My email to US Bank support…
(I really did send this via their “contact us link” on the US Bank page)
To whom it may concern—
I appreciate you concern for account security, but I would like to point out two flaws in your current system:
1) You do not allow numbers or punctuation in my password. This inherently limits the strength of the passwords you allow
2) Your system of supplemental questions is problematic as I am normally asked the same question 2-4 times before the next question shows up. This means that a person who has managed to guess one of my quesions has a greater chance of being able to use it. I am sure you are using a proper random number, but the problem is that when you are picking between a small number you are performing a (rand() mod n) operation (where n is the number of questions). This means that you are much more likely to see runs in the numbers, even though the sequence itself is random. Therefor what you really want to do is ensure that you randomly pick between the questions that were not asked the LAST time. IE if B was the question asked, then you should randomly pick between A, C, and D.
As read this back to myself two thoughts come to mind:
- They are going to read it and scream “nerd!”
- I seem to have become the kind of person who writes highly techincal and detailed letters to people who are probably powerless to do anything
Next thing you know I will be writing kurmudgeonly letters to the editor about the state of youth culture…
