Secure logins that aren’t secure
I’m becoming more irritated by organisations who are failing to understand that their secure login systems are anything but.
Any organisation that provides me with a ‘secret’ number or a passphrase (or restricts what passphrase I can use) that I have to remember to log in is effectively putting my data at risk by forcing me to write that passphrase down. I can remember the PIN for my debit card and another one for my credit card (the password for my email is easy as I use it every day); being asked to remember 2 more numbers (not of my choosing) for an online account I use once every 6 months… Why would I? How could I? So I write it down… and remove any semblance of security!
If they can’t pick up on the OpenID movement, couldn’t they at least have the decency to let me choose my own damn password?
“Verified by Visa” is a case in point. They force you to make a password decision at the point of sale and then expect you to remember it next time you try to buy something with your Visa card at a merchant who is a member of the scheme… if you can’t remember it, well… oh dear… presumably an alarm goes off in Visa HQ and 5 minutes later the fraud squad kick your door down!
I’d like to see security that asks you to play a little 2-minute game that involves a load of bifurcating choices and that in the end shows you a simple memorable image. Then when you need to verify yourself you give your basic details (e.g. card number) and it shows you 50 images including yours. That seems way more secure to me.