Words by c.z.robertson

Too effective security

2004-04-04 13:00:07 GMT/BST

I've just had a very frustrating experience with Barclays internet banking. The authentication procedure requires your surname, a 12-digit membership number, a 5-digit passcode and a "memorable word". To get in you have to enter your surname and membership number in one form, followed by your passcode and two letters from your "memorable word" on a second form.

Guess whose "memorable word" wasn't memorable enough... End result: I had to have my passcode and memorable word reset. I'll have to wait a few days while they send me a new passcode by post.

Usernames and passwords I can cope with. I have about 50 of them in a file called passwords.xml in an encrypted filesystem. I can also cope with the 4-digit PIN code for my Barclays connect card. I can hold that in my head. But two items of identification and two of authentication (with one of each being a random string of numbers) is too much for me. It's too complex to memorise, and I suspect that the fact that it didn't obviously fit into passwords.xml was one of the reasons I failed to record it there.

But, without doubt, it's something that needs to be recorded. It's far beyond the limits of what's memorisable. Fortunately I'm a techie who keeps an encrypted filesystem for these sorts of things. If I weren't, I'd have undoubtedly written all my details down on a piece of paper in my wallet, or even on a Post-it note stuck to my monitor.

Jakob Nielsen has said it all before.