Do strong passwords and virtual keyboards fit the bill?
May 17th, 2007 | by mbhunter
Dimes to Dollars posted about the recent changes to the MyPay login procedure. MyPay is the online interface that federal employee types use to access pay stubs, make W-2 changes, get tax forms, etc. The Defense Finance and Accounting Service put in a virtual keyboard to replace the normal keyboard interface for entering your password.
ING Direct’s interface is similar and pretty easy to use. You can either click on the buttons or type in randomly-selected letters that are located in the boxes alongside the numbers. The new MyPay interface is a bugger, though. There is no easy type-in feature as there is with the ING Direct one, and the virtual keyboard gets scrambled every time you log in again, so you’re hunting for the numbers and letters each time among three dozen buttons!
I understand what these virtual keyboards aim to do. Entering a password on one of these defeats keystroke-logging spyware because either (a) no keys are pressed or (b) the keys that are pressed are not the actual password, and will not be the same the next time the user logs in. But these are not foolproof either. It’s possible to write a mouse-click logger and tie it either to a known pattern or to an image capture of the screen to deduce the password. So these virtual keyboards will reduce the likelihood of someone swiping or intercepting your password, but not eliminate it. It’s your other online activities and precautions that reduce the likelihood of having this malicious software installed in the first place.
On a related note, do highly-restrictive rules on password creation (like “two letters, two numbers, two uppercase, two symbols, 15 characters minimum, no dictionary words”) make them that much more secure, or does it just encourage people to create “keyboard art” for their passwords with easily remembered patterns? (If I didn’t see an IT security training video that had a “strong” password that was created just by going up and down the left side of the keyboard, hitting the shift key every once in a while, I wouldn’t have thought it was that prevalent.) I would think that password crackers would start including these kinds of patterns in addition to birthdays and Star Trek lines, thereby making them a lot weaker.
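To make the “keyboard art” point concrete, here is an added example (not part of the original post) of a check a password policy could run alongside the composition rules quoted above: it measures how many consecutive characters sit on neighbouring keys of a US QWERTY layout. The function names, the 0.7 threshold and both sample passwords are assumptions made up for this illustration.

```python
import re

# US QWERTY rows (unshifted). Column index approximates physical position;
# real keyboards stagger the rows slightly.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = dict(zip('!@#$%^&*()_+{}:"<>?', "1234567890-=[];',./"))
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}

def meets_composition_rules(pw):
    """Rule set quoted in the post; the dictionary-word check is omitted."""
    return (len(pw) >= 15
            and len(re.findall(r"[A-Za-z]", pw)) >= 2
            and len(re.findall(r"[0-9]", pw)) >= 2
            and len(re.findall(r"[A-Z]", pw)) >= 2
            and len(re.findall(r"[^A-Za-z0-9]", pw)) >= 2)

def walk_fraction(pw):
    """Share of consecutive characters typed on the same or a neighbouring key."""
    # Shift is ignored: '@' and '2', 'W' and 'w' are the same physical key.
    keys = [POS.get(SHIFTED.get(ch, ch.lower())) for ch in pw]
    pairs = list(zip(keys, keys[1:]))
    if not pairs:
        return 0.0
    near = sum(1 for a, b in pairs
               if a and b and abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1)
    return near / len(pairs)

def is_keyboard_walk(pw, threshold=0.7):
    # threshold is an assumed cut-off for this example, not a standard value
    return walk_fraction(pw) >= threshold

# Constructed samples: four left-hand key columns with shift on every other
# column, and a password with no keyboard structure.
SAMPLES = ["1qaz@WSX3edc$RFV", "t7#Lm2&Vq9Zd!xH4"]

if __name__ == "__main__":
    for pw in SAMPLES:
        print(pw, meets_composition_rules(pw),
              round(walk_fraction(pw), 2), is_keyboard_walk(pw))
```

Both samples satisfy every composition rule, but only the first is flagged as a keyboard walk, which is the gap the rules alone leave open.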
But in any case, virtual keyboards are definitely harder to use than a real keyboard where you can rely on muscle memory. Do they detract from the customer experience enough to make people look elsewhere? Or are they really not that bad?
What do you think? Are these virtual keyboards merely annoying or a necessary evil for your online finance needs?

7 Responses to “Do strong passwords and virtual keyboards fit the bill?”
By KMC on May 17, 2007 | Reply
I like these types of things. It’s at least an improvement. I agree, it’s a pain to locate the jumbled letters and numbers, but it really only takes a few seconds more.
I think, however, a more immediate concern is strong passwords. I read an article about how long it takes to crack various lengths/types of passwords and was shocked. I’ve converted to strong passwords when I can. What that means, though, is I have to create and maintain a password file. I then keep it on a memory stick. That’s the best I could think of.
By Chris on May 17, 2007 | Reply
I’m a bit annoyed by it, and it keeps me from signing in to my ING account regularly. It’s not really the virtual number pad or the user name and password, it’s the random questions they also ask you (it says you can ‘register’ the computer to bypass this, but it doesn’t work)…some 12 questions you filled out when you opened the account and it asks you a couple every time you sign in. What was my first cat’s name again? Mimzy? Or did I spell it Mimsy, or mimsy, or mimzy?
By dimes on May 17, 2007 | Reply
I feel that the multi-character type passwords make you tend to overuse a password again and again (I can’t tell you how many times I used to use the word “A$$h0le” until they changed the character minimum to eight) just so you have a hope of remembering it, because something like Kf8j#pL6 is generally too free of context to be memorable.
They’re less annoying than those awful security questions “The name of the city where your paternal grandmother was conceived?” “What was the middle name of your Maid of Honor?” Those things I absolutely hate. Like Chris said, I can never remember if I entered “Rogers,” “Mrs. Rogers” or “Carol Rogers” for the name of my second grade teacher.
By mbhunter on May 18, 2007 | Reply
Thanks for your comments!
@Chris: I registered my computer. Perhaps it’s a security setting? Or you’re not accepting cookies?
@Dimes: I laughed out loud at your comment. But what about just adding an exclamation point at the end to get it up to 8 characters?
By Bryan on May 18, 2007 | Reply
I support these stuffs. Strong password is really an important thing to protect our hard earned assets from clever spammers and hackers. Whereas jumbled up keyboards are not that tough to use.
@Dimes your comment really makes me laugh :)
By Shadox on May 20, 2007 | Reply
I CLOSED my ING Direct account because I was so annoyed by their supposedly strong security features. Bank of America, in my opinion, has much more powerful security – identifying your computer and protecting you against phishing – without being annoying. So, security can be improved without alienating customers.
In addition strong passwords are a nightmare. At work they have started making us change our passwords every three months in addition to being forced to use 8 character passwords. What did it get them? Now I can’t remember my password and I put a sticky note with my password on my laptop, just so I can remember my password… that is much less secure in my opinion than letting me use my old 6 char. password…
You can only annoy users so much before you start to get some unintended consequences that only hurt security in the long run.
By Patrick on May 21, 2007 | Reply
I have to remember about 10 “strong” passwords for work (I work at 2 locations with numerous on-line systems), and I make sure my personal passwords are also “strong.” When I have to change the passwords because it has been a few months, I change as many as possible at the same time. I never get them all, but I try!
It is a pain, and worthless if somehow keylogger software got onto your computer. (I scan my computer frequently, but you never know about the workplace).
The virtual keyboards can prevent against your PIN being stolen, but what about the password or account #? I would rather my password or account number be secured because thieves can still do damage with the account number. But I am glad to see companies improving security.