-
I wasn't referring to your SecureID token (I co-manage ours at work so I know what they are) but only to the key sizes / ciphers you mentioned were used for the connection...
If your browser showed 128-bit encryption being used (padlock icon mouseover), it was most likely an RC4 cipher or AES-128. But that's only for the data exchange phase which implies a symmetric cipher. It doesn't tell you what key exchange asymmetric cipher/length was used; for that you have to check the certificate's key. Most of the time, a 1024-bit RSA key is used (with SHA-1 for signing).
Ammo
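Added example, not part of the post above: a Python sketch that splits a TLS cipher suite name into the parts the post distinguishes and sets the padlock's symmetric figure beside the strength of the certificate's RSA key. The function names `describe` and `rsa_strength` are hypothetical, the strength table follows NIST SP 800-57 Part 1, and taking the minimum of the two figures is a simplifying assumption.

```python
import re

# Comparable security strength (bits) of RSA moduli, per NIST SP 800-57 Part 1.
RSA_STRENGTH = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]

# IANA-style names such as TLS_RSA_WITH_RC4_128_SHA or TLS_DHE_RSA_WITH_AES_128_CBC_SHA.
SUITE_RE = re.compile(
    r"TLS_(?P<kx>[A-Z0-9_]+?)_WITH_"
    r"(?P<bulk>[A-Z0-9]+_(?P<bits>\d+))(?:_(?P<mode>CBC|GCM))?_(?P<mac>[A-Z0-9]+)"
)

def rsa_strength(modulus_bits):
    """Map an RSA modulus size to its comparable symmetric strength."""
    for size, strength in RSA_STRENGTH:
        if modulus_bits >= size:
            return strength
    raise ValueError("modulus below 1024 bits is outside the table")

def describe(suite, cert_rsa_bits):
    """Separate what the padlock reports from what the certificate key provides."""
    m = SUITE_RE.fullmatch(suite)
    if m is None:
        raise ValueError(f"unsupported suite name: {suite}")
    kx = m["kx"].split("_")
    padlock_bits = int(m["bits"])          # symmetric key size: the padlock number
    cert_bits = rsa_strength(cert_rsa_bits)
    return {
        "key_exchange": kx[0],             # e.g. RSA or DHE
        "authentication": kx[-1],          # the certificate key type
        "bulk_cipher": m["bulk"],
        "mac": m["mac"],
        "padlock_bits": padlock_bits,
        "cert_strength_bits": cert_bits,
        # Assumption: treat the weaker of the two as the session's rough ceiling.
        "effective_bits": min(padlock_bits, cert_bits),
    }

if __name__ == "__main__":
    # Constructed inputs: suite names paired with certificate RSA key sizes.
    for suite, bits in [("TLS_RSA_WITH_RC4_128_SHA", 1024),
                        ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 2048)]:
        print(suite, bits, describe(suite, bits))
```
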
-
I'm a big fan of online banking myself. I do everything online nowadays -- banking, credit card, cell phone account management -- I feel more secure because it allows me to keep a constant vigil on exactly what's going on. Nothing can happen on my account without me seeing it. And I advise that if you do do it online, do it at least daily so that you'll catch any possible discrepancy that can occur. You better watch it like a hawk.
However, I only check my accounts from one of two places -- my main home computer or my office computer, both of which I keep locked up tight and secure (though I haven't thought about keeping an eye on the hosts file -- thanks TigerShark). I also make sure I use complex passwords.
However, I have to air one complaint: Most websites don't allow for complicated enough passwords yet. You have the "please keep it within 6-8 characters" rule, which is bad news in my eyes. What does that mean? No passphrases. We'd be much better off with nice, long passphrases, especially since most password crackers can handle anything under 10 characters nowadays. When's the rest of the world gonna catch up?
-
AngelicKnight....
Government regulations on password length are a bit behind and spending a shirt load of money to modify existing systems to support 15 characters may take a while. Not to mention increasing complexity increases calls to telephone centers with pissed off customers who cannot access their accounts so you run the risk of mis-identifying someone in the essence of time to restore versus complex verification that may take an hour or two to verify. ;)