Good banks will shut down your accounts after a half dozen or so attempts to unsuccessfully log in. So it doesn't matter if the computer can guess your password in 3 days. It only has six attempts before it gets locked out.
MAC addresses are usually mutable. While such provides an additional secret that need not be remembered, it has the significant disadvantage of traveling over the network unencrypted (so if one knows that such is being used as the secret, the secret can be more easily discovered).
Other system information is available for similar purposes and is not passed over the network unencrypted. Of course, if the device has persistent storage and the ability to run third-party software, then more complex mechanisms could be used.
Unfortunately, a resourceful scammer could register a domain like mybank.cn or mybamk.com, which on casual inspection might be confused with mybank.com.
One of the problems with password complexity is that different sites have different restrictions on length, allowed characters, and required characters. One site that I use requires at least one number (among other restrictions), reducing the ease of using a pass phrase (making the xkcd comic very apropos).
I also worry about phone phishing. On occasion, my credit card has been compromised through no fault of my own. The first thing that happens is that my credit card company calls me to determine whether some charges are legitimate. The call comes from an 800 number not listed on my card, and if I don't answer, leave a message with that unknown 800 number. Then, they try to identify me by having me answer questions from my credit history, like "Did you ever live on Mickey Mouse Lane? What address?", as if I can remember the house number from 20 years ago.
I always call them back via the number printed on the card, and they never understand why I'm concerned about calling random 800 numbers and entering my card number into a machine.
Binding you secure operations to your computer ( registering and validation of the Mac address of your computers network card ) could be an added security for carrying out secure transactions.
My broadband service provider does not allow me to use its broad band service from any other PC or Laptop. I can only use it from the computer whose Mac address has been registered with him.
This is sometimes inflexible but always secure.
Excellent article Sylvie, which has encouraged some great suggestions above. For those using the Firefox browser, I can highly recommend the free add-on Noscript (noscript.net), which blocks scripts from running without your permission as well as greatly improving browsing security by blocking cross-site scripting, etc.
For those that have Linkedin accounts (particularly if you have included a CV), if you haven't already changed your password, do so NOW and do it regularly until you hear from Linkedin that they have closed this vulnerability. The password hashes stolen from Linkedin did not use a salt in their generation, making them relatively easy to break.
Regarding keep your (ever increasing list of) passwords secure, the universal password services are indeed excellent (well until the first service is cracked and those responsible have access to ALL your accounts). There is also nothing wrong with keeping your passwords written down provided they are kept in a secure location. (Remember, if they are stored on any network connected computer, attempts can be made to gain access them from anywhere in the world.) Remember, Moore's law means passwords get easier to crack as CPUs and graphics cards get more powerful, so keep your passwords hard to guess and change at least the important ones regularly.
Ok this crap cost our economy billions of dollars in lost productivity cleaning up the messes made.
Here is how to fix it...
A pop up click blocker or embeded link blocker.
Even if it just adds one more are you sure box that you must click twice on it will save the 90% that OCD'd clicked without thinking.
Better...The embedded link blocker reads the intended site name verifies or flags the hidden link as being differnt than the one shown onthe screen. And if cross-site scripting is employed then it closes link before loading.
reports cross-site scripting phishing attempts to a central security conglomerator and reporting system.
Why, yes, thank you, Frank. i promise to transfer you the 1 billion dollars we discussed soon.... but first, and I know this is trivial, considering all the money I'll soon be sending you, but could you forward me another $2000 in stamp duty? Thanks mate! ;)
A Book For All Reasons Bernard Cole1 Comment Robert Oshana's recent book "Software Engineering for Embedded Systems (Newnes/Elsevier)," written and edited with Mark Kraeling, is a 'book for all reasons.' At almost 1,200 pages, it ...