User negligence?

Speaking on Deep Background, the Press Secretary whispered:

So, I end up having to do something INSECURE to remember the stupid
password. Either I have to create an insecure and "easy to remember"
password, or I have to write it down somehow. Now we are back to the root
problem, that the user's computer/user's password is now "insecure" and it
"isn't the bank's fault" when the user's password is discovered and used
without the user's permission. Well, that's BS. The bank created a policy
that cannot be securely followed! There is more to maintaining a secure
password than changing it frequently. The policy has to be one that can be
effectively followed by most people!

Strip <http://www.zetetic.net/index.html> is your helper here.

I have strip. Unfortunately, I don't always have my Palm at hand when I want to log in to my bank, and I didn't have it at hand the *last* time, when I had to change the password, so the new password didn't get entered into strip. But that's beside the point; using strip on a PDA (to help remember passwords) is a solution that only works for some people, in some circumstances. It would be much better to have a policy that just WORKED.

jc

or a 10 dollar key fob that always had a code you could combine with your
'pin' for a password... why is a solution like RSA/ACE so difficult for
people to accept on a wide scale?

After all, banks charge you for checks, why not for the FOB, and make you
purchase the replacement when you lose it?

-Chris