NR ask for 2 characters of a (long) alphanumeric password, the characters requested are only rotated on a successful logon. This is the system I believe BOI are now using, except using a 6 digit PIN. But up to now BOI asked for 3 numbers of the 6 digit PIN, if you did not know any of the numbers being prompted for, you just refreshed the screen and it would prompt for another random 3!!
The NR password is 9 characters long, which isn't very long (although it is longer than that of some online banks). Asking for 3 out of 6 certainly is worse though.
The issue that I have with NR's system is that it asks you for the same characters every time until you have successfully logged in. If you enter the wrong ones 3 times in a row then you are locked out, which is a good thing, but when their system was virtually unusable recently you could enter the correct details and still not login successfully. Next time you tried you were prompted for the same characters again, but you were unlikely to login successfully then either. And so on. Basically, for as long as the system was unable to successfully log you in, your account was protected by the same 2-character password (which someone could potentially record during any of your failed login attempts), which is not good.
Changing the combination of characters that you are prompted for each and every time is better, whether you successfully login or not, as long as the possibility of the same combination arising more than once in a "short" space of time is small. Basically, if someone has 2 characters of your password, and they sit there refreshing the login page and getting a different combination of characters prompted for every time, then if the number of possible combinations is small (e.g. a combination of 3 characters from a 6 character long password) you are correct to be concerned as they won't have to wait long to be prompted for the specific two characters that they know. One way to significantly reduce the risk is to reduce the probability of any one combination cropping up (which reduces the possibility of them being prompted for the characters they know), and this can be done by using longer passwords, using passwords with a wider variety of characters in them (e.g. passwords that contain punctuation characters as well as letters and digits), etc. This would require more effort, and perhaps more expense, on the part of the provider of the service so such commitment tends to be rare.
Of course, another approach is to require you to change your password every now and again. This tends to be the approach taken in office environments for passwords used to access local network services. Again though, most service providers don't implement that because of the hassle and the expense (most of the expense is in providing some kind of support service for customers who are confused by the need to change their password, can't remember their new password, etc.).
Another approach which addresses most of the above concerns is to use the kind of authentication that Rabodirect uses, where your password is determined by the numbers output by your Rabodirect token/fob. It is based on the same basic theory that your password is a selection of random digits from a finite number of possibilities, but basically with this system your password actually changes every time you login so it increases the number of possible passwords by a huge amount therefore making it extremely unlikely that someone can either guess your password or re-use one that you have already used. Of course, this system isn't perfect either as its additional complexity requires more complex software to implement it and the more software you have the greater the risk of there being bugs/errors/holes in it which might be exploited, but it still remains better than most of the other alternatives out there.
Towger said:
Google will find you many products capable of recording a PC screen.
I wonder how capable such products are. They would need to record your screen contents (presumably from the machine's memory) at the right time in order to capture your password. And considering your screen content is changing constantly, that would be far from easy.