Yeah, it’s better than nothing.

Still, the on-screen keyboard can be easily defeated by the easy-to-perform “look the user over the shoulder” hack. So I’d say it’s kinda double edged sword, and does not compare to he proper two factor which defeats both key-logers, over the shoulder snoopers.

Luke – good call you’re right. I read two factor and thought two password. I do think that the HSBC two password idea isn’t a bad one. Like you said, it isn’t as good as some kind of always changing number on a keycard or a dongle or something, but it does defeat keyloggers from spyware/trojans even if it doesn’t protect you from idiot users.

Oh, I forget at the “almost two factor” methods. Usually two factor is defined as something you know, and something you have. It’s more secure because the attacker now has to steal or social-engineer the dongle/card/fingerprint whatever out of the victim. And it works on psychological level too – a clueless user may think nothing of telling someone their password over the phone, but letting someone borrow their RSA dongle, Employee ID, Smart Card or something like that is a different matter.

People tend to be protective of security “items” such as keys and key cards, but wantonly reckless with passwords. This is one of the reasons why two factor works – especially if it’s in a form of a dongle that generates random codes every few seconds.

I don’t really consider that “type the second password on the on-screen keyboard” as a two factor, because it’s still “something you know”.

HSBC has two factor authentication. I haven’t asked about a dongle, but by default you have a password you type and a password you click onto a visual keyboard. That way key loggers can’t get you. The passwords must be different, and they have some requirements that the password isn’t too weak, but they do cap the length at something unreasonably low.

Well, the case of banks is actually an exception in Brazil. All of the big ones use two factors, usually two different passwords.

Mine have a password protection access that can’t be typed using the keyboard. You must click the virtual keys and the password can have any character.

Then, for all important transactions, you must have a card that matches numbers to letters. So the bank web site will show a random number and you must type the correspondent letters contained in your card.

I always say that banks should have two factor authentication. Or at least offer it as an option for the customers who are willing to pay the cost of the fucking dongle.

How many banks actually implement two factor? Precious few. I actually can’t name one that would do it off the top of my head.

The issue of password restrictions that force us to use *weak* passwords has always bugged me. It’s quite disturbing that there doesn’t seem to be any logical reason even after you gave it so much thought. /boggle

It also baffles me why bank and credit card sites, which are supposed to be the most secure (right?), are the ones most likely to have silly restrictions that disallow long passwords or special character passwords or passphrases. What is it that these financial institutes are doing that gives rise to these restrictions? Maybe the same person/team is responsible for the user authentication implementation on all these financial sites?

@gooli – ok, good point. Still, even if your password must be recoverable, you can use a 2 way hash, or some form of encryption. Or as you said, base64.

@vacri – I actually saw the restriction on the 3 letter searches on two other forums that I sometimes visit. It’s bizarre because there are tons of acronyms and 3 letter words one might want to search for.

@Ricardo – I guess tats true. But not hashing, using a two way hash and sending passwords via email is just not very secure. I’m at least hoping that companies like Verizon have better security policies in place. The way you should handle restoring lost password should by by generating a one time URL, sending it to the user via his registered email, and then asking him to respond to the security question to reset the password.

Well, in my experience, I’ve seen a lot of web sites/programs that actually don’t hash their password. Maybe it’s only the lack of experience in Brazil but I don’t think so. Also, these “programmers” that don’t use hash, limit the size in the database to store the password. Varchar from 10 to 20 is common in the cases I’ve seen

People (I mean companies) do all kinds of weird stuff with the password. It is sent by e-mail when requested, it appears in a change password page, etc. Even if in these cases the password is being hashed, I wouldn’t recommend a two-way hash either.