Author Topic: On line banking remembering codes and memorable names  (Read 3910 times)

On line banking remembering codes and memorable names
« on: 31 July, 2019, 10:05:10 am »
I managed to forget or mix up a bank card pin code yesterday

Then when I phoned the bank today I was asked for an access no. and when I couldn't remember this I was asked for a variety of memorable names and dates I'd previously provided.

You can probably guess - I managed 1 out of 4, the others I had no idea.

I can't be the only person with this problem. For now they've all been reset & I've saved them in a password protected file (it's a good password which I can remember). Any other suggestions on how to cope with this would be welcome.

It doesn't help that for work I have to remember key codes for several doors, and have a dozen usernames and passwords, many of which I'm required to change every 8-10 weeks. Remembering abstract names and numbers has never been my forte.

Re: On line banking remembering codes and memorable names
« Reply #1 on: 31 July, 2019, 10:07:52 am »
LastPass ?
I think you'll find it's a bit more complicated than that.

Re: On line banking remembering codes and memorable names
« Reply #2 on: 31 July, 2019, 10:21:56 am »
For home/personal stuff, write it all down on a piece of paper in your desk drawer.

many of which I'm required to change every 8-10 weeks.

This is security theatre that any competent security professional will advise against doing, since it means passwords written down on post-its or constantly forgotten - and the more routinely you're resetting forgotten passwords, the easier it is to social engineer resetting someone else's. It's long been surpassed by two-factor authentication and suchlike.

In the unlikely event that you're in a position to ask them to stop this (in return for 2FA), please do so.

vorsprung

  • Opposites Attract
    • Audaxing
Re: On line banking remembering codes and memorable names
« Reply #3 on: 31 July, 2019, 10:53:33 am »
LastPass ?

or keepass or any of the encrypted thingies

trouble is that you replace the problem with "I can't remember the master password to my magic password safe"

postit notes are good :)

Re: On line banking remembering codes and memorable names
« Reply #4 on: 31 July, 2019, 11:29:23 am »
I'm mostly still using variations of a password that I was given by my then ISP "Global Internet" in around 1987'ish.  It was already ahead of its time as it was 8 characters, and a mixture of upper case, lower case and numbers.  I've added a "special" character, and swapped the upper and lower cases over the years and it mostly works. Except at work where I need both a bitlocker login and a 12 character password, changed quarterly.  ::-)

But yeah, post-its are good at home. I still sometimes have problems remembering stuff I set up for, say, phone contact with my bank - probably a once a year thing.

We are making a New World (Paul Nash, 1918)

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: On line banking remembering codes and memorable names
« Reply #5 on: 31 July, 2019, 11:34:56 am »
LastPass ?

or keepass or any of the encrypted thingies

trouble is that you replace the problem with "I can't remember the master password to my magic password safe"

postit notes are good :)

This is a good way. I have so many passwords (many hundreds) that the only way is to trust to a system like these. I use 1Password and it resides on my phone, tablet and computer. I keep passcodes, software licences, secure notes as well as passwords.

I can remember the master password.  :smug:
It is simpler than it looks.

Re: On line banking remembering codes and memorable names
« Reply #6 on: 31 July, 2019, 12:16:47 pm »
For home/personal stuff, write it all down on a piece of paper in your desk drawer.

many of which I'm required to change every 8-10 weeks.

This is security theatre that any competent security professional will advise against doing, since it means passwords written down on post-its or constantly forgotten - and the more routinely you're resetting forgotten passwords, the easier it is to social engineer resetting someone else's. It's long been surpassed by two-factor authentication and suchlike.

In the unlikely event that you're in a position to ask them to stop this (in return for 2FA), please do so.

Yes the security risk is patently obvious to anyone with a bit of sense. The only possible way to remember the numerous usernames and passwords, not to mention door codes, that we need to do our jobs is to write them down & the loss of that list could have potentially serious consequences. An added complication for me is that my regular shift is 10pm to 4:30am, if I have any I.T. issues at that time I'm stuffed.

I've spent the last 10 years pointing out to various managers that having multiple passwords that we have to regularly change is actually creating risk rather than preventing it. It's a pointless exercise though, but it eases my conscience.

Re: On line banking remembering codes and memorable names
« Reply #7 on: 31 July, 2019, 12:20:40 pm »
LastPass ?

or keepass or any of the encrypted thingies

trouble is that you replace the problem with "I can't remember the master password to my magic password safe"

postit notes are good :)

This is a good way. I have so many passwords (many hundreds) that the only way is to trust to a system like these. I use 1Password and it resides on my phone, tablet and computer. I keep passcodes, software licences, secure notes as well as passwords.

I can remember the master password.  :smug:

I do have a good master password that I believe to be a good one, i.e. I won't forget it but it's highly unlikely anyone else would figure it out.

Are apps like keepass any more or less secure than an open office document saved with password protection?

It's at least reassuring to know I'm not the only person who needs to use the post it and notepad approach & can't remember passwords on the rare occasions I find myself phoning the bank.

Cudzoziemiec

  • Ride adventurously and stop for a brew.
Re: On line banking remembering codes and memorable names
« Reply #8 on: 31 July, 2019, 12:30:36 pm »
LastPass ?

or keepass or any of the encrypted thingies

trouble is that you replace the problem with "I can't remember the master password to my magic password safe"

postit notes are good :)

This is a good way. I have so many passwords (many hundreds) that the only way is to trust to a system like these. I use 1Password and it resides on my phone, tablet and computer. I keep passcodes, software licences, secure notes as well as passwords.

I can remember the master password.  :smug:
And it's only one password which you don't have to change at someone else's say-so and might or might not contain lowercase, uppercase, numbers, special characters and anything else, at your decision.
Riding a concrete path through the nebulous and chaotic future.

Cudzoziemiec

  • Ride adventurously and stop for a brew.
Re: On line banking remembering codes and memorable names
« Reply #9 on: 31 July, 2019, 12:33:30 pm »
For home/personal stuff, write it all down on a piece of paper in your desk drawer.

many of which I'm required to change every 8-10 weeks.

This is security theatre that any competent security professional will advise against doing, since it means passwords written down on post-its or constantly forgotten - and the more routinely you're resetting forgotten passwords, the easier it is to social engineer resetting someone else's. It's long been surpassed by two-factor authentication and suchlike.

In the unlikely event that you're in a position to ask them to stop this (in return for 2FA), please do so.
My only encounter with two-factor authentication has been on things like voting forms for the AUK AGM or voter registration, and it hasn't made any sense to me. There are two passwords, random strings of numbers and letters, but they're printed next to each other on the same piece of paper. So what's the point in having two parts? Is this just a case of people doing it wrong?
Riding a concrete path through the nebulous and chaotic future.

Re: On line banking remembering codes and memorable names
« Reply #10 on: 31 July, 2019, 12:39:24 pm »
With online banking it seems to take the form of a text (or possibly email if you have no mobile signal at home) sent to you to enter onto the website.
We are making a New World (Paul Nash, 1918)

Cudzoziemiec

  • Ride adventurously and stop for a brew.
Re: On line banking remembering codes and memorable names
« Reply #11 on: 31 July, 2019, 12:42:02 pm »
Yes, I've used that, and IIRC you get the text after you've entered your card number etc. It's the "two parts" being on one sheet of paper that I can't see the point of.
Riding a concrete path through the nebulous and chaotic future.

Re: On line banking remembering codes and memorable names
« Reply #12 on: 31 July, 2019, 12:53:34 pm »
Yeah, proper 2FA the two things need to be separate, and the second thing needs to be an uncopiable physical object. So the bank card in chip and pin, or your phone in SMS authentication*, or the embedded code in one of these keyfob thingies.

(* the SMS network is insecure enough that it's not good enough for real security, but it's a hell of a lot better than not having it)

ian

Re: On line banking remembering codes and memorable names
« Reply #13 on: 31 July, 2019, 03:01:22 pm »
The mothership does 2FA now which is nice till your phone runs out of battery. For home, I used Keychain which works fine until it doesn't (why oh why does it only work for the browser but is unavailable for any other apps' password field). I also put them in a file secured away on an encrypted volume.

Re: On line banking remembering codes and memorable names
« Reply #14 on: 31 July, 2019, 05:31:10 pm »
LastPass seems to be a vulnerable attack vector*, KeePass allows you to store the data yourself and has versions for all platforms. I use an encrypted file synching on Dropbox for the purpose, with Win and Android clients, iOS are available too. Remember that ANY browser plug in is vulnerable and, again, a common attack vector and potentially hundreds of thousands of users, if not millions, use it. That would be the most likely attack for LastPass, use the plug in at your own risk. Conceptually, copy and paste, while being a little more long winded, is a LOT safer.



*That is, it is a prime site for attack and people WILL be putting in effort to see if it can be done. By contrast a 256bit encrypted file in your own space isn't worth attacking.


Re: On line banking remembering codes and memorable names
« Reply #15 on: 31 July, 2019, 05:33:41 pm »
On 2FA, it isn't that well known but both Paypal and Amazon support 2FA, using Google Authenticator app, as does Google but that is better known. If you aren't using 2FA, don't moan when you are hacked.

ian

Re: On line banking remembering codes and memorable names
« Reply #16 on: 31 July, 2019, 08:47:14 pm »
I forgot to say that all memorable questions are anything but. And when you do remember them the machine says no. But it was my first pet, you'll bleat. No, the machine will demand, the goldfish you had when you were three.

Banks are the worst, it's like recovering the first 20 years of your life, then having to remember a passcode, PIN, secret code and first, third, and fiftieth letter of a password that must now include at least one hieroglyph.

citoyen

  • Occasionally rides a bike
Re: On line banking remembering codes and memorable names
« Reply #17 on: 31 July, 2019, 09:55:54 pm »
2FA makes me laugh. I enter my password then it sends a code to my phone.

Of course, I’ve got iMessage synced to my desktop so the code pops up on my screen right next to the box I need to enter it into... :facepalm:
"The future's all yours, you lousy bicycles."

Paul

  • L'enfer, c'est les autos.
Re: On line banking remembering codes and memorable names
« Reply #18 on: 31 July, 2019, 10:04:35 pm »
Keep Ass?
What's so funny about peace, love and understanding?

Re: On line banking remembering codes and memorable names
« Reply #19 on: 31 July, 2019, 10:23:20 pm »
2FA makes me laugh. I enter my password then it sends a code to my phone.

Of course, I’ve got iMessage synced to my desktop so the code pops up on my screen right next to the box I need to enter it into... :facepalm:

And the problem with 2FA is?

The overwhelming majority of password compromises involve someone stealing your credentials; as long as they don't have your phone you have more than a small degree of security, even if you have chosen to echo text messages onto your desktop. Although, please note that many 2FA will support Google Authenticator (or other 2-step validation, there are several) which is what I suggest to use.

citoyen

  • Occasionally rides a bike
Re: On line banking remembering codes and memorable names
« Reply #20 on: 31 July, 2019, 10:42:11 pm »
And the problem with 2FA is?

That it won't save me if someone has access to my desktop because my passwords are saved by my web browser and iMessage is synced to my desktop. So if I leave my desktop unlocked while I get up to pick up something from the printer or make a coffee... well, really, I might as well have my passwords on post-it notes. I'm a fucking idiot.

I suppose that if I have my phone on me, I will at least get fair warning that someone is logging in to my accounts.
"The future's all yours, you lousy bicycles."

Re: On line banking remembering codes and memorable names
« Reply #21 on: 31 July, 2019, 11:07:00 pm »
2FA means if someone intercepts your password but doesn't have your machine then the password is useless. That's the whole point.

If a hacker has physical access to your machine then that's a whole different set of security measures.

(does the iMessage sync thing work if your phone is off or not in the vicinity?)

citoyen

  • Occasionally rides a bike
Re: On line banking remembering codes and memorable names
« Reply #22 on: 31 July, 2019, 11:33:16 pm »
(does the iMessage sync thing work if your phone is off or not in the vicinity?)

Yes. It's synced to the account, not the phone itself.

I'm not saying there's anything wrong with 2FA per se, just highlighting that it is not a panacea, for the simple reason that people (ie not just me) are idiots when it comes to security.

I must get back into the habit of locking my screen every time I leave my desk...
"The future's all yours, you lousy bicycles."

Re: On line banking remembering codes and memorable names
« Reply #23 on: 01 August, 2019, 07:37:39 am »
Well, yes, and the simple fact is that 2FA does add to your security, almost however much you try to thwart it.

There are two prime attack vectors used.

The first is the easiest, where people use the same password on all online accounts. Look at https://haveibeenpwned.com/ - I'll have a shilling that you are there, I know I am. It doesn't bother me as I don't use a single password on all sites. OK, OK, I know I do for all sites that don't matter, and it isn't even a particularly strong one. That's the username password pair they've got. If I appear on here selling viagra at a special price, you will know that hackers are taking advantage of my security failing. Either that or my $Megacorp employer has decided they no longer need my services.

The second is likely the greatest threat, that you are the victim of malware. Either through a compromised website, or spear phishing (where you receive a targeted phishing attack tailored to you, eg an eMail from a mate saying "You won't believe the price of this bike, click here") your activity gets logged and sent to a central server, where they use your credentials to attempt to log in. 2FA stops this, dead.

Sure leaving your computer unlocked in a semi public environment is a risk, but it is minimal. To benefit, the attacker would have to sit in your place, use your computer for a reasonable period of time which is a risk. It is much more likely that anyone bent on harm will simply install a keylogger and we're back to #2.

Ultimately, if you walk outside your front door leaving it wide open and your valuables on show, you can't really blame the insurance company for the locks they insisted you have failing to work.

Re: On line banking remembering codes and memorable names
« Reply #24 on: 01 August, 2019, 08:45:07 am »
I started using the SecurEnvoy authenticator app at work for remote access then realised it can be used for Google and Amazon.  It is great.  No waiting for an SMS, just open the app and enter the 6 digit code.  Unless you actually have my phone and know my pin code I should be safe.