Day: July 14, 2009
It is becoming an epidemic. More and more banks and employers are changing their web applications in ways they believe protect both your interests and theirs, but in practice the changes do quite the opposite.
If your bank or employer is a well-known business, it is likely a frequent target for phishing attacks. More people reach sites through Google searches and through services that generate "tiny" URLs (a long URL is redirected through a third party's short URL that is easy to type into a chat client, an email, and so on). That means people are not using bookmarks to reach their banks or companies, and if a website looks familiar you are unlikely to pay close attention to the URL in your browser's address bar. By the same token, fat fingers can slightly mistype a URL you know by heart, landing you on a site other than the one you intended, where you can fall victim to a phishing attack. More banks and employers are going paperless, so nearly every request for action arrives by email, and an email has many ways to convince the user that it, and the links it contains, are authentic.
How are my banks and my employer putting my security (and theirs) at risk?
The reason is that they are implementing mechanisms that prevent your browser from saving and recalling stored user names and passwords. One is adding autocomplete="off" to the input fields, or to the form that wraps them. Another, which is becoming more common, is asking for your user name on one screen and your password on a second screen after the first is submitted; because the browser's saved-password feature looks for a user name and password submitted together in one form, splitting them across two screens leaves it with nothing it recognizes as a login. Either way, these mechanisms break the password storage and retrieval features of your browser.
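To make both mechanisms concrete, the following is an added example and not code from the original post or from any bank's site: a small JavaScript audit that scans a login screen's HTML for the two patterns described above, namely autocomplete="off" on the form or on the credential fields, and a screen that collects the user name without a password field. The helper names (auditLoginHtml, parseAttrs) and the three sample pages are constructed for this example. The autocomplete="username" and "current-password" tokens in the savable sample are later HTML additions that browsers use today; plain fields with no autocomplete attribute would also be savable.

```javascript
// Added example (not from the original post): audit a login screen's HTML for the
// two patterns the post describes as breaking browser password saving:
//   1. autocomplete="off" on the <form> or on the user name / password <input>s
//   2. a screen that asks for the user name with no password field on the same form
// Helper names and sample HTML are constructed for this example.

const TAG_RE = /<(form|input)\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Turn the raw attribute text of one tag into a lower-cased {name: value} map.
// Boolean attributes without a value (e.g. "required") are ignored on purpose.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? '').trim().toLowerCase();
  }
  return attrs;
}

// Returns { savable: boolean, findings: string[] } for one login screen.
// "savable" means nothing on the screen defeats the browser's saved-password feature.
function auditLoginHtml(html) {
  const findings = [];
  let userField = false;
  let passwordField = false;

  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const a = parseAttrs(m[2]);
    const label = a.name || a.id || '(unnamed)';

    if (tag === 'form') {
      if (a.autocomplete === 'off') findings.push('form has autocomplete="off"');
      continue;
    }
    const type = a.type || 'text'; // <input> defaults to type="text"
    if (type === 'password') {
      passwordField = true;
      if (a.autocomplete === 'off') findings.push(`password field ${label} has autocomplete="off"`);
    } else if (type === 'text' || type === 'email') {
      userField = true;
      if (a.autocomplete === 'off') findings.push(`user name field ${label} has autocomplete="off"`);
    }
    // hidden, submit and other input types never carry credentials; skip them
  }

  if (userField && !passwordField) {
    findings.push('user name requested without a password field on the same screen (two-step login)');
  }
  return { savable: findings.length === 0, findings };
}

// Constructed sample pages for this example.
const SAMPLES = {
  // Pattern 1: the whole form opts out of browser autofill.
  autocompleteOff: `
    <form action="/login" method="post" autocomplete="off">
      <input type="text" name="userid">
      <input type="password" name="passwd">
      <input type="submit" value="Log in">
    </form>`,
  // Pattern 2: first screen of a two-step login; the password is asked for later.
  twoStep: `
    <form action="/login/step1" method="post">
      <input type="text" name="userid" autocomplete="off">
      <input type="hidden" name="token" value="abc123">
      <input type="submit" value="Continue">
    </form>`,
  // A form the browser can save and recall (tokens are later HTML additions).
  savable: `
    <form action="/login" method="post">
      <input type="text" name="userid" autocomplete="username">
      <input type="password" name="passwd" autocomplete="current-password">
      <input type="submit" value="Log in">
    </form>`,
};

for (const [name, html] of Object.entries(SAMPLES)) {
  const { savable, findings } = auditLoginHtml(html);
  console.log(`${name}: ${savable ? 'browser can save credentials' : findings.join('; ')}`);
}
```

Run it with Node.js; the two-step sample reports both findings because its user name field is also marked autocomplete="off". One caveat for current readers: most browsers now ignore autocomplete="off" on login fields and will offer to save the password anyway, so of the two mechanisms it is the two-screen login that still defeats the browser's check.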
Why does denying password saving put us at risk?
There are two reasons this is so harmful, and both stem from human factors:
- Requiring a human to type the user name and password means the human must concentrate on entering the data rather than on judging whether the website is authentic. A browser only offers saved credentials on the site where they were saved, so if it populates the user name and password fields you know immediately that you are on the correct site. If the fields are blank and the user knows the browser should have recalled the password, the user is surprised and starts to question whether this is the right page. If the browser never saves the password, the user loses this fast and accurate check of the website's authenticity.
- Requiring a human to type the user name and password encourages the user to choose a password that is as easy to memorize and type as possible. That makes it easier to guess: fewer attempts are needed before one succeeds. It also pushes the user toward reusing the same password on every website, which is bad because if one website is compromised, every other account is wide open. If the user is conscientious about using unique passwords, they are instead forced to write them down and post them somewhere easily accessible but also exposed, such as a cubicle at work or a desk at home, where everyone in the office, or anyone who visits or breaks into the home, can read them.