yosithezet

I really don't like websites that make me change passwords on a regular basis. It seems to me that it is my responsibility to change them when I determine it important to change rather than when they deem it important.

Today I logged into my Matmid account to find that I need to change the password again. Fine. But now they've made it more complex and less convenient for me. The password now needs to have two parts. The first part needs to be a combination of letters and numbers with at least two letters. The second part must be four numbers which you can also then use as your password for Matmid services by phone. I was quite happy with the two passwords being totally seperate. I was quite happy with my online passwords being a mixture of 8 letters and numbers of my own choosing. Why don't they, and all the other companies with online services, focus on great functionality instead of getting so worked up about how I choose my personal password?

mikebg

The worst part of this supposed improvement in security is that people will end up writing down their passwords because they can't keep track of so many constantly changing passwords. They will also think of patterns which they can easily remember (like an incrementing counter) which also defeats the purpose of the whole thing. The result of course is a downgrading of the security.

EL AL are not alone here. My bank does it as well, although I have never encountered it anywhere outside Israel.

LatusElAl

I find this password change thing to be one of the most annoying and problematic elements of Israeli websites. I holler at El Al for it every 3 months, when they make me change it.

You are correct that it is unique to Israel. That emanates from a Bank of Israel requirement of all Israeli banks and credit companies to force user passwords to change every 3 months. The flaw is, like mentioned above, that people will simply record their passwords in unsecured locations since they can't remember them anymore. Its really asinine.

ebzed

Off Topic, Sorry that's in hebrew...
זה מעצבן זה?
מעצבן שהדיילת באה ושואלת אותך עם תרצה עוף, פסטה או דג לארוחה
וכשאתה מבקש עוף היא אומרת שנגמר ואז אתה מבקש פסטה והיא אומרת שנגמר
זה מעצבן!

לכל צופי מועדון לילה

(Shortly in English, There is a late night show in israel, Where on one of
the parts they talk about annoying things name "This annoy you?"
So the hebrew text says:
"This Annoy you?" What really annoy is that the FA ask you what you want
for meal "Chicken, Pasta or Fish" and when you ask for Chicken she said
"Sorry, No more chicken" and then When you go for the Pasta there is no
Pasta as well! That's Annoying!
(From now i sit in 10C! let the other guy in the end be out of chicken or pasta!)


And i totally agree on the password thing!

ELAL

Looks like they want to boast that not only has their airline got the best security, but also their airline has

Thats why most times I log in I have to use the "forgot my password" option (I'm extremly glad my bank hasn't got this rule).

ebzed

Best Security?
If i would be a hacker, Knowing first 2 chars are letters, the 2 others are
letters or digits, and the last 4 ones are digits, I would say that a brute
force attack on the web site would make it much easier!

damaxer91

Its a royal pain! What I've been doing is keeping the same password and adding one number to the end....

mkilmo

Yes, I know it's annoying (really annoying, especially as on Linux+firefox the website for matmid still have some quirks).

But it's important. Seriously. You may ask yourselves, what the problem? what can happen (btw, a hacker which will try all combinations will just get locked out, because modern systems which identify excessive number of tries just lock the account)?

Well, your account may be hacked, a ticket award issued, and you will not know about it before checking your next statement in a few months. Yep, most people do not bother checking their account every second day (let's face reality here), and LY will have some liability to fix the problem (consider the bad PR they will suffer if someone used your points for a F flight to LA. and LY will refuse your request for getting the points back 'coz your password has been hacked).

And remember - this is not an airline, this is Israel!

mikebg

I realise that, and am as concerned as anyone else about computer security. However, forcing a password change every 3 months results in LESS secure systems, not more secure systems, for the reasons explained above.

yosithezet

I know exactly what can happen. However by making it too complex to choose a password the opposite is what happens in practice. As mentioned already, people need to eventually start to write down their passwords because this website requires this format and that one requires another format. I know more about Kerberos than how it is spelled and this is over the top.

ebzed

Knowing the site, On the web gui there is no locking or restrictions on the amount of times (max tried so far is 25)...
If someone will want hack the system it wont be probably thru the GUI...

Google/Microsoft/Visa and Many banks in the US failed on this,
Its all about the will and the "targil".

Dont forget that the database hold credit cards (for whoever put them on the site) and some other personal details - And there are the bored kids which
will do it just for fun and cause a chaos.

I started there...
Ebzed (a.k.a Mephistopheles (at the 90s...) 8-))

mkilmo

It was you!!!!!!!!!!!!!


Now seriously, we all know that when you have a complex password you write it down on a piece of paper, but then there is a paper trail (literally), as usually this piece of paper is in your office/home. So the only way for someone to actually see it is to come to your home/office.

I guess that your physical access control is slightly better then the open door methodology.

And please, let's not confuse the web (in)security with the fact that a good password is a good idea.