Those password Nazis and the privacy nuts at work

Please stop. First let users decide if they want a password, and let them choose it

May 03, 2016 02:37 am | Updated 02:37 am IST

It all started innocuously enough a few years ago. One of the larger mutual fund houses sent me an e-mailed statement with “Account Statement for Folio No. 123456” as the “Subject” line. After a whole lot of unnecessary verbiage it ended by saying, “for security reasons this statement is protected by a password which is your folio number”.

In broad terms, password security depends on something that you know and that no one else knows or can guess. A mail that discloses its own password, in this case a folio number printed in the subject line, is thus the least secure of all. This state of innocence did not last long, of course, and we have moved on to more and more bizarre situations.

One of my banks insists on a “User Name” which is at least X characters long, of which at least Y should be numeric. No one has told them that the user name only has to be unique. It has no security value.

The largest private sector bank has, in addition to a password, multiple levels of security for unusual transactions. There are many ‘secret’ questions ranging from my mother’s maiden name to the city where I went to college. In reality, the true answers are well-known to people who know me and easy for others to find. I could prescribe different fake answers to all questions, but then I would have to remember them. Fortunately the bank’s system is quite happy to accept “Cherry” as the common answer to all secret questions. The largest public sector bank has a password reset system that generates a new password, which is needed, but also a new user name, which is not needed, and mails it to me. The staff then call up to say that I should ignore the new user name and log in using the old one.

Mutual funds and credit card companies are the most painful. They never asked me if I want my e-mailed statements secured, but insist on protecting them using passwords set unilaterally by their “digital security challenged” minions.

These enforced passwords are generally combinations of my PAN, my name, my date of birth and such. Now thanks to KYC norms dictated by SEBI or RBI or whoever, call centres of various services use these same things to verify that I am me when I call. As a result, thousands of people have legitimate access to my PAN, my bank account number, my cell phone number, my e-mail address and so on. God knows how many more thousands “know” these by illegitimate access. I don’t know how to bring home to them that a password concocted using any of these well-known and inherently insecure data items or their combinations is totally unsafe. What’s more, making some elements of an insecure password upper case and some elements lower case does not make it safer. The smarter they think they are being, the more painful they make it for me without making the document any more secure from crooks.

A new inductee to the password dictatorship is the Income Tax Department. They seem to feel that my PAN in lower case combined with my date of birth in DDMMYYYY format is a secret known only to them and to me.

The current champion in the moronic password sweepstakes, however, must be India’s largest telecom service provider. They have unilaterally created a secret password for each of my cell phone numbers. This work of genius is a four-character alphanumeric combination. It remains the same from month to month. The password-protected bill arrives by e-mail one moment.

And, within the blink of an eye, the next missive arrives, unprotected: “We just sent your bill for the month of March 2016. The password for opening it is ‘u6t7’.” Back to square one. Unilaterally set password. Revealed to whoever has access to the encrypted statement. To all such password Nazis I would like to say, “Please stop”. First let me decide if I want stuff encrypted. If yes, let me pick my own user name. Either way, if there has to be a password, let me choose it.

Here, I must register a strong protest against the many who do let me set a password but spring a surprise after I create one by coming out with conditions. These generally prescribe the inclusion of X special characters and Y numeric ones.

No harm done, but do lay it out upfront. I owe gratitude to the few who not only let me set my own user name and password but also provide a password strength meter. This shows one how secure a password is and enables one to make it more so.

Post Script: As I finish this, I have a mail from my stockbroker cheerfully informing me I can now access my account and carry out all transactions by using my PAN as the password. Brilliant. What really can go wrong?

intops2@gmail.com
