use Gmail, you can do myaddress+variable@gmail.com and whatever it is on the right side of the + is irrelevant toward getting the mail to you, but can be used to track if businesses or organizations are selling/sharing your email and also for labels. But countless places won't allow the + because their programmers couldn't be bothered to escape for any symbols in email addresses beyond . and @.

My bank is one such place. It's frustrating. But they give otherwise good service so I stick with them in hopes that they'll eventually hire a better programmer.
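
An added example, not part of the original post or comments and not any bank's code: the point raised in the comments above about symbols in passwords and "+" in e-mail addresses, shown as an account store that hashes the password and binds the e-mail as a query parameter, so no character has to be banned or escaped by hand. The table layout, function names, iteration count and sample values are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example

# Constructed sample values: a plus-addressed e-mail and a symbol-heavy password.
SAMPLE_EMAIL = "reader+bank@example.com"
SAMPLE_PASSWORD = "c0rrect'horse\"battery;staple--&<%+"


def open_db():
    """Hypothetical schema: one users table in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def hash_password(password, salt):
    # Only the derived bytes are stored, so the password's characters
    # never reach SQL, HTML or a log line as text.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(db, email, password):
    salt = os.urandom(16)
    # "?" placeholders bind values as data: quotes, "+" and ";" need no escaping.
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               (email, salt, hash_password(password, salt)))


def login(db, email, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def user_count(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    register(db, SAMPLE_EMAIL, SAMPLE_PASSWORD)
    print(login(db, SAMPLE_EMAIL, SAMPLE_PASSWORD), user_count(db))
```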
