On Mon, 2024-07-15 at 11:08 +0100, Patrick O'Callaghan wrote:

> Ironically, the most hidebound sites tend to be banks, which in my
> experience don't even let you use a password manager (other than in
> copy-paste mode), which is by far the best way for the average user to
> get good non-repeating passwords.

My banking passwords are only stored in my head, so any technical security flaws are down to them, but they have the dumbest ideas about passwords (and customer relations).

One recently messed up my logon as part of their new security changes (which they didn't tell us about). While getting it fixed over two phone calls, they wanted to set up SMS TFA, and I had a go at them over how stupid that was (*), and how stupid their password construction rules were. During the call they told me there's another security change coming soon, where they'll allow us to have longer passwords, while I was telling them that they need to change their slack security procedures immediately, and I told them they should let us know about these things in advance. I don't like wasting half an hour of my time, or more, when I want to access my money.

* A common story in the news is someone will wake up and find that their phone isn't working, which they just put down to one of the many technical faults they have. What's happened is that someone with some of their personal data has ported their phone number over to a new device, done a password reset on their bank, used the fraudulent phone to confirm the password reset, and then emptied their bank account. The phone companies have very crap security at preventing that (number transferring), and the banks have poor security at user identification confirmation (some are easily satisfied with being told just your name and birthdate over the phone).
Many years ago I set up a bank account with virtually no checks on my identity. I don't have a driver's license, I didn't have any utility bills in my name as it wasn't my property; all I had was another bank account set up when I was a baby, a birth certificate, and a Medicare card (which doesn't verify your identity in the first place). The things they accepted were the kinds of things any thief could have grabbed during a burglary.

--
uname -rsvp
Linux 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024 x86_64

Boilerplate: All unexpected mail to my mailbox is automatically deleted. I will only get to see the messages that are posted to the mailing list.