The three online banking facilities I have access to (one UK, two Irish, which is another post in itself…) all require me to have a passcode of variable length, which they use as a form of wish-it-was-two-factor authentication. They each take a different approach to how it is entered: one asks me to select three numbers at random from drop-down boxes, with the other numbers represented by ‘*’, whilst the other two just ask me to type three of the numbers into three provided entry fields. Obviously the numbers requested differ on each login attempt.
What they are trying to guard against is key loggers or other such malicious software reading the numbers entered; hence the drop-down box approach, which encourages use of the mouse rather than the keyboard, the mouse being harder to track.
The subject of this post leads to an interesting technique used by the UK bank. Instead of asking for numbers 1, 3 and 6, or 2, 4 and 5, it asks for first, third and last, or second, fourth and next to last. The help for said bank actually states that “next to last” is an attempt to help mask the length of the passcode. The thing is, ever since they introduced this it has been very noticeable that “next to last” seems to get asked for a lot. The question, though, is this: is it actually being asked for more than the other positions because the code behind the site knows this is a special-case position and that influences the “randomness”, or is it simply that it stands out more and I just think it pops up more often?
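One way to settle that question, short of logging every challenge the bank sends, is to work out what an unbiased picker would look like and compare. Under uniform sampling of three distinct positions from a passcode of length L, every position (including “next to last”) is requested with the same probability, 3/L, so a position that turns up markedly more often than that is evidence of a biased picker rather than of selective memory. The simulation below is an added example written for this post; it is not the bank's code and assumes nothing about it. The passcode length of 8, the trial count, the seed, the ordinal labels beyond “fourth”, and the deliberately biased picker (which always includes next to last) are all constructed for illustration.

```python
import random
from collections import Counter

# Constructed assumptions for the example: an 8-digit passcode, three
# positions requested per login. The real bank's length is not stated.
PASSCODE_LENGTH = 8
POSITIONS_PER_CHALLENGE = 3


def position_label(index: int, length: int) -> str:
    """Map a 0-based position to the kind of label the post describes.
    Only 'first' .. 'fourth', 'next to last' and 'last' come from the post;
    the remaining ordinals are assumed for completeness."""
    if index == length - 1:
        return "last"
    if index == length - 2:
        return "next to last"
    ordinals = {0: "first", 1: "second", 2: "third", 3: "fourth",
                4: "fifth", 5: "sixth", 6: "seventh", 7: "eighth"}
    return ordinals.get(index, f"{index + 1}th")


def uniform_challenge(length: int, count: int, rng: random.Random) -> list[int]:
    """Unbiased picker: every set of `count` distinct positions is equally likely."""
    return sorted(rng.sample(range(length), count))


def biased_challenge(length: int, count: int, rng: random.Random) -> list[int]:
    """Hypothetical biased picker: always asks for next to last, fills the
    rest uniformly. Constructed to show what a bias would look like."""
    others = [i for i in range(length) if i != length - 2]
    return sorted(rng.sample(others, count - 1) + [length - 2])


def expected_share(length: int, count: int) -> float:
    """Probability that any given position appears in one challenge under
    uniform sampling: count / length (by symmetry, the same for every position)."""
    return count / length


def challenge_frequencies(length: int, count: int, trials: int,
                          rng: random.Random, picker) -> dict[int, float]:
    """Fraction of challenges in which each position was requested."""
    seen = Counter()
    for _ in range(trials):
        for pos in picker(length, count, rng):
            seen[pos] += 1
    return {pos: seen[pos] / trials for pos in range(length)}


def over_represented(freqs: dict[int, float], length: int, count: int,
                     tolerance: float = 0.05) -> list[int]:
    """Positions requested more often than the uniform expectation plus a
    tolerance. With tens of thousands of trials the sampling noise is well
    under 0.01, so 0.05 separates bias from noise comfortably."""
    expected = expected_share(length, count)
    return sorted(pos for pos, f in freqs.items() if f - expected > tolerance)


def run_simulation(trials: int = 20_000, seed: int = 1) -> dict[str, dict[int, float]]:
    """Run both pickers with a fixed seed so the result is reproducible."""
    return {
        "uniform": challenge_frequencies(PASSCODE_LENGTH, POSITIONS_PER_CHALLENGE,
                                         trials, random.Random(seed), uniform_challenge),
        "biased": challenge_frequencies(PASSCODE_LENGTH, POSITIONS_PER_CHALLENGE,
                                        trials, random.Random(seed), biased_challenge),
    }


if __name__ == "__main__":
    results = run_simulation()
    expected = expected_share(PASSCODE_LENGTH, POSITIONS_PER_CHALLENGE)
    print(f"expected share per position under uniform sampling: {expected:.3f}")
    for name, freqs in results.items():
        print(f"\n{name} picker:")
        for pos, f in freqs.items():
            print(f"  {position_label(pos, PASSCODE_LENGTH):>13}: {f:.3f}")
        flagged = over_represented(freqs, PASSCODE_LENGTH, POSITIONS_PER_CHALLENGE)
        print("  over-represented:",
              [position_label(p, PASSCODE_LENGTH) for p in flagged] or "none")
```

Run against a real log of challenges, the same comparison works with the observed frequencies in place of the simulated ones: if “next to last” sits at roughly 3/L alongside the rest, the picker is fair and the impression is just the label standing out; if it sits well above, the site's “randomness” is doing what the post suspects.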