Rage against the machine
I believe that it was Tog from whom I learned the maxim that any security dolt can design a security system that guarantees that all users will write down their passwords. In fact, Bruce Schneier advocates that since users can no longer memorize passwords that are long enough to be strong, they should just write them down. And that's exactly what I do these days.
I wonder where the idea that passwords somehow rust comes from. Why not let users keep their damn passwords as long as they like? After all, my bank doesn't require that I change the PIN of my Interac card once a month, even though it is only four digits long. If the users didn't constantly have to change their passwords, their passwords could be much longer and thus impossible to crack with raw computing power, which I understand to be the whole point of forcing the users to change their password regularly.
Where this gets really ludicrous is when different services start demanding password changes at different times. If you use the same password for several services (one password for the unimportant services, another one for the more important services, and separate individual passwords for the services where I could lose actual money) you have to remember to change it for all of them at the same time. And what do you know, different systems have different requirements for the password length and content.
It's a good thing that your web browser can remember the passwords for you if you ask it to. Let's hope that my computer or the browser will never crash or corrupt so badly that it forgets this information, since there are services whose password I can no longer even remember, relying on the web browser to remember it for me instead. Or that I ever have to access those services on any other machine. Of course, the web browser has a nasty habit: when it has downloaded the page only partially and you start typing your password into the textbox, finishing the download makes the focus jump to another, non-starred textbox, making your password visible to everyone who happens to be standing behind you. And should you not notice this happening but try to log in anyway, the web browser will helpfully remember your password in the drop-down menu for the textbox that you accidentally wrote it in.
And what if your brain becomes overtaxed in all this and you just plain old forget your password? Well, of course the helpdesk will helpfully tell it for you when you call them, but first your identity must be verified with a question chosen from a set of almost idiotically easy questions such as "What is your pet's name", "What is your mother's birthday" or "What year did you start working for this company?" Gee gollybong, I sure hope that nobody could ever find out those things about me, and, like, impersonate me over the phone or something. It should go without saying that the helpdesk does not allow you to submit your own "security" question and its answer.
But if it's really gonna be that way, why do we have passwords in the first place? Couldn't the system simply ask the damn security question at login, since in the end, isn't the security question the only thing that the intruder needs to get right? Why bother having a sturdy steel door with the best available lock in it, if you then go build a back door that consists of not much more than mosquito mesh?