The other day I went to 1stBank without my account number. They asked for my verbal password. Funny, I never set such a thing. They assured me I did and wrote it down on a slip of paper. It was my login password! They tried to convince me I had set it once and forgotten it, and that all their customers do. The problem is, it is not a word at all but a string of characters that is awkward to say. I would never say it out loud in front of other customers as it could allow anyone to use my online account to transfer funds. In fact the teller could just do that anonymously from the comfort of his home, if he realized what it was. He could do that for any number of accounts.
The other scary part of this is, online passwords are supposed to be encrypted using a one-way hash. If you forget a password, they are supposed to reset it to a random string, then you have to change it when you next log in. They are not supposed to have any way to recover a password. That way, disgruntled system administrators cannot get them. The fact that they created verbal passwords from their online passwords means they are not securing the online passwords. This is much worse than keeping credit card numbers in their database. 1stBank has $8 billion in deposits!
Thread locking in SQL Server
-
I just discovered a cool system stored procedure in SQL Server.
sp_getapplock allows you to do thread locking in T-SQL without creating
surrogate DB object...
11 years ago
No comments:
Post a Comment