Thursday, December 07, 2006

Password Wars: Operation HSBC

So I've commented before (here and here) on how ridiculous and varied the rules on passwords have become on various internet sites. Well, the popular bank HSBC has introduced a new security feature for its customers that is making it even more difficult to sign in.

In addition to the standard username and password (which have naming restrictions in and of themselves), and your standard PIN number, HSBC now requires you to have a "Security Key" which is an even longer password (with its own naming restrictions).

You also have to answer two "Security Questions" which I guess I will be asked if I ever forget my password. But the majority of the questions are ones that you will never remember the answer to, such as my favorite "childhood cartoon character" or my favorite "tv show." I love Batman from the Animated Series, but was that my childhood? Should I pick Optimus Prime instead? Need I remind you that I will no doubt be having this existential debate with a bank representative on the phone when I'm locked out of my account and need money to pay a bill?

HSBC doesn't even let you input all of your login information on the same screen anymore. The first thing you are asked for when you log in is a screen that asks for your username only:

What takes the cake is the next page, in which you have to type (and remember) your original password and then--I kid you not--use a "Virtual Keyboard" to click in your new "Security Key." So now I have to sit there using my mouse to click on every letter in a password that they recommended should be upwards of 20 characters. It will give you an error message if you attempt to type in the password.

So why the limitation on not being able to type in the new "Security Key"? Is the bank worried that I have a keystroke recorder installed on my system? Well, I suppose that is one way to keep your password secure, although I'm not sure what genius thought it was going to be more secure to SHOW EVERYONE NEAR YOU what letters you are clicking on your screen.

Did this same person think it was a good idea to basically quadruple the amount of time it takes to sign in? I figure if HSBC is so dedicated to security, they should give their customers a USB retinal scanner. Of course, a retinal scan won't be enough security in and of itself for HSBC, who will then ask me for my mother's maiden name and what her favorite sitcom of the 1980's was.

1 comment:

Anonymous said...

Pretty funny. B of A has a new(ish) system too, wherein their page shows you a picture that you have preselected (which they call a sitekey), and only when you see this picture do you know it's safe to type in your password. Apparently they are worried about phony B of A pages cropping up in order to steal people's passwords. It doesn't really bother me because it doesn't add any more steps to the login process, and it makes sense as a simple way to beef up security a little bit. It wouldn't seem to protect against whatever your bank is apparently worried about.

By the way, if given an option, Optimus Prime is always the right answer.