IRD online services registration

I recently signed up with IRD’s (New Zealand’s Tax Department) online Kiwisaver service, so I could view the status of my payments and balance of New Zealand’s voluntary superannuation scheme.

The user sign up form is pretty depressing (and no, not just because it’s about signing up to tax rather than cool stuff):

The 70s called, they want your security consultants back.

My first concern is passwords being limited to a maximum of 10 characters, it’s way too short for many good passwords (or even better, passphrases), any system should take at least 255 chars without complain.

Secondly, the “forgotten password phrase” is the most stupid thing I’ve ever seen, it’s basically a second password field – if you forget your password, you can contact them and give them this second password…. except that if you’re stupid enough to forget the first password, how the hell are you going to remember a secondary normally never-used password?

I’d also love to know how secure the secondary password phrase requirements are, because since it gives you access into the account, the security is no stronger than whatever you put in here – and how likely are users to choose something good and secure as their “backup phrase”?

This is some pretty simple security concepts and I’m a bit dismayed that IRD managed to get these so wrong – at least it shouldn’t be hard to correct….

This entry was posted in Uncategorized and tagged , , , , , . Bookmark the permalink.

3 Responses to IRD online services registration

  1. TrojanCentaur says:

    What to you mean, easy to fix? You’re forgetting *culture*, Jethro. Especially in a government department, even more so a heavily bureaucratic one like the IRD, culture in an organization can turn simple fixes into months and months of pointless meetings, spec sheets, comittees, external auditing, cultural resistance, budgets, project management and if you’re particularly unlucky, being pushed further and further back by seemingly more important issues until it’s dissolved into oblivion.

    I assure you, this will NEVER be fixed. Not unless a significant security breach, total system overhaul or the death of the internet itself comes about.


    • Jethro Carr says:

      haha, well I was writing from a technical POV…. culture is a whole another issue entirely. :-)

      • TrojanCentaur says:

        If only the IT industry could *only* be affected by technical points of view! So many great ideas shelved and bad ideas developed based on political, financial, cultural, even legal matters. Even general laziness seems to be a factor: the number of times I’ve spotted security problems with software packages only to be condescendingly dismissed as ‘whining’…


Leave a Reply