Thursday 10 March 2016

NS&I security

I've just registered with the National Savings and Security web site. Their security is impressive.

It starts off with, you apply for registration. After a few days, you get your initial password through the post, on a tamper-evident seal.

I wrote that down, then got onto their web site. That asked me for my surname (easy) and my NS&I number. I had to refer to previous correspondence for that.

Meanwhile, there's a timer going, it will log me out after 5 minutes. But I can click to reset the timer. This will prevent a situation where someone walks away from the computer without logging out.

I gave the NS&I number, with the spaces as per the letter. It realised that it could ignore the spaces! That is, obviously, very easy to program, but I've been on so many web sites where the programmer thought this was my responsibility, and if I had extra spaces it was my problem.

Then is asked me for a password. 6-8 characters, at least one upper case, at least one lower case, at least one digit, at least one special character. It then wanted two phone numbers in case of need to contact me, and five security questions, of the "name of first pet" variety. I made up five random answers to these questions, so they can't be guessed by someone who knows me well.

Whenever I log on, it shows me a picture that I chose from ten, and a phrase that I gave it. So that when I log in to their site, I know it isn't a spoofed site.

My only criticism of this, was that when I tried to use a 9-character password, it wouldn't allow that. 8 is really short, why not allow people to use longer ones?

It looks to me as if they've really given considerable thought to their security. So I tested it using the Qualys SSL test.

It scored "C", which is pretty poor. For example, they're using weak 128 bit RC4 ciphers.

1 comment:

  1. A quick Google search reveals that people have been complaining about this for several years. At first I thought the 8 character password limit must be the result of legacy systems - 1970s mainframes running Cobol etc - but if they can store the 'security questions' in sizeable variables, why not the password?

    At the end of the day NS&I is a government entity and will not change its processes no matter how much the public complain. The only thing that would force it to gets its house in order would be a very public breach of its back-end database.