
> don't even let you type your password in. Instead you have to use their janky on-screen keyboard to fumble your way through login.

Wow that's just insane. I'm glad I haven't run across any services like that. I'm not sure what their line of thought is; it only inconveniences normal users. A person attempting to try multiple passwords can likely figure out how to get around that restriction without issue.




> I'm not sure what their line of thought is;

It's theoretically a defense against key loggers. Of course, if someone has compromised your machine to the point where they're tracking keystrokes there's no reason to assume they can't also grab your mouse presses and websites.

This isn't even their worst security practice. What truly got me to leave was their security questions: they're presented as multiple choices. My randomly generated string stands out rather obviously next to the "typical" choices.


Yeah it's stairs and ladders. One I saw also randomized the position of numbers on the keypad, so you need now also to track that.

Which is pointless anyway because at the point you access the keyboard buffer you can as well install a certificate and get a proxy going.


This is where convenience trumps security. Virgin Money used to require you to enter your password using an on-screen keyboard, except they REARRANGED THE LAYOUT EVERY TIME YOU USED IT. Thank fuck they eventually got rid of it, but it was such an abject pain in the ass, I cringed every time I needed to log in to view my details.


I wouldn't even call it a trade-off between convenience and security, because there is no security gained. This is a trade-off between convenience and stupidity. If someone suspects that a keylogger is there, the entire computer should be assumed to be compromised. Trying to guess the capabilities of the keylogger and working around them is ludicrous.


It's a valid defense against hardware keyloggers, ignoring that you're way more likely to encounter a software keylogger.

If your account is interesting enough for criminals to break into your computer room and attach dongles to your PC (I'm imagining a Mission: Impossible style break here), congratulations: you've clearly made some good financial decisions in life :-)


Not unrealistic to assume a scenario where a disgruntled IT technician installs countless hardware key loggers throughout an open plan office. Could be easier and less noticeable than trying to circumvent the business-grade antivirus.



