Passwords & Pin Security


Credit cards, video remote controls, home and business security systems, logging on to your computer, enabling your car radio after a flat battery,
e-banking, protected software files … the list of places where we need some form of password or identification number to validate/authenticate who we are is on the rise.

The need for passwords and PINs is not going to recede!

In fact it is likely to increase, particularly as we undertake more and more of our transactions electronically.

Internet banking generally requires users to have an Access ID number plus a password/PIN. Banks are now moving to a third level of authentication which requires a physical security token of some sort for e-banking.

As an example, the Bendigo Bank’s e-banking Logon screen looks like this:

The Bendigo Bank has been moving towards an authentication Key for some time and one suspects that it is only a matter of time before financial institutions mandate the use of this third level of authentication. This may be required, not only to log on to the internet banking site but also to make payments from it.

In Bendigo’s case they have two types of token. The cheaper option ($16.50) is a small one-touch token that you could carry with your keys; the token has a single button which, when pressed, provides a one-time 6-digit authentication key that must be entered via the keyboard when logging on and/or when making a payment. These tokens operate on Greenwich Mean Time, so they can be used anywhere in the world.
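The article does not say how the one-touch token computes its code. The following added example (not Bendigo’s or the article’s code) shows the standard time-based one-time password scheme (RFC 6238: HMAC-SHA1 over a 30-second time-step counter, truncated to 6 digits) that such tokens commonly use, with both the token’s side and the bank’s verifying side. The 30-second step and the one-step drift window are assumptions; the demo seed is the RFC’s published test secret, not a real key. Because both sides count steps from the Unix epoch (UTC), the code is the same in any time zone, which is what the article means by the token running on Greenwich Mean Time.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # assumed time step; the article does not state the token's
DIGITS = 6          # the article says the token shows a 6-digit code

# Constructed demo seed: the RFC 4226/6238 test secret, shared between the token
# and the verifier at provisioning time. A real token's seed never leaves the device.
DEMO_SEED = b"12345678901234567890"


def hotp_code(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time code (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamic truncation to 31 bits, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_code(secret: bytes, unix_time: float, step: int = STEP_SECONDS) -> str:
    """Time-based code (RFC 6238): the HOTP counter is the number of whole
    time steps since the Unix epoch, so clock time (UTC) is the only input."""
    return hotp_code(secret, int(unix_time) // step)


def token_press(secret: bytes = DEMO_SEED) -> str:
    """What the one-touch token does when its button is pressed."""
    return totp_code(secret, time.time())


class TotpVerifier:
    """Bank-side check of a submitted code. Accepts the current step or its
    neighbours (small clock drift), compares in constant time, and never accepts
    a step at or before the last accepted one, so a captured code cannot be
    replayed even inside the drift window."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_counter = -1

    def verify(self, submitted: str, unix_time: float) -> bool:
        base = int(unix_time) // STEP_SECONDS
        for k in range(-self.drift_steps, self.drift_steps + 1):
            counter = base + k
            if counter <= self.last_counter:
                continue  # already used (or older than a used one): one-time means one-time
            if hmac.compare_digest(hotp_code(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    code = token_press()
    print("token shows:", code)
    print("bank accepts:", TotpVerifier(DEMO_SEED).verify(code, now))
```

Checking against the RFC’s vectors is the quickest way to confirm an implementation: with the test seed, time 59 (counter 1) must give 287082 and time 0 (counter 0) must give 755224. The replay guard is the part most often left out of home-grown verifiers; without it a code that someone shoulder-surfed remains usable for the rest of its time step plus the drift window.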

Bendigo’s Professional security token ($99) has a keypad that provides another level of security as a separate PIN must be entered into the token’s keypad before the Authentication Key is displayed:

Security tokens are also used by organisations that allow dial-in access to their networks for employees.

TAFE Tasmania is currently investigating the use of physical security tokens for use by staff who need to access their web portal from external locations for secure transactions relating to students; for example, a TAFE teacher may want to enter assessment information while conducting a workplace assessment of a student.

Creating and storing passwords and PINs

The following hints and tips might be useful when considering the selection, recording and protection of passwords and PINs:

  • Do not choose passwords or PINs that relate to any of the following:
      • your name or nickname, the name of your partner, your children, family pets or favourite sporting team
      • your year of birth or the first or last 4 digits of telephone numbers associated with you
      • your street address or postcode
      • easily guessed combinations of letters or numbers such as 1234, 5555, ABCD, 123XYZ.
  • Make sure passwords are at least 6 to 8 characters long and include both digits and alpha characters (in both lower and upper case where the application is case sensitive), ideally without recognisable words or part words. Most of the password cracking programs that can be downloaded from the net are limited to passwords of 3 to 6 characters and will not crack passwords that contain non-alphanumeric characters. Obtaining more sophisticated applications or solutions is expensive and may require you to prove, for example, that you have legitimate rights to the file you are seeking to access.

  • Change your passwords regularly (even if your system or application does not mandate it) and make sure your password is significantly different each time (even if your system/application does not prevent similar passwords being used).

  • Try and commit passwords and PINs to memory – admittedly difficult as we get older and there are more of them to remember!

  • Do not disclose your password/PIN to anyone, including family and colleagues.

  • Do not write passwords or PINs on or near the thing they relate to, even in disguised form. Placing your computer login password on a Post-it note under your keyboard (something that I have seen on more than one occasion) is very unwise!

  • If you must record a password or PIN somewhere, disguise it carefully and do not keep it with material that could easily be associated with the use of the password or PIN; it would be unwise, for example, to record your Internet banking PIN on a "user guide" for e-banking that you keep in your top drawer at work.

  • If you do record your PIN or a password, do not do the following:
      • record PINs within a series of numbers where any are marked, circled or highlighted in any way
      • record PINs within other information in a way that makes them stand out from the rest of the material – for example, recording a 4-digit PIN within a list of telephone numbers
      • record a PIN in reverse order
      • record a PIN in an easily understood code – for example, using the letters on a telephone keypad to represent a numeric PIN or the numbers to represent an alpha password
      • write a password on the back of your hand (something I saw while writing this article!).

  • Be careful when entering a password or PIN that no one can see what you are typing.
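As an added example, not from the article, the Python below turns the selection rules above into a checker: it rejects passwords that contain details from a (constructed) personal profile, including the first and last four digits of a phone number; it flags identical, ascending or descending character runs, which generalises the article’s 1234, 5555, ABCD and 123XYZ examples to any such run; it enforces the length and digit/letter/mixed-case rule; and it applies the “significantly different each time” rule by measuring similarity to the previous password. The thresholds (8 characters minimum, 3-character runs, 70% similarity) are assumptions chosen for this example.

```python
import difflib

# Thresholds are assumptions for this example; the article gives "6 to 8"
# characters and "significantly different" without fixing numbers.
MIN_LENGTH = 8
RUN_LENGTH = 3          # flags 123, 555, ABC and therefore 1234, 5555, ABCD, 123XYZ
SIMILARITY_LIMIT = 0.7  # difflib ratio at or above this counts as "too similar"


def personal_terms(profile):
    """Expand a personal profile into the strings a password must not contain:
    names, team, year of birth, postcode, and the first and last four digits of
    any phone number. Terms shorter than 3 characters are ignored as noise."""
    terms = set()
    for key, value in profile.items():
        value = str(value)
        if key == "phone":
            digits = "".join(ch for ch in value if ch.isdigit())
            terms.update({digits[:4], digits[-4:]})
        else:
            terms.add(value)
    return {t for t in terms if len(t) >= 3}


def has_run(text, length=RUN_LENGTH):
    """True if `text` contains `length` consecutive identical, ascending or
    descending characters (5555, 1234, ABCD, 4321 ...), case-insensitively."""
    text = text.lower()
    for i in range(len(text) - length + 1):
        chunk = text[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def password_problems(candidate, profile=None, previous=None):
    """Return the list of rule violations for `candidate`; an empty list passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isdigit() for c in candidate):
        problems.append("no_digit")
    if not any(c.isalpha() for c in candidate):
        problems.append("no_letter")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("no_mixed_case")
    if has_run(candidate):
        problems.append("guessable_sequence")
    lowered = candidate.lower()
    for term in sorted(personal_terms(profile or {})):
        if term.lower() in lowered:
            problems.append("personal:" + term)
    if previous is not None:
        ratio = difflib.SequenceMatcher(None, lowered, previous.lower()).ratio()
        if ratio >= SIMILARITY_LIMIT:
            problems.append("similar_to_previous")
    return problems


# Constructed profile for demonstration only; no real person is described.
DEMO_PROFILE = {
    "name": "Sarah",
    "pet": "Rex",
    "team": "Hawthorn",
    "birth_year": 1975,
    "phone": "03 6233 4455",
    "postcode": 7000,
}

if __name__ == "__main__":
    for pw in ["1234", "Hawthorn1975!", "Summer2024!", "k9#Velvet-Rope"]:
        print(pw, "->", password_problems(pw, DEMO_PROFILE, previous="Summer2023!") or "ok")
```

The similarity check catches the common habit of incrementing a digit at password-change time ("Summer2023!" to "Summer2024!"), which is exactly the kind of change the article says is not significantly different. The run detector works on any characters, so it also flags keyboard-order fragments such as "xyz" inside a longer password; tune `RUN_LENGTH` upward if that proves too strict for your users.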

Most of these hints and tips are common sense, yet it is amazing how often they are ignored.

Most people are more blasé about PIN and password security than they should be. As credit card and e-banking fraud become more prevalent, financial institutions are likely to place a higher burden of proof on customers to show that they did not compromise security before they cover loss of funds from fraudulent use of cards, ATMs, e-banking accounts etc.

It is also likely that in the workplace, employers will take an increasingly dim view of improper access to confidential material where that has been shown to result from poor security in the use of a password.
