Okay, so we have a company Visa card and, as with all credit cards these days, online security is handled through a 3D Secure or Verified by Visa system – the online equivalent of ‘Chip and PIN’.
Today, upon making a purchase we had to choose a password for Verified by Visa and we could not believe the trouble we had – it seems the people responsible for building the interface have no idea about security or a basic understanding of probability.
Firstly we tried a password containing just letters…
…computer says “No, you must include numbers”.
Okay we’ll let that one pass, it seems like a fair request that will indeed force us not to enter a dictionary word.
Next we tried a password that had two consecutive identical letters/numbers…
…computer says “No, you cannot use consecutive letters or numbers”.
Now this one seems a little crazy. If someone is trying to guess or brute force my password, the chance of the next character being the same as the previous one is exactly the same as the chance of it being any other letter or number, so forbidding repeats gives the attacker nothing to worry about. In fact this rule actually reduces the number of possibilities, because every password with a repeated character is now off the table.
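To put a number on that, here is an added illustration (not from the original post) that models the two rules as the post describes them – at least one digit, and no character equal to the one before it – over a 36-symbol alphabet of lower-case letters and digits. It counts the surviving passwords in closed form, checks the formula by brute force on a tiny constructed alphabet, and reports how many bits of keyspace the repeat rule throws away.

```python
from itertools import product
from math import log2

DIGITS = "0123456789"


def allowed(pw, digits=DIGITS):
    """Apply the two rules the post describes: must contain a digit, and
    no two identical characters in a row ("consecutive" read as repeats,
    which is the post's own interpretation)."""
    has_digit = any(c in digits for c in pw)
    no_repeat = all(a != b for a, b in zip(pw, pw[1:]))
    return has_digit and no_repeat


def keyspace(n, letters=26, digits=10):
    """Closed-form counts of length-n passwords over letters+digits.
    'no_repeat' strings: k choices for the first character, k-1 for each
    later one. 'both' subtracts the no-repeat strings made of letters only,
    which are exactly the ones that fail the must-have-a-digit rule."""
    k = letters + digits
    return {
        "unconstrained": k ** n,
        "digit": k ** n - letters ** n,
        "no_repeat": k * (k - 1) ** (n - 1),
        "both": k * (k - 1) ** (n - 1) - letters * (letters - 1) ** (n - 1),
    }


def brute_force_count(n, letters="abc", digits="12"):
    """Enumerate every string over a constructed toy alphabet and count the
    ones 'allowed' accepts; used to confirm the closed form above."""
    alphabet = letters + digits
    return sum(1 for t in product(alphabet, repeat=n)
               if allowed("".join(t), digits))


def bits_lost(n, letters=26, digits=10):
    """Bits of keyspace an attacker no longer has to search once the
    no-repeat rule is added on top of the must-have-a-digit rule."""
    ks = keyspace(n, letters, digits)
    return log2(ks["digit"] / ks["both"])


if __name__ == "__main__":
    print("toy alphabet, n=3:", brute_force_count(3), keyspace(3, 3, 2)["both"])
    for n in (6, 8, 10):
        print(f"n={n}: no-repeat rule removes {bits_lost(n):.2f} bits")
```

The loss is modest (well under a bit for typical lengths), so the real damage is the one the post goes on to describe: a password nobody can remember ends up written down.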
Finally we tried a dozen or so passwords that we would be able to remember…
…computer says “No, I’m not telling you why (though I’ll use my previous excuse – consecutive passwords)”.
At this point, we were trying all kinds of combinations of letters and numbers and it always found fault. What is the point in forcing someone to choose a bizarre password that they have to write down to remember? It’s about as secure as a chocolate piggy bank in the hands of my 4 year old.
It really does nullify the whole Verified by Visa concept!?