Monday 23 September 2013

Password Security

I teach on the Foundation Degree in IT Security.  As you can imagine, a lot of my time is spent researching and looking into issues relating to IT security.  As a result of teaching on this course, I have reassessed my own use of passwords, and most of them are now unique in a format that only I would remember (I hope!).

Today I have tried to register for online access to a banking institution.  I was sent a secure password, in a separate letter to my account number.  The secure password was hidden by a peel-off sticker, so that it couldn't be read through the envelope.  Next to the sticker, the letter said 'if you think anyone else has tried to remove the strip, please call us straight away'.  Clearly this organisation takes security very seriously.  All good so far.

I log onto the website using a variety of personal information and my new account number.  I'm asked for several characters from the sticky strip, and then I'm taken straight to a screen to change my password.  Here's where things begin to go downhill.

I try my usual method of creating a unique password, using an algorithm I've invented which can work with any website, but the resulting password is too long.  I can see that I can only use 8 characters for this password - that seems a little short.

I try a shortened version of the algorithm, but now I'm told that I need to have a capital letter - that would normally come later in my method, so I have to do a rethink.

I try again, this time, putting my capital letter earlier in the algorithm, but now I get a message saying I need a special character.  No problem, I put a special character in, but the one I have chosen is not allowed.  Rethink again.

After all this messing about, my next attempt says that the confirmation password doesn't match.  I'm not surprised - I've got myself in a complete knot by this stage.

I retype both the password and confirmation, but this time I'm told that the minimum number of numeric characters hasn't been met.  OK, I'm getting fed up now.  I take a breather to gather my thoughts.

A few minutes later I give it another shot, but now I've been timed out and have to start the whole process again.  Finally, I pick a short, random jumble of characters and I'm allowed in.

I'm then required to submit answers to 5 (yes, 5!) security questions digging into my deep and distant past - Mother's middle name, Grandfather's job, first house, first car, etc., and then I'm asked for 3 phone numbers that they can contact me on.

Finally, I feel I'm getting somewhere, and I'm asked to choose a picture and a welcome phrase so I know when I've logged in that it really is the site I intended to be on, and not a spoof website.  This part I like, and I've not seen it before in this format; it would certainly be reassuring if I clicked on a link from an email to check my account (something I would never normally do, by the way!).

This example begs the question:  has security gone too far, or is this how it should be in the age of cyber-crime?  In addition, why didn't the website give me some examples of what was required in the password?  It wasn't until after I'd sorted it out that I realised such guidance was on the letter I received in the post.  One thing's for sure, I feel fairly confident that no-one will ever break into my account, probably not even me; I doubt I'll ever be able to remember all those details again!!
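As an added illustration of the point about telling the user every requirement up front (this is example code written for this page, not the bank's or the post author's), here is a policy checker that returns all unmet rules in one response rather than one per attempt. The rule values (minimum length, digit count, allowed special characters) are assumptions modelled on the post; the bank's real rules are not given.

```python
# Added example: a password policy checker that reports every unmet rule
# at once, instead of the one-error-per-attempt behaviour the post describes.
# Rule values are assumptions based on the post, not the bank's real policy.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    max_length: int = 8                    # the post's 8-character ceiling
    min_length: int = 8                    # assumed
    min_upper: int = 1                     # "need to have a capital letter"
    min_digits: int = 2                    # assumed "minimum number of numeric characters"
    min_special: int = 1                   # "need a special character"
    allowed_special: str = "!$%&*+-=?@_"   # assumed; the post says some are rejected


def check_password(password: str, policy: Policy = Policy()) -> list[str]:
    """Return every unmet requirement; an empty list means the password passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"at least {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"no more than {policy.max_length} characters")
    if sum(c.isupper() for c in password) < policy.min_upper:
        problems.append(f"at least {policy.min_upper} capital letter(s)")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        problems.append(f"at least {policy.min_digits} digit(s)")
    specials = [c for c in password if not c.isalnum()]
    allowed_used = [c for c in specials if c in policy.allowed_special]
    if len(allowed_used) < policy.min_special:
        problems.append(f"at least {policy.min_special} special character(s) "
                        f"from {policy.allowed_special}")
    # Name the rejected characters so the user is not left guessing which one failed.
    disallowed = sorted({c for c in specials if c not in policy.allowed_special})
    if disallowed:
        problems.append("characters not permitted: " + " ".join(disallowed))
    return problems


def check_registration(password: str, confirmation: str,
                       policy: Policy = Policy()) -> list[str]:
    """Combine the policy check with the confirmation-match check in one response."""
    problems = check_password(password, policy)
    if password != confirmation:
        problems.append("password and confirmation do not match")
    return problems


if __name__ == "__main__":
    # Constructed sample attempts, roughly mirroring the post's sequence of failures.
    for attempt in ["correcthorsebatterystaple", "Abcdefg1", "Ab#12345", "Ab@12345"]:
        print(attempt, "->", check_registration(attempt, attempt) or "accepted")
```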

Endnote:  The precise details of what the website required have been changed in the interest of security ;)
