
Using SMS for password reset.

Started by Sylvia Else <sylvia@email.invalid>
First post 2024-01-30 19:22 +1100
Last post 2024-01-31 13:32 +1100
Articles 20 on this page of 27 — 13 participants



Contents

  Using SMS for password reset. Sylvia Else <sylvia@email.invalid> - 2024-01-30 19:22 +1100
    Re: Using SMS for password reset. Dan Purgert <dan@djph.net> - 2024-01-30 10:39 +0000
      Re: Using SMS for password reset. Sylvia Else <sylvia@email.invalid> - 2024-01-30 21:57 +1100
        Re: Using SMS for password reset. Bruce Horrocks <07.013@scorecrow.com> - 2024-02-06 23:47 +0000
          Re: Using SMS for password reset. "Kerr-Mudd, John" <admin@127.0.0.1> - 2024-02-07 10:31 +0000
          Re: Using SMS for password reset. Ian <gay@sfuu.ca> - 2024-02-07 15:03 -0800
      Re: Using SMS for password reset. Spiros Bousbouras <spibou@gmail.com> - 2024-01-30 14:33 +0000
        Re: Using SMS for password reset. D <nospam@example.net> - 2024-01-30 16:38 +0100
        Re: Using SMS for password reset. Julieta Shem <jshem@yaxenu.org> - 2024-01-30 13:39 -0300
          Re: Using SMS for password reset. Mike Spencer <mds@bogus.nodomain.nowhere> - 2024-01-30 19:56 -0400
            Re: Using SMS for password reset. Julieta Shem <jshem@yaxenu.org> - 2024-01-31 17:57 -0300
        Re: Using SMS for password reset. Dan Purgert <dan@djph.net> - 2024-01-31 11:10 +0000
          Re: Using SMS for password reset. Sylvia Else <sylvia@email.invalid> - 2024-01-31 22:34 +1100
            Re: Using SMS for password reset. Dan Purgert <dan@djph.net> - 2024-02-01 15:16 +0000
          Re: Using SMS for password reset. Spiros Bousbouras <spibou@gmail.com> - 2024-01-31 12:06 +0000
            Re: Using SMS for password reset. Dan Purgert <dan@djph.net> - 2024-02-01 15:48 +0000
              Re: Using SMS for password reset. Spiros Bousbouras <spibou@gmail.com> - 2024-02-01 17:57 +0000
    Re: Using SMS for password reset. Rich <rich@example.invalid> - 2024-01-30 16:39 +0000
    Re: Using SMS for password reset. newsmaster@ausics.net - 2024-01-31 07:02 +1000
    Re: Using SMS for password reset. Sylvia Else <sylvia@email.invalid> - 2024-01-31 09:45 +1100
      Re: Using SMS for password reset. Rich <rich@example.invalid> - 2024-01-30 23:39 +0000
        Re: Using SMS for password reset. Bob Eager <news0009@eager.cx> - 2024-01-31 00:10 +0000
        Re: Using SMS for password reset. Julieta Shem <jshem@yaxenu.org> - 2024-01-30 22:30 -0300
          Re: Using SMS for password reset. kludge@panix.com (Scott Dorsey) - 2024-01-31 01:41 +0000
            Re: Using SMS for password reset. Julieta Shem <jshem@yaxenu.org> - 2024-01-30 23:09 -0300
              Re: Using SMS for password reset. D <nospam@example.net> - 2024-01-31 10:58 +0100
        Re: Using SMS for password reset. Sylvia Else <sylvia@email.invalid> - 2024-01-31 13:32 +1100



#23872 — Using SMS for password reset.

From: Sylvia Else <sylvia@email.invalid>
Date: 2024-01-30 19:22 +1100
Subject: Using SMS for password reset.
Message-ID: <l1rpu5FbrprU1@mid.individual.net>
This is really a rant - venting to release some of the frustration.

I'm in the process of selling my house, and I need somewhere secure to 
hold the proceeds. I decided I'd create an account with a bank I don't 
otherwise bank with, and interact online with it using a live-DVD on a 
system that has no storage. So no risk of key loggers or other hacks. 
I'd remember the strong password, and not have it written down anywhere.

Except that the banks insist on having a password reset option, 
validated using an SMS. This undermines my attempts at ensuring that the 
account remains secure.

I've tried telling banks (and other entities, indeed) that I don't want 
the ability to reset the password. No go, because such an option is not 
implemented in their systems.

Telcos in Australia have some quite strict rules regarding transfer of 
mobile phone numbers, but the rules still get broken, and frauds 
committed thereby.

If someone perpetrated a fraud as a consequence of the SMS password 
reset, I'd have a good case that it was a fraud against the bank, rather 
than against me, and that it was therefore the bank's loss.

Still, I'd rather not have to deal with it.

I looked at having a SecurID® device as 2FA. But guess what? It can be 
used to reset the password.

So I'm tearing my hair out. Why do banks have this huge blind-spot when 
it comes to resetting passwords?

Sylvia.



#23873

From: Dan Purgert <dan@djph.net>
Date: 2024-01-30 10:39 +0000
Message-ID: <slrnurhkif.2h7.dan@djph.net>
In reply to: #23872
On 2024-01-30, Sylvia Else wrote:
> This is really a rant - venting to release some of the frustration.
>
> I'm in the process of selling my house, and I need somewhere secure to 
> hold the proceeds. I decided I'd create an account with a bank I don't 
> otherwise bank with, and interact online with it using a live-DVD on a 
> system that has no storage. So no risk of key loggers or other hacks. 
> I'd remember the strong password, and not have it written down anywhere.

Until you don't remember it, then what?

Because let's face it, eventually we all forget the password.

-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860



#23874

From: Sylvia Else <sylvia@email.invalid>
Date: 2024-01-30 21:57 +1100
Message-ID: <l1s2vuFbs14U1@mid.individual.net>
In reply to: #23873
On 30-Jan-24 9:39 pm, Dan Purgert wrote:
> On 2024-01-30, Sylvia Else wrote:
>> This is really a rant - venting to release some of the frustration.
>>
>> I'm in the process of selling my house, and I need somewhere secure to
>> hold the proceeds. I decided I'd create an account with a bank I don't
>> otherwise bank with, and interact online with it using a live-DVD on a
>> system that has no storage. So no risk of key loggers or other hacks.
>> I'd remember the strong password, and not have it written down anywhere.
> 
> Until you don't remember it, then what?
> 
> Because let's face it, eventually we all forget the password.
> 

If I say I won't forget, you've no real reason to doubt me. There are 
many things that I've remembered for decades.

In the event that I really did forget, then I'd have to show up at one 
of the bank's offices with physical identity documents.

Sylvia.



#23921

From: Bruce Horrocks <07.013@scorecrow.com>
Date: 2024-02-06 23:47 +0000
Message-ID: <21fdd84d-2c6d-4a18-baa5-6d749e4ea0c4@scorecrow.com>
In reply to: #23874
On 30/01/2024 10:57, Sylvia Else wrote:
> On 30-Jan-24 9:39 pm, Dan Purgert wrote:
>> On 2024-01-30, Sylvia Else wrote:
>>> This is really a rant - venting to release some of the frustration.
>>>
>>> I'm in the process of selling my house, and I need somewhere secure to
>>> hold the proceeds. I decided I'd create an account with a bank I don't
>>> otherwise bank with, and interact online with it using a live-DVD on a
>>> system that has no storage. So no risk of key loggers or other hacks.
>>> I'd remember the strong password, and not have it written down anywhere.
>>
>> Until you don't remember it, then what?
>>
>> Because let's face it, eventually we all forget the password.
>>
> 
> If I say I won't forget, you've no real reason to doubt me. There are 
> many things that I've remembered for decades.

I don't doubt you, but your ability to remember a password that isn't 
easily guessable and isn't re-used on multiple sites puts you in the top 
0.1% of the population. Banks, however, have to deal with the remaining 
99.9% as well.

> In the event that I really did forget, then I'd have to show up at one 
> of the bank's offices with physical identity documents.

That's the last thing they want people doing. Imagine going into the 
bank to find that there are 15 people ahead of you in the queue, all 
waiting to go through a 5 minute process of showing documents to prove 
their identity to get their password changed.

The banks don't want to pay their staff to change passwords, they want 
to pay them to sell you a new savings account or to take out a loan.

FWIW my bank in the UK gives out a free card reader device, a bit like a 
pocket calculator, for their 2FA system. To use it you insert your bank 
card, enter your card pin, which it validates using the chip in the chip 
& pin card and then displays an 8 digit number to enter into the website.

You use this to log in initially (so no password to remember) and then 
to re-authenticate prior to carrying out any sensitive actions such as 
making a payment or changing personal details.

-- 
Bruce Horrocks
Surrey, England
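The card reader Bruce describes is a challenge-response token: the PIN is checked by the chip, the card key never leaves it, and the bank checks the displayed code against its own copy of that key, so there is no code in transit over the phone network for a SIM-swap to capture. The following is an added example, not code from this thread or from any bank: it models that flow with HOTP (RFC 4226, HMAC-SHA1, truncated to 8 digits) as a stand-in for the proprietary EMV CAP algorithm real readers use; the card key is the RFC 4226 test secret and the PIN, lockout limit and look-ahead window are constructed assumptions.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed values for the example. The RFC 4226 test secret stands in for the
# per-card key that, on a real chip & PIN card, never leaves the chip.
CARD_SECRET = b"12345678901234567890"
CARD_PIN = "4321"          # constructed; checked by the card offline, never sent to the bank
DIGITS = 8                 # the reader in the thread displays an 8-digit number
MAX_PIN_TRIES = 3          # assumed lockout limit


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


class CardReader:
    """Reader plus chip: validates the PIN offline, then releases one code per press."""

    def __init__(self, secret: bytes, pin: str, max_tries: int = MAX_PIN_TRIES):
        self._secret = secret
        self._pin = pin
        self._counter = 0
        self._max_tries = max_tries
        self._tries_left = max_tries

    def generate(self, pin_entered: str) -> Optional[str]:
        """Return an 8-digit code, or None if the PIN is wrong or the card is locked."""
        if self._tries_left == 0:
            return None                                  # card locked after repeated wrong PINs
        if not hmac.compare_digest(pin_entered.encode(), self._pin.encode()):
            self._tries_left -= 1
            return None
        self._tries_left = self._max_tries
        code = hotp(self._secret, self._counter)
        self._counter += 1                               # every press consumes a counter value
        return code


class BankVerifier:
    """Bank side: holds its copy of the card key and the next counter it will accept."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self._secret = secret
        self._next_counter = 0
        self._look_ahead = look_ahead                    # tolerate codes generated but never submitted

    def verify(self, code: str) -> bool:
        for c in range(self._next_counter, self._next_counter + self._look_ahead):
            if hmac.compare_digest(hotp(self._secret, c).encode(), code.encode()):
                self._next_counter = c + 1               # this and all earlier counters are dead: no replay
                return True
        return False


def demo() -> dict:
    """Walk through a login, a replay, a skipped press, a wrong PIN and a blind guess."""
    reader = CardReader(CARD_SECRET, CARD_PIN)
    bank = BankVerifier(CARD_SECRET)
    first = reader.generate(CARD_PIN)
    results = {"login": bank.verify(first), "replay": bank.verify(first)}
    reader.generate(CARD_PIN)                            # button pressed, code never submitted
    results["skipped_one"] = bank.verify(reader.generate(CARD_PIN))
    results["wrong_pin"] = reader.generate("0000") is None
    results["guess"] = bank.verify("00000000")
    return results


if __name__ == "__main__":
    print(demo())
```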



#23925

From: "Kerr-Mudd, John" <admin@127.0.0.1>
Date: 2024-02-07 10:31 +0000
Message-ID: <20240207103128.c396e6cc9575337ae22be432@127.0.0.1>
In reply to: #23921
On Tue, 6 Feb 2024 23:47:35 +0000
Bruce Horrocks <07.013@scorecrow.com> wrote:

> On 30/01/2024 10:57, Sylvia Else wrote:
> > On 30-Jan-24 9:39 pm, Dan Purgert wrote:
> >> On 2024-01-30, Sylvia Else wrote:
> >>> This is really a rant - venting to release some of the frustration.
> >>>
> >>> I'm in the process of selling my house, and I need somewhere secure to
> >>> hold the proceeds. I decided I'd create an account with a bank I don't
> >>> otherwise bank with, and interact online with it using a live-DVD on a
> >>> system that has no storage. So no risk of key loggers or other hacks.
> >>> I'd remember the strong password, and not have it written down anywhere.
> >>
> >> Until you don't remember it, then what?
> >>
> >> Because let's face it, eventually we all forget the password.
> >>
> > 
> > If I say I won't forget, you've no real reason to doubt me. There are 
> > many things that I've remembered for decades.
> 
> I don't doubt you, but your ability to remember a password that isn't 
> easily guessable and isn't re-used on multiple sites puts you in the top 
> 0.1% of the population. Banks, however, have to deal with the remaining 
> 99.9% as well.
> 
> > In the event that I really did forget, then I'd have to show up at one 
> > of the bank's offices with physical identity documents.
> 
> That's the last thing they want people doing. Imagine going into the 
> bank to find that there are 15 people ahead of you in the queue, all 
> waiting to go through a 5 minute process of showing documents to prove 
> their identity to get their password changed.
> 
> The banks don't want to pay their staff to change passwords, they want 
> to pay them to sell you a new savings account or to take out a loan.
> 
> FWIW my bank in the UK gives out a free card reader device, a bit like a 
> pocket calculator, for their 2FA system. To use it you insert your bank 
> card, enter your card pin, which it validates using the chip in the chip 
> & pin card and then displays an 8 digit number to enter into the website.
> 
> You use this to log in initially (so no password to remember) and then 
> to re-authenticate prior to carrying out any sensitive actions such as 
> making a payment or changing personal details.
> 
These are being deprecated by my bank; they much prefer to sms a
code to your phone.

-- 
Bah, and indeed Humbug.



#23930

From: Ian <gay@sfuu.ca>
Date: 2024-02-07 15:03 -0800
Message-ID: <uq127r$2ejp9$1@paganini.bofh.team>
In reply to: #23921
Bruce Horrocks wrote:

> On 30/01/2024 10:57, Sylvia Else wrote:
>> On 30-Jan-24 9:39 pm, Dan Purgert wrote:
>>> On 2024-01-30, Sylvia Else wrote:
>>>> This is really a rant - venting to release some of the frustration.
>>>>
>>>> I'm in the process of selling my house, and I need somewhere secure
>>>> to hold the proceeds. I decided I'd create an account with a bank I
>>>> don't otherwise bank with, and interact online with it using a
>>>> live-DVD on a system that has no storage. So no risk of key loggers
>>>> or other hacks. I'd remember the strong password, and not have it
>>>> written down anywhere.
>>>
>>> Until you don't remember it, then what?
>>>
>>> Because let's face it, eventually we all forget the password.
>>>
>> 
>> If I say I won't forget, you've no real reason to doubt me. There are
>> many things that I've remembered for decades.
> 
> I don't doubt you, but your ability to remember a password that isn't
> easily guessable and isn't re-used on multiple sites puts you in the
> top 0.1% of the population. Banks, however, have to deal with the
> remaining 99.9% as well.
> 
>> In the event that I really did forget, then I'd have to show up at
>> one of the bank's offices with physical identity documents.
> 
> That's the last thing they want people doing. Imagine going into the
> bank to find that there are 15 people ahead of you in the queue, all
> waiting to go through a 5 minute process of showing documents to prove
> their identity to get their password changed.
> 
> The banks don't want to pay their staff to change passwords, they want
> to pay them to sell you a new savings account or to take out a loan.
> 
> FWIW my bank in the UK gives out a free card reader device, a bit like
> a pocket calculator, for their 2FA system. To use it you insert your
> bank card, enter your card pin, which it validates using the chip in
> the chip & pin card and then displays an 8 digit number to enter into
> the website.
> 
> You use this to log in initially (so no password to remember) and then
> to re-authenticate prior to carrying out any sensitive actions such as
> making a payment or changing personal details.
> 

Would that be the same bank that asks you for, e.g. the 3rd character of
your pin and the 5th character of your password? This seems to mean
that they must have plaintext of your pin and password online. Doesn't
seem very secure...
-- 
*********** To reply by e-mail, make w single in address **************



#23875

From: Spiros Bousbouras <spibou@gmail.com>
Date: 2024-01-30 14:33 +0000
Message-ID: <L2PlxvxSHEVJx+H9A@bongo-ra.co>
In reply to: #23873
On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
Dan Purgert <dan@djph.net> wrote:
> On 2024-01-30, Sylvia Else wrote:
> > This is really a rant - venting to release some of the frustration.
> >
> > I'm in the process of selling my house, and I need somewhere secure to 
> > hold the proceeds. I decided I'd create an account with a bank I don't 
> > otherwise bank with, and interact online with it using a live-DVD on a 
> > system that has no storage. So no risk of key loggers or other hacks. 
> > I'd remember the strong password, and not have it written down anywhere.
> 
> Until you don't remember it, then what?
> 
> Because let's face it, eventually we all forget the password.

That's a very presumptuous thing to say. I have my own ways of storing and
retrieving passwords (which may include just my memory) and I'm confident
they are secure and reliable enough. So don't include me in your "we".

I share Sylvia's frustration and it's not just with banks. Pretty much any
online site with an option to create an account, will also have some kind
of password reminder, usually sent to your email. Very often I have wished
for sites to offer the option when creating an account to disable any
password reminders but I have yet to see a site which does this.



#23876

From: D <nospam@example.net>
Date: 2024-01-30 16:38 +0100
Message-ID: <9815dfa4-3b70-85f6-8f3d-e4486f2cd123@example.net>
In reply to: #23875

On Tue, 30 Jan 2024, Spiros Bousbouras wrote:

> On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
> Dan Purgert <dan@djph.net> wrote:
>> On 2024-01-30, Sylvia Else wrote:
>>> This is really a rant - venting to release some of the frustration.
>>>
>>> I'm in the process of selling my house, and I need somewhere secure to
>>> hold the proceeds. I decided I'd create an account with a bank I don't
>>> otherwise bank with, and interact online with it using a live-DVD on a
>>> system that has no storage. So no risk of key loggers or other hacks.
>>> I'd remember the strong password, and not have it written down anywhere.
>>
>> Until you don't remember it, then what?
>>
>> Because let's face it, eventually we all forget the password.
>
> That's a very presumptuous thing to say. I have my own ways of storing and
> retrieving passwords (which may include just my memory) and I'm confident
> they are secure and reliable enough. So don't include me in your "we".
>
> I share Sylvia's frustration and it's not just with banks. Pretty much any
> online site with an option to create an account, will also have some kind
> of password reminder, usually sent to your email. Very often I have wished
> for sites to offer the option when creating an account to disable any
> password reminders but I have yet to see a site which does this.
>

Just for the record, please add me to the "we". When it comes to password 
reset, I've never had a bank that does not have you go to their office in 
person to set up accounts and change passwords.



#23879

From: Julieta Shem <jshem@yaxenu.org>
Date: 2024-01-30 13:39 -0300
Message-ID: <87y1c6vkps.fsf@yaxenu.org>
In reply to: #23875
Spiros Bousbouras <spibou@gmail.com> writes:

> On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
> Dan Purgert <dan@djph.net> wrote:
>> On 2024-01-30, Sylvia Else wrote:
>> > This is really a rant - venting to release some of the frustration.
>> >
>> > I'm in the process of selling my house, and I need somewhere secure to 
>> > hold the proceeds. I decided I'd create an account with a bank I don't 
>> > otherwise bank with, and interact online with it using a live-DVD on a 
>> > system that has no storage. So no risk of key loggers or other hacks. 
>> > I'd remember the strong password, and not have it written down anywhere.
>> 
>> Until you don't remember it, then what?
>> 
>> Because let's face it, eventually we all forget the password.
>
> That's a very presumptuous thing to say. I have my own ways of storing and
> retrieving passwords (which may include just my memory) and I'm confident
> they are secure and reliable enough. So don't include me in your "we".
>
> I share Sylvia's frustration and it's not just with banks.

I share Sylvia's frustration as well.  It's not just with banks.  Things
are becoming ever more centralized.  Centralization designs products and
services to the average customer and businesses invest in shaping people
so that it fits their business model.  Along with that new cultural
values appear.  People seem a lot less interested in serving people.  We
have to fit in with the system now.  People who keep their individuality
are a nuisance to the system.

I wonder what happens in the limiting case.



#23884

From: Mike Spencer <mds@bogus.nodomain.nowhere>
Date: 2024-01-30 19:56 -0400
Message-ID: <8734uextmd.fsf@enoch.nodomain.nowhere>
In reply to: #23879
Julieta Shem <jshem@yaxenu.org> writes:

> Spiros Bousbouras <spibou@gmail.com> writes:
> 
>> On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
>> Dan Purgert <dan@djph.net> wrote:
>>> On 2024-01-30, Sylvia Else wrote:
>>>> This is really a rant - venting to release some of the frustration.
>>>>
>>>> I'm in the process of selling my house, and I need somewhere secure to 
>>>> hold the proceeds. I decided I'd create an account with a bank I don't 
>>>> otherwise bank with, and interact online with it using a live-DVD on a 
>>>> system that has no storage. So no risk of key loggers or other hacks. 
>>>> I'd remember the strong password, and not have it written down anywhere.
>>> 
>>> Until you don't remember it, then what?
>>> 
>>> Because let's face it, eventually we all forget the password.
>>
>> That's a very presumptuous thing to say. I have my own ways of storing and
>> retrieving passwords (which may include just my memory) and I'm confident
>> they are secure and reliable enough. So don't include me in your "we".
>>
>> I share Sylvia's frustration and it's not just with banks.
> 
> I share Sylvia's frustration as well.  It's not just with banks.  Things
> are becoming ever more centralized.  Centralization designs products and
> services to the average customer and businesses invest in shaping people
> so that it fits their business model.  Along with that new cultural
> values appear.  People seem a lot less interested in serving people.  We
> have to fit in with the system now.  People who keep their individuality
> are a nuisance to the system.

From the POV of finance (see "financialization of everything",
elsewhere) employees, customers, clients and also product, tangible or
otherwise, are externalities.

> I wonder what happens in the limiting case.

The ultimate promise of the computer, from the earliest days that its
development attracted corporate money, was, "Turn it on; money comes
out".  Cryptocurrency is the closest we've come to this ideal but it's
not without problems.  Morphing everything that everybody does into a
digital transaction, to the internal mechanisms of which no one [1] has
access, gradually expunging other routines for "what everybody does",
appears to be the leading candidate.

[1] Except for the digital priesthood within any given corporation.
    Contemporary AI is offering some promise that systems for
    extracting money from the biomass will soon be impenetrable
    even to them.


-- 
Mike Spencer                  Nova Scotia, Canada



#23894

From: Julieta Shem <jshem@yaxenu.org>
Date: 2024-01-31 17:57 -0300
Message-ID: <87o7d1ql0a.fsf@yaxenu.org>
In reply to: #23884
Mike Spencer <mds@bogus.nodomain.nowhere> writes:

> Julieta Shem <jshem@yaxenu.org> writes:
>
>> Spiros Bousbouras <spibou@gmail.com> writes:
>> 
>>> On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
>>> Dan Purgert <dan@djph.net> wrote:
>>>> On 2024-01-30, Sylvia Else wrote:
>>>>> This is really a rant - venting to release some of the frustration.
>>>>>
>>>>> I'm in the process of selling my house, and I need somewhere secure to 
>>>>> hold the proceeds. I decided I'd create an account with a bank I don't 
>>>>> otherwise bank with, and interact online with it using a live-DVD on a 
>>>>> system that has no storage. So no risk of key loggers or other hacks. 
>>>>> I'd remember the strong password, and not have it written down anywhere.
>>>> 
>>>> Until you don't remember it, then what?
>>>> 
>>>> Because let's face it, eventually we all forget the password.
>>>
>>> That's a very presumptuous thing to say. I have my own ways of storing and
>>> retrieving passwords (which may include just my memory) and I'm confident
>>> they are secure and reliable enough. So don't include me in your "we".
>>>
>>> I share Sylvia's frustration and it's not just with banks.
>> 
>> I share Sylvia's frustration as well.  It's not just with banks.  Things
>> are becoming ever more centralized.  Centralization designs products and
>> services to the average customer and businesses invest in shaping people
>> so that it fits their business model.  Along with that new cultural
>> values appear.  People seem a lot less interested in serving people.  We
>> have to fit in with the system now.  People who keep their individuality
>> are a nuisance to the system.
>
> From the POV of finance (see "financialization of everything",
> elsewhere) employees, customers, clients and also product, tangible or
> otherwise, are externalities.

That's a paragraph to the expert.  I had to read on ``financialization
of everything'' and get a definition of externality.  But, okay, I
understand the connection now.  If customers and products are
externalities, then I think we are in agreement---businesses are not
really interested in what they're doing, which explains why so many of
them try various things until they finally ``succeed''.  It doesn't
really matter how they get there.

>> I wonder what happens in the limiting case.
>
> The ultimate promise of the computer, from the earliest days that its
> development attracted corporate money, was, "Turn it on; money comes
> out".  Cryptocurrency is the closest we've come to this ideal but it's
> not without problems.  Morphing everything that everybody does into a
> digital transaction, to the internal mechanisms of which no one [1] has
> access, gradually expunging other routines for "what everybody does",
> appears to be the leading candidate.

You might be quite right.



#23891

From: Dan Purgert <dan@djph.net>
Date: 2024-01-31 11:10 +0000
Message-ID: <slrnurkaop.2h7.dan@djph.net>
In reply to: #23875
On 2024-01-30, Spiros Bousbouras wrote:
> On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
> Dan Purgert <dan@djph.net> wrote:
>> On 2024-01-30, Sylvia Else wrote:
>> > This is really a rant - venting to release some of the frustration.
>> >
>> > I'm in the process of selling my house, and I need somewhere secure to 
>> > hold the proceeds. I decided I'd create an account with a bank I don't 
>> > otherwise bank with, and interact online with it using a live-DVD on a 
>> > system that has no storage. So no risk of key loggers or other hacks. 
>> > I'd remember the strong password, and not have it written down anywhere.
>> 
>> Until you don't remember it, then what?
>> 
>> Because let's face it, eventually we all forget the password.
>
> That's a very presumptuous thing to say. I have my own ways of storing and
> retrieving passwords (which may include just my memory) and I'm confident
> they are secure and reliable enough. So don't include me in your "we".

So if I was to sit you down at any freshly installed PC of your choice,
you could log-in to *any* random service to which you have a
username/password combination *from memory* ?

Because if there is even a single service to which the truthful answer
(which, admittedly I will never know; because this is Usenet, and you
can vehemently deny it to your last post) is "well, actually, I'd
have to use [password-tool-of-choice] for that site"; then you are
solidly in the group of "people who have forgotten the password".


-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860



#23892

From: Sylvia Else <sylvia@email.invalid>
Date: 2024-01-31 22:34 +1100
Message-ID: <l1upj2FrqdkU1@mid.individual.net>
In reply to: #23891
On 31-Jan-24 10:10 pm, Dan Purgert wrote:
> On 2024-01-30, Spiros Bousbouras wrote:
>> On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
>> Dan Purgert <dan@djph.net> wrote:
>>> On 2024-01-30, Sylvia Else wrote:
>>>> This is really a rant - venting to release some of the frustration.
>>>>
>>>> I'm in the process of selling my house, and I need somewhere secure to
>>>> hold the proceeds. I decided I'd create an account with a bank I don't
>>>> otherwise bank with, and interact online with it using a live-DVD on a
>>>> system that has no storage. So no risk of key loggers or other hacks.
>>>> I'd remember the strong password, and not have it written down anywhere.
>>>
>>> Until you don't remember it, then what?
>>>
>>> Because let's face it, eventually we all forget the password.
>>
>> That's a very presumptuous thing to say. I have my own ways of storing and
>> retrieving passwords (which may include just my memory) and I'm confident
>> they are secure and reliable enough. So don't include me in your "we".
> 
> So if I was to sit you down at any freshly installed PC of your choice,
> you could log-in to *any* random service to which you have a
> username/password combination *from memory* ?
> 
> Because if there is even a single service to which the truthful answer
> (which, admittedly I will never know; because this is Usenet, and you
> can vehemently deny it to your last post) is "well, actually, I'd
> have to use [password-tool-of-choice] for that site"; then you are
> solidly in the group of "people who have forgotten the password".
> 
> 
Just need to remember the one username and password for the site where the 
backup copy of the encrypted password database is stored, and the 
passphrase to decrypt that database. Not that hard.

Sylvia.





#23895

From: Dan Purgert <dan@djph.net>
Date: 2024-02-01 15:16 +0000
Message-ID: <slrnurndhi.2h7.dan@djph.net>
In reply to: #23892
On 2024-01-31, Sylvia Else wrote:
> On 31-Jan-24 10:10 pm, Dan Purgert wrote:
>> On 2024-01-30, Spiros Bousbouras wrote:
>>> On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
>>> Dan Purgert <dan@djph.net> wrote:
>>>> On 2024-01-30, Sylvia Else wrote:
>>>>> This is really a rant - venting to release some of the frustration.
>>>>>
>>>>> I'm in the process of selling my house, and I need somewhere secure to
>>>>> hold the proceeds. I decided I'd create an account with a bank I don't
>>>>> otherwise bank with, and interact online with it using a live-DVD on a
>>>>> system that has no storage. So no risk of key loggers or other hacks.
>>>>> I'd remember the strong password, and not have it written down anywhere.
>>>>
>>>> Until you don't remember it, then what?
>>>>
>>>> Because let's face it, eventually we all forget the password.
>>>
>>> That's a very presumptuous thing to say. I have my own ways of storing and
>>> retrieving passwords (which may include just my memory) and I'm confident
>>> they are secure and reliable enough. So don't include me in your "we".
>> 
>> So if I was to sit you down at any freshly installed PC of your choice,
>> you could log-in to *any* random service to which you have a
>> username/password combination *from memory* ?
>> 
>> Because if there is even a single service to which the truthful answer
>> (which, admittedly I will never know; because this is Usenet, and you
>> can vehemently deny it to your last post) is "well, actually, I'd
>> have to use [password-tool-of-choice] for that site"; then you are
>> solidly in the group of "people who have forgotten the password".
>> 
>> 
> Just need to remember the one username and password for the site where the 
> backup copy of the encrypted password database is stored, and the 
> passphrase to decrypt that database. Not that hard.

You might want to re-read what was written.



-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860



#23893

From: Spiros Bousbouras <spibou@gmail.com>
Date: 2024-01-31 12:06 +0000
Message-ID: <UKRnzwK2I7OBPZijg@bongo-ra.co>
In reply to: #23891
On Wed, 31 Jan 2024 11:10:34 -0000 (UTC)
Dan Purgert <dan@djph.net> wrote:
> On 2024-01-30, Spiros Bousbouras wrote:
> > On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
> > Dan Purgert <dan@djph.net> wrote:
> >> On 2024-01-30, Sylvia Else wrote:
> >> > This is really a rant - venting to release some of the frustration.
> >> >
> >> > I'm in the process of selling my house, and I need somewhere secure to 
> >> > hold the proceeds. I decided I'd create an account with a bank I don't 
> >> > otherwise bank with, and interact online with it using a live-DVD on a 
> >> > system that has no storage. So no risk of key loggers or other hacks. 
> >> > I'd remember the strong password, and not have it written down anywhere.
> >> 
> >> Until you don't remember it, then what?
> >> 
> >> Because let's face it, eventually we all forget the password.
> >
> > That's a very presumptuous thing to say. I have my own ways of storing and
> > retrieving passwords (which may include just my memory) and I'm confident
> > they are secure and reliable enough. So don't include me in your "we".
> 
> So if I was to sit you down at any freshly installed PC of your choice,
> you could log-in to *any* random service to which you have a
> username/password combination *from memory* ?

No. I will note in passing that even a yes answer would not necessarily
be unrealistic. It depends on how many online accounts one has. Someone
may only have an email online account and nothing more so would only
need to remember one password.

> Because if there is even a single service to which the truthful answer
> (which, admittedly I will never know; because this is Usenet, and you
> can vehemently deny it to your last post) is "well, actually, I'd
> have to use [password-tool-of-choice] for that site"; then you are
> solidly in the group of "people who have forgotten the password".

No, I am in the group of people who never memorised the password. I have
sites for which I have memorised a password and for those I don't worry
about forgetting it (unless I go senile but then I may forget many more
things so it becomes a more general problem). And I have sites for which
I made no effort to memorise the password and I have other ways of retrieving
it. And I also have sites for which I made a decision that I wasn't going to
use them again and eventually forgot the password. But I considered those
examples irrelevant to the discussion.

But my main point was that I do not want any help from the site in retrieving
forgotten or lost passwords because I often find that the method offered
reduces security and I resent the fact that sites do not offer the
possibility to turn off such methods.

In any case, I see now that I read in your post more than what you intended.
You said "then what?" and I interpreted that as suggesting that we all need
help from the website in retrieving passwords and that's what I found
especially presumptuous.

-- 
I am writing this mail to you with serious tears in my eyes and great
sorrow in my heart
  An email offering me 30% of $7,200,200



#23896

From: Dan Purgert <dan@djph.net>
Date: 2024-02-01 15:48 +0000
Message-ID: <slrnurnfea.2h7.dan@djph.net>
In reply to: #23893
On 2024-01-31, Spiros Bousbouras wrote:
> On Wed, 31 Jan 2024 11:10:34 -0000 (UTC)
> Dan Purgert <dan@djph.net> wrote:
>> On 2024-01-30, Spiros Bousbouras wrote:
>> > On Tue, 30 Jan 2024 10:39:28 -0000 (UTC)
>> > Dan Purgert <dan@djph.net> wrote:
>> >> On 2024-01-30, Sylvia Else wrote:
>> >> > This is really a rant - venting to release some of the frustration.
>> >> >
>> >> > I'm in the process of selling my house, and I need somewhere secure to 
>> >> > hold the proceeds. I decided I'd create a account with a bank I don't 
>> >> > otherwise bank with, and interact online with it using a live-DVD on a 
>> >> > system that has no storage. So no risk of key loggers or other hacks. 
>> >> > I'd remember the strong password, and not have it written down anywhere.
>> >> 
>> >> Until you don't remember it, then what?
>> >> 
>> >> Because let's face it, eventually we all forget the password.
>> >
>> > That's a very presumptuous thing to say. I have my own ways of storing and
>> > retrieving passwords (which may include just my memory) and I'm confident
>> > they are secure and reliable enough. So don't include me in your "we".
>> 
>> So if I was to sit you down at any freshly installed PC of your choice,
>> you could log-in to *any* random service to which you have a
>> username/password combination *from memory* ?
>
> No. I will note in passing that even a yes answer would not necessarily
> be unrealistic. It depends on how many online accounts one has. Someone
> may only have an email online account and nothing more so would only
> need to remember one password.
>
>> Because if there is even a single service to which the truthful answer
>> (which, admittedly I will never know; because this is Usenet, and you
>> can vehemently deny it to your last post) is "well, actually, I'd
>> have to use [password-tool-of-choice] for that site"; then you are
>> solidly in the group of "people who have forgotten the password".
>
> No , I am in the group of people who never memorised the password. 
> [...]
> In any case , I see now that I read in your post more than what you
> intended. You said  "then what?"  and I interpreted that as suggesting
> that we all need help from the website in retrieving passwords and
> that's what I found especially presumptuous.

I actually figured you were taking issue with the second line; since
it's the more explicit/direct statement that "everyone forgets the
password".

For a bank or other "very public institution that is generally very easy
to access", I can completely agree that "look, if/when you forget your
web-access password, come to the nearest branch" is (probably) a better
solution than a "forgot password" link and answering a couple of
questions about my dog.

But then, what about services that aren't "very public institutions that
are generally very easy to access" (Netflix / Amazon / Google / CC
Company / etc.)?

What would a viable "general" solution be?  Call them?  Email?  Too bad,
create a new account?

-- 
|_|O|_| 
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860



#23897

From: Spiros Bousbouras <spibou@gmail.com>
Date: 2024-02-01 17:57 +0000
Message-ID: <qOL3gzzw0FzYeF3s=@bongo-ra.co>
In reply to: #23896
On Thu, 1 Feb 2024 15:48:43 -0000 (UTC)
Dan Purgert <dan@djph.net> wrote:
> On 2024-01-31, Spiros Bousbouras wrote:
> > No , I am in the group of people who never memorised the password. 
> > [...]
> > In any case , I see now that I read in your post more than what you
> > intended. You said  "then what?"  and I interpreted that as suggesting
> > that we all need help from the website in retrieving passwords and
> > that's what I found especially presumptuous.
> 
> I actually figured you were taking issue with the second line; since
> it's the more explicit/direct statement that "everyone forgets the
> password".
> 
> For a bank or other "very public institution that is generally very easy
> to access", I can completely agree that "look, if/when you forget your
> web-access password, come to the nearest branch" is (probably) a better
> solution than a "forgot password" link and answering a couple of
> questions about my dog.

Yes, as long as the reminder option is safe enough (like personally going to
a building with ID), I have no problem with it.

> But then, what about services that aren't "very public institutions that
> are generally very easy to access" (Netflix / Amazon / Google / CC
> Company / etc.)?
> 
> What would a viable "general" solution be?  Call them?  Email?  Too bad,
> create a new account?

I have already indicated that in <L2PlxvxSHEVJx+H9A@bongo-ra.co>: "Very
often I have wished for sites to offer the option when creating an account to
disable any password reminders". So when logged in, one would have access to
an account boolean setting which would enable/disable password reminders.
If the user chooses "disable" and then forgets (or loses or whatever) their
password then that's it, they are locked out of their account forever and
ever. The site would offer appropriate warnings to that effect but ultimately
the user should have the option to disable reminders. If the user decides to
enable them, I don't have a view on which would be the best method and I
haven't given it much thought because I would always choose to disable them.
(In a similar vein, I always choose for the site *not* to store credit card
information. How faithfully they implement this, I have no way of knowing.)

-- 
Every theatre is an insane asylum, but an opera theatre is the
ward for the incurables.
  Franz Schalk
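
An added example (not code from the thread or any bank) of the account-level switch proposed in the post above: the owner can turn self-service reset off only while logged in and after acknowledging the lockout consequence, and the "forgot password" entry point answers identically whether the account is unknown, has reset disabled, or really got a code, so the link cannot be used to learn which accounts opted out. All names (`Account`, `disable_reset`, `request_reset`, `ACK_TEXT`) are hypothetical.

```python
"""Hypothetical opt-out switch for self-service password reset (added
example, not from the thread). Names and flow are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Optional
import secrets


@dataclass
class Account:
    username: str
    password_hash: str
    phone: Optional[str] = None
    # Default is "enabled" so the site behaves as it does today; only the
    # logged-in owner can switch it off, and only after acknowledging lockout.
    reset_enabled: bool = True
    reset_tokens: set = field(default_factory=set)


# Exact text the warning dialog makes the user type back before opting out.
ACK_TEXT = "I understand that a forgotten password means permanent lockout"


def disable_reset(account: Account, session_user: str, acknowledgement: str) -> bool:
    """Turn off self-service reset for the account owned by the current
    session. Refuses when the session belongs to someone else or the
    acknowledgement text was not reproduced exactly."""
    if session_user != account.username:
        return False
    if acknowledgement != ACK_TEXT:
        return False
    account.reset_enabled = False
    return True


def request_reset(lookup: Callable[[str], Optional[Account]], username: str,
                  send_sms: Callable[[str, str], None]) -> str:
    """Handler behind the 'forgot password' link.

    Sends an SMS code only when the account exists, allows resets and has a
    phone on file, but always returns the same generic message so the
    response does not reveal which of those conditions failed."""
    account = lookup(username)
    if account is not None and account.reset_enabled and account.phone:
        token = secrets.token_urlsafe(16)          # unguessable one-time code
        account.reset_tokens.add(token)            # consumed by the reset step
        send_sms(account.phone, f"Your reset code: {token}")
    return "If the account exists and allows resets, a code has been sent."
```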



#23878

From: Rich <rich@example.invalid>
Date: 2024-01-30 16:39 +0000
Message-ID: <upb8oq$129vn$2@dont-email.me>
In reply to: #23872
Sylvia Else <sylvia@email.invalid> wrote:
> This is really a rant - venting to release some of the frustration.
> 
> I'm in the process of selling my house, and I need somewhere secure to 
> hold the proceeds. I decided I'd create a account with a bank I don't 
> otherwise bank with, and interact online with it using a live-DVD on a 
> system that has no storage. So no risk of key loggers or other hacks. 
> I'd remember the strong password, and not have it written down anywhere.
> 
> Except that the banks insist on having a password reset option, 
> validated using an SMS. This undermines my attempts at ensuring that the 
> account remains secure.

True in a general security sense.

> I've tried telling banks (and other entities, indeed) that I don't want 
> the ability to reset the password. No go, because such an option is not 
> implemented in their systems.

Your request is the one odd one in a sea of others that all /rely/ on 
the ability to reset passwords, and as banks are, well, /banks/ and not 
security researchers, they simply will not understand why you want to 
be "so different from everyone" -- and the result is a "can't do that" 
answer (because, likely, they really can't do that).

> Telcos in Australia have some quite strict rules regarding transfer of 
> mobile phone numbers, but the rules still get broken, and frauds 
> committed thereby.

The US /supposedly/ has rules to prevent it as well, but an 'insider' 
can always work around the rules, and so it happens here too.

> If someone perpetrated a fraud as a consequence of the SMS password 
> reset, I'd have a good case that it was a fraud against the bank, rather 
> than against me, and that it was therefore the bank's loss.
> 
> Still, I'd rather not have to deal with it.

Agreed.

> I looked at having a SecurID® device as 2FA. But guess what? It can be 
> used to reset the password.
> 
> So I'm tearing my hair out. Why do banks have this huge blind-spot when 
> it comes to resetting passwords?

Because banks are not "security researchers" and are instead simply 
following the "best practices playbook" (which is also not written by 
"security researchers" but may be written by "govt. regulators").  And 
if the playbook says "provide ability to reset password with 2FA 
security" and a separate chapter lists "SMS" as a valid 2FA method, 
then they are "protected" (which in this environment means protected 
from a charge of negligence for not following "best practices").  But 
they are not in the business of "protecting" you -- they are in the 
business of "protecting" themselves from negligence charges.  The 
amount of "protection" you receive as a secondary result of them 
protecting themselves is what you end up seeing as your protection.



#23881

From: newsmaster@ausics.net
Date: 2024-01-31 07:02 +1000
Message-ID: <65b963eb@news.ausics.net>
In reply to: #23872
Sylvia Else <sylvia@email.invalid> wrote:
> This is really a rant - venting to release some of the frustration.
> 
> I'm in the process of selling my house, and I need somewhere secure to 
> hold the proceeds. I decided I'd create a account with a bank I don't 
> otherwise bank with, and interact online with it using a live-DVD on a 
> system that has no storage. So no risk of key loggers or other hacks.

Although probably a higher risk of running software that's missing
the latest security bug fixes, and therefore _might_ be vulnerable
to snooping on the encrypted data, or page content in web browsers
via Javascript. I suppose you could run updates each time after
booting though.

> Except that the banks insist on having a password reset option, 
> validated using an SMS. This undermines my attempts at ensuring that the 
> account remains secure.

Yes the SMS requirement annoys me too, although for different
reasons related to me not frequently using a mobile at all. But I
only have online banking enabled for accounts from which I want to
make payments for online purchases, where I transfer the required
amount into them before-hand. Otherwise money is kept in accounts
that don't have online banking and I don't have to provide a mobile
phone number for them, although I believe it is an option for
verification with phone banking.

> I've tried telling banks (and other entities, indeed) that I don't want 
> the ability to reset the password. No go, because such an option is not 
> implemented in their systems.
> 
> Telcos in Australia have some quite strict rules regarding transfer of 
> mobile phone numbers, but the rules still get broken, and frauds 
> committed thereby.

I wonder if there's an equivalent to 127.0.0.1 for mobile phone
numbers, where you _know_ they can't call anyone with that number
(even yourself)? CBA requires the SMS code while setting up and
using their online banking functions too though (rather annoying for
me because I keep my mobile phone in the car all the time).

> If someone perpetrated a fraud as a consequence of the SMS password 
> reset, I'd have a good case that it was a fraud against the bank, rather 
> than against me, and that it was therefore the bank's loss.
> 
> Still, I'd rather not have to deal with it.

Yes I've had bank staff tell me about similar protections
when I say I don't want online banking, but it ignores the
immediate difficulty of finding that all your money's gone and
then having to wait penniless until the bank gets around to looking
into it (and hoping they're competent at doing so).

-- 
__          __
#_ < |\| |< _#  | Note: I won't see posts made from Google Groups |



#23882

From: Sylvia Else <sylvia@email.invalid>
Date: 2024-01-31 09:45 +1100
Message-ID: <l1tcggFk5rdU1@mid.individual.net>
In reply to: #23872
Just as an aside, when I created my online account for the bank, it told 
me my user id, expressed as two four-digit groups separated by a space.

But will it accept the user id in that format? No, of course not.

Sylvia.
