In which @Minkovsky applies for a student loan


  • ♿ (Parody)

    @flabdablet said:

    After getting past the main logon page for my.gov.au, you get a second page that asks you for an answer to one of your "security" questions (you have to create at least five of those during signup). Fortunately they let you write your own security questions. Mine are

    I just generate a series of derived passwords and keep them in the notes section.


  • Java Dev

    That's quite possibly it. I don't recall the exact error - may have been something like "Password is required". Wouldn't mean anything, confusing error messages are the norm in this beast.



  • Pitching simply to state FUCK SECRET QUESTION / ANSWER PASSWORD RECOVERY SYSTEMS. I HAVE AN EMAIL FOR A REASON YOU DUMB FUCKS.


  • Java Dev

    We have moved way beyond only using wish-it-was-two-factor for recovery.



  • My secret answer is always something like cat* or dog, and I choose the question completely at random. Why the fuck would I use some discoverable information about myself to make an honest answer and help someone steal my identity?

    * Obviously I don't actually literally use cat or dog, but some other short word which only I know.



  • My bank has a maximum length on passwords and disallows symbols. This means that my WTDWTF account is strictly more secure than the website where I make all my financial transactions. Thanks, bank!



  • We're now at wish-it-was-one-factor. Something you know (e-mail password) or have (phone), and something everyone knows (e-mail address, favorite color, airspeed velocity of an unladen swallow...)



  • The problem is that when I actually need to use the password recovery feature I have no fucking clue what I actually put as either my question or my answer. I am of the strong opinion that websites should default to considering your email account secure, and if more security is required than that (such as a bank account) then require an actual physical procedure or don't bother.

    Fuck that feature with a rake and whoever thought it was a good idea to implement it in the first place.



  • @sloosecannon said:

    Gotta fix that some time...

    careful, though...

    @trwtfbot said:

    A thing made of glass are TRWTF



  • @dstopia said:

    I have no fucking clue what I actually put as either my question or my answer.

    I have a little book with all my usernames, passwords and security questions written down. It can make it tricky to access some websites when I'm on vacation, but I heard that it's unhackable!



  • @RaceProUK said:

    three characters from my password

    This means one of two things:

    1. They have built a complex hashing setup that allows them to validate some combination of characters as well as the whole password.
    2. They're storing your password in plaintext. For a friggin' bank.

    And I think we all know which it is.



  • Tumblr supports 2-factor using Google Authenticator on a phone or a list of one-time passwords.

    My bank, like most in the US, uses a limited-length password and secret answers. Many even consider "mother's maiden name" to be secure. It's not like you can look it up in public records, people finders and Ancestry.com, right?

    I can make a shitty blog and have it be more secure than my finances.


  • ♿ (Parody)

    @joemck said:

    2-factor using Google Authenticator

    That sounds overly patriarchal to me.


  • :belt_onion:

    @TwelveBaud said:

    They're probably doing what Verizon's terrible router firmware does: "encrypting" the password in the browser for shitcurity raisins.

    :wat.jsp:



  • I always thought that all the fancy 'security' features are there only for the psychological comfort of the masses. The systems are supposed to look secure. If you provide the customer with real security, he/she will either compromise it using stupidity or run off to the competition.

    OTOH, if someone got hold of my online banking password, they could only transfer money between my two accounts - external transfers are protected with a one-use code sent via a text message to a phone number, and that cannot be changed via the online system (obviously).



  • @Eldelshell said:

    dragging.

    Not if they did something like this (screenshot from Orange Poland's top-up service):

    why the flying fuck do people do this i can't even



  • It's to prevent hackers...?



  • They forgot this part:

    <div style="-webkit-user-select: none;">
    

    And the part where they reimplement copying.

    You have used 2% of your copy quota for this song.


    This post brought to you by:

    • * { -webkit-user-select: initial !important; }
    • (1) User-agent styles (2) Page styles (3) Inline styles (4) Page important styles (4.5) Inline important styles (5) User important styles
    • style="margin: 0 !important; background-color: inherit !important; color: inherit !important; position: relative !important; left: 0 !important; top: 0 !important; max-height: none!important; max-width: none!important; height: auto !important; width: auto !important; visibility: visible !important; overflow: auto !important; text-indent: 0 !important; font-size: 12px !important; float: none !important; opacity: 1 !important;-webkit-transform: none !important;;-o-transform: none !important;;-moz-transform: none !important;;-ms-transform: none !important;;transform: none !important;;-webkit-filter: none !important;;-o-filter: none !important;;-moz-filter: none !important;;-ms-filter: none !important;;filter: none !important;;z-index: 2147483646 !important;display: inline-block !important; margin-left: 4px !important;"


  • More WTF-ness:

    I need to name two people who will be named as contacts in relation to my application. One of them is living outside the UK, but fortunately there is an option to enter an address outside of it. Their harebrained attempts at validating that info, though...

    That's how you enter postcodes in Poland you monkey!



  • It works if I put in a space instead of a dash but this is not how you format postcodes around here.



  • @Minkovsky said:

    below £21k/yr

    below £10k before 2006, £15~k before 2012.

    That threshold is a wonderful way to secretly make sure you pay more interest, and ensure that your loan is actually a 30 year university tax.



  • actually a 30 year university tax

    I'm surprisingly fine with that


  • Discourse touched me in a no-no place

    @algorythmics said:

    below £10k before 2006, £15~k before 2012.

    Is that right? I got mine in 2005 and my threshold was ~£15k.

    Although I did avoid repaying it for a couple of years after hitting the threshold.



  • I think those dates are "date of repayment starting" i.e. course completion years rather than course starting years. but I could be wrong


  • Discourse touched me in a no-no place

    Ah - that makes sense.



  • They could be hashing both the password and the secret question answers?
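
    How a site could actually store the password and the secret answers as salted one-way hashes, as an added illustration that is not code from the thread or from any bank discussed in it. It assumes PBKDF2-HMAC-SHA256 and a constructed answer-normalisation policy; note that a record built this way cannot answer the "characters 3, 7 and 12 of your password" style of challenge mentioned upthread, which is why that challenge implies reversible storage.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA256 with a random
# per-record salt. Iteration count is a demo value; tune it for your servers.
ITERATIONS = 300_000
SALT_LEN = 16


def normalize_answer(answer):
    """Canonicalise a secret-question answer so "Mr. Whiskers", " mr whiskers "
    and "MR-WHISKERS" all verify. Constructed policy: NFKC, casefold, keep only
    letters and digits. Normalise before hashing, never after."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def hash_secret(secret, salt=b""):
    """Return salt || PBKDF2 digest. Used for the password and every answer,
    so neither is ever kept in cleartext or reversibly 'encrypted'."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_secret(secret, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def enrol(password, answers):
    """Build the record the server keeps: hashes only. The question text stays
    in clear so it can be shown at recovery time; the answer never is."""
    return {
        "password": hash_secret(password),
        "answers": {q: hash_secret(normalize_answer(a)) for q, a in answers.items()},
    }


def check_answer(record, question, answer):
    """Recovery-time check for one question; unknown questions simply fail."""
    stored = record["answers"].get(question)
    return stored is not None and verify_secret(normalize_answer(answer), stored)
```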


  • Discourse touched me in a no-no place

    @grkvlt said:

    hashing

    If by that you mean “making a hash of” then yes.



  • @Minkovsky said:

    I know I can just focus on it and type it,

    If you can do this, it is security-wise broken, keyloggers being what they are. Lloyds TSB used to have the same three-dropdown thing, but each entry was space$ + "X" or the like, so you could not just type the X to jump to it.



  • @Steve_The_Cynic said:

    If you can do this, it is security-wise broken, keyloggers being what they are.

    But if you can't do this, it is accessibility-wise broken, "human interface" software being what it is.

    Life is about balance, and anyway we shouldn't be discussing client-side security and the possibility of stealing one password when their server-side security is ridiculously broken and there's the possibility of stealing thousands.

    ($100 says they're using 3DES or 2ROT13, not anything involving salting or hashing.)



  • @TwelveBaud said:

    But if you can't do this, it is accessibility-wise broken, "human interface" software being what it is.

    Life is about balance, and anyway we shouldn't be discussing client-side security and the possibility of stealing one password when their server-side security is ridiculously broken and there's the possibility of stealing thousands.

    ($100 says they're using 3DES or 2ROT13, not anything involving salting or hashing.)

    Accessible <<<========>>> Secure. Pick at most one, although it is very easy to make things worse...



  • @Steve_The_Cynic said:

    Pick at most one, although it is very easy to make things worse...

    Lloyds TSB chose "none of the above, at all".



  • Wouldn't it be better represented as a triangle, then? With them at the lower right.



  • @Steve_The_Cynic said:

    Accessible <<<========>>> Secure

    Tell that to my Google Authenticator.



  • @Minkovsky said:

    Password rules: ... maximum 16 (boo!)

    Apart from being one of my favourite bugbears, I've basically said this before in a previous post that I can't find, and somebody said I shouldn't get my password security advice from a webcomic.

    I guess my point is, fuck whoever said that.

    Here's another one of my favourite bugbears:



  • @JazzyJosh said:

    Current rates are really amazing when you think about how it's an unsecured loan.

    [emphasis mine]

    These words... I don't think they mean what you think they mean. You even admitted it:

    @JazzyJosh said:

    Granted you can't get rid of them in bankruptcy

    From what I understand of your system, it's a zero-risk loan and the interest rate should therefore be the reserve bank's rate.



  • @flabdablet said:

    Quite a few security-clueless outfits do seem to go out of their way to treat password management software as some kind of security threat.

    I hate that. My secret question is usually similar to yours: "What is your password?" and the answer is... my password. It's probably stored cleartext or maybe encrypted instead of one-way hashed, but if you're subverting my password manager and playing wish-it-were-two-factor games with me I already know my password is gonna get leaked. I don't re-use passwords anyway.



  • @Minkovsky said:

    Depending in which country. In the UK, if you're earning below £21k/yr you don't have to pay anything at all. OTOH if you step over that, those payments will automatically kick in as a form of tax. Damned if you do, damned if you don't...

    We do similar in Australia. The interest rate charged on the amount owed is CPI so it's effectively a zero interest loan. It's also only a fraction of the true cost of education, the rest being funded by the government. And you can choose to pay the entire amount up-front each semester for a very large (25%) discount.



  • @joemck said:

    I can make a shitty blog and have it be more secure than my finances.

    Banks have been doing security very poorly for a very long time, and this hasn't changed with internet banking. The cost of poor security is for them just a cost of business. They eat and/or insure against and/or force you to eat any losses so why would they care?

    The entire industry is built on inefficiency and incompetence. If the barrier to entry weren't so astronomically high they'd all be out of business tomorrow.



  • @Steve_The_Cynic said:

    Accessible <<<========>>> Secure

    You're Doing It Wrong.

    Bad security is inaccessible and inconvenient. Shit like stupid password restrictions, "secret" questions and answers, wish-it-were-two-factor, on-screen keyboards, subverting password managers, etc.

    Good security is near transparent for the normal use cases, which is why it's effective because people can't be bothered subverting it. Password managers, asymmetric (public/private key) encryption, in-memory credential caching agents, etc.


  • Discourse touched me in a no-no place

    @another_sam said:

    Bad security is inaccessible and inconvenient.

    Or not really secure at all, such as using ROT13 for password concealment because the programmer can't figure out how to undo it. (Yeah, slight exaggeration. Not as much as I wish it was though.)



  • @another_sam said:

    Banks have been doing security very poorly for a very long time, and this hasn't changed with internet banking.

    My bank evolved from a merged bunch of credit unions, and as far as I can tell they're doing everything the right way. In particular, their Internet banking facility has been streets ahead of anything offered by the Big Four, literally for decades.

    On the downside, they've recently started inviting us all to "experience new Internet Banking". I clicked on it once. It looks loathsomely mobile-oriented. So far I have managed to avoid actually using it, but I fear the spotty fondleslab-wielding twenty-somethings have finally managed to breach the outer shields; it will not be long before the competent, reliable, well-tested internet banking site with the mile-high top menus and the functional text density has gone the way of every other bloody thing that doesn't look like Dicksauce.



  • @Minkovsky said:

    Tell that to my Google Authenticator.

    That word in there that starts with G speaks against really being anywhere near "Secure", especially in a relatively broad sense of "Secure".



  • But it's a second authentication factor done correctly. Which is more than can be said for the examples you've given.


  • ♿ (Parody)

    @another_sam said:

    [emphasis mine]

    These words... I don't think they mean what you think they mean. You even admitted it:

    @JazzyJosh said:

    Granted you can't get rid of them in bankruptcy

    From what I understand of your system, it's a zero-risk loan and the interest rate should therefore be the reserve bank's rate.

    I don't know the ins and outs of student loans in the US, but I don't see how unsecured is a synonym for nondischargeable. One talks about collateral and the other talks about what happens in case of bankruptcy.



  • I mean, it's not strictly zero risk. You could e.g. get on a plane and leave the country.

    EDIT: Damn, Hanzo'ed even though I got the notification before posting.


  • Discourse touched me in a no-no place

    @boomzilla said:

    One talks about collateral and the other talks about what happens in case of bankruptcy.

    I think in effect the student loan is ranked as being senior to other types of debt. I don't know though; never needed to take one out. That's mainly because I was one of the last people to get a large student grant in the UK — most of my peers didn't qualify — and I was a cheap model of student to run at that point as I didn't smoke and hardly ever drank. 😃


  • ♿ (Parody)

    @dkf said:

    I think in effect the student loan is ranked as being senior to other types of debt. I don't know though; never needed to take one out.

    But that's still orthogonal to whether it's secured with some collateral or not.



  • @JazzyJosh said:

    get on a plane and leave the country

    Shh! Don't tell them that! 😛


  • Discourse touched me in a no-no place

    @boomzilla said:

    But that's still orthogonal to whether it's secured with some collateral or not.

    True. I don't think failing to pay a student loan causes your property to be seized. It's instead just some sort of impairment on the ex-student's income, and the structuring of the whole thing is complicated.

    I think the system stinks.



  • Your wages and tax refund can be garnished, if you consider that seizure of property.

