'Q. What was the name of your wife's first lover?'
As far as I'm concerned, I demonstrated who I was when I walked past the entrance CCTV and used my RFID pass to get in the building. Why I had to keep doing it in increasingly ludicrous ways throughout the day is beyond me.
As for the need to create a password that isn't the name of your kids or their birthdays or the word 'password', I do get it. But the current new wave of online harassment to make you invent an utterly forgettable 'strong' password?

Froth is NOT good for fingerprint security
Oh come on - the biggest security threat to my online accounts isn't the risk of a mischievous Russian hacker spending a week trying to guess my 'strong' password but the depressing likelihood of a civil servant leaving my 'strong' password on a USB stick in the back of a taxi or a sacked call-centre underling in Bangalore selling my 'strong' password to the highest bidder.
Now the staff at many Costa Coffee outlets are having to struggle with stupid new fingerprint readers to access their cash tills. Costa customers, have you seen a barista manage to get one of those pieces of crap to recognise their fingerprint in fewer than half a dozen attempts?
At least it's secure, I suppose: no one can get the bloody cash till open, including the staff.
And how secure is it, really? Sure, the old movie cliché of hacking off someone's hand and using it to trigger fingerprint readers doesn't work any more because they now incorporate heat sensors or pulse detectors. But there are ways to cheat them, including an old favourite involving creating a fake fingertip from gelatin: if approached by the police, you can always eat the evidence.

'Balls, I brought the wrong eye'
Source: 20th Century Fox Home Entertainment
No, this saturation of logins we're faced with today isn't really about our security at all. It's about employers bullying their staff into submission by forcing them 20 times a day to request permission to do their jobs. And it's about organisations using endless rounds of 'strong' password reminders as a smokescreen to hide the fact that their own protection of customer records can be snapped like a twig by the dimmest disgruntled outsourced employee.
Security my arse. Read my finger. ®
Alistair Dabbs is a freelance technology tart, juggling IT journalism, editorial training and digital publishing. He loves all the big companies he has worked for and only tries to sound cross about their mania for multiple logins for the purposes of this column. Mind you, one has just introduced the need for a new login just to use the telephone.
COMMENTS
Pot... meet Kettle
Seriously Reg, how you can have the gall to publish an article criticising anyone else's login/password failings is beyond me. Especially when your own website has about eleventy-billion completely pointless separate subdomains, all requiring individual logins – and there are Alzheimer's inflicted goldfish with better recall than your login cookie's "remember me.." option.
Title says it all.
[Had to login for about the fourth time today, to post this]
Re: In fact it is not
Okay, so how do they enter their strong password made up of numbers and letters and a limited set of non-alphanumeric characters in a field with masked input without typos?
Re: In fact it is not
"The point, for those thickos who've missed it (which is all of you so far!), is not that I don't know how to type accurately without being able to see what I'm doing -- I'm a sysadmin, of course I can do that. Users mostly can't."
And there's the elitism that our industry is famous for: IT pros are perfect; users are useless. Well, Aaron, fuck you. You're wrong, and you probably know it.
Show me a study. Show me numbers that prove sysadmins are better typists than average users, and I still won't believe you.
I deal with "users" on a daily basis, and the ones I know are better at typing than I am, and I'd have no problem with Correct Horse Battery Staple.
Re: If that's so, then why
So we reach the crux of it, which is that you just don't like anything that refers to XKCD and you're so determined to hate everything related to Randall Munroe's "opus" that you reject, out of hand, eminently sensible and workable solutions to the whole password problem with the same elitist bullshitting attitude you always seem to have on these forums.
Now here's the affix: I don't work in anything directly related to IT these days. I got out of it, in part, because of people like you throwing your not inconsiderable weight around every chance you got, insulting everyone who wasn't you as "luser" waste of space morons who obviously have to be nannied through everything - even when it wasn't true. In fact especially when it wasn't true. You are an arrogant little blowhard who has a little bit of power over his domain (oh ho ho) and refuses to accept that maybe, just maybe you might be wrong sometimes.
What's the biggest single security hole passwords have these days? People writing them down. Why do they write them down? Because they can't remember them. What do we want people to do with their passwords? Remember them and not write them down. On that score alone the regular language phrase is superior to the cryptic nonsense string of characters. People are able to remember phrases because they are semantic. They contain meaning, and meaning is the glue that makes memory stick.
And in terms of entropy it's a winner again. An 8 character password is easier to brute-force than a 32 character one no matter what characters it's made up from. There is no difference between the strings abababab and nGl04$sh when you are brute-forcing and if you have access to hash tables there's no amount of security that can keep you out over even a short period.
So it comes back to blocking that one major hole: the user. Your solution ensures that there will always be a human-readable copy of some large portion of your userbase's passwords available on handy little pieces of paper. The regular language solution provides a way to close that hole.
So as far as I can tell the only reason you have for rejecting it is that you didn't come up with the idea and Munroe did. Which says plenty about you and little about the idea itself.
