Original URL: http://www.theregister.co.uk/2012/05/25/something_for_the_weekend_passwords_are_a_waste_of_time/

Passwords are for AES-holes

Security is an illusion

By Alistair Dabbs

Posted in Hardware, 25th May 2012 12:39 GMT

Something for the Weekend, Sir? When did you reach burnout? For me, it was spring 2009. Looking back, I did well to last as long as I did but the constant pressure of coming up with something new, again and again, became too much.

I'm not confessing to an emotional crisis, by the way. I'm talking about my ability to create new system logins that I can remember for longer than an afternoon. Today, about a third of my incoming emails have 'password reset' in the subject line.

Reginald Perrin. Source: BBC/2 Entertain

'Oh god, not another bloody password to remember. One more and I'll fake my own death just to avoid the buggers'

My password fatigue came to a crunch while I was freelancing at a company that bullied its users into entering a unique login every time you wanted to do anything whatsoever on one of their computers. First up was a straightforward Active Directory login, which is fair enough, but this barely carried you beyond the company's intranet page.

Want to visit an external website? Another login. Check email? Another login - yes, even with AD. Run the core apps? Another login. Open the image library? Another login. Access the database? Another login. Browse the archive? Another login. Launch the production tool? By now, you know the answer.

If I was working remotely, I had to use yet another login to seek permission to enter any of the above logins, and it was particularly irritating because it insisted on asking me to enter this one twice. Those of you who know me: it's not the company you think it is, so keep guessing.

Reginald Perrin. Source: BBC/2 Entertain

'I didn't get where I am today by not forcing my staff to log in 13 times to start work'

Most of the company employees got around the problem by creating identical ID names and passwords for everything. The IT department responded to this challenge by forcing users to change their passwords every month. The ever-resourceful users quickly discovered that the automatic prompt was fixed to a 12-month cycle, so all they had to do when prompted to change their passwords was to spend a minute changing it 12 times and then choose their original password again.

Now I understand why computer security is important. I also understand why I should not use the same ID and password for all my bank accounts and credit cards. What I don't understand is why I would need 13 different logins at the same company simply to identify who I am.

'Q. What was the name of your wife's first lover?'

As far as I'm concerned, I demonstrated who I was when I walked past the entrance CCTV and used my RFID pass to get in the building. Why I had to keep doing it in increasingly ludicrous ways throughout the day is beyond me.

As for the need to create a password that isn't the name of your kids or their birthdays or the word 'password', I do get it. But the current new wave of online harassment to make you invent an utterly forgettable 'strong' password?

Costa coffee

Froth is NOT good for fingerprint security

Oh come on - the biggest security threat to my online accounts isn't the risk of a mischievous Russian hacker spending a week trying to guess my 'strong' password but the depressing likelihood of a civil servant leaving my 'strong' password on a USB stick in the back of a taxi or a sacked call-centre underling in Bangalore selling my 'strong' password to the highest bidder.

Now the staff at many Costa Coffee outlets are having to struggle with stupid new fingerprint readers to access their cash tills. Costa customers, have you seen a barista manage to get one of those pieces of crap to recognise their fingerprint in fewer than half a dozen attempts?

At least it's secure, I suppose: no one can get the bloody cash till open, including the staff.

And how secure is it, really? Sure, the old movie cliché of hacking off someone's hand and using it to trigger fingerprint readers doesn't work any more because they now incorporate heat sensors or pulse detectors. But there are ways to cheat them, including an old favourite involving creating a fake fingertip from gelatin: if approached by the police, you can always eat the evidence.

Minority Report. Source: Twentieth Century Fox Home Entertainment

'Balls, I brought the wrong eye'

No, this saturation of logins we're faced with today isn't really about our security at all. It's about employers bullying their staff into submission by forcing them 20 times a day to request permission to do their jobs. And it's about organisations using endless rounds of 'strong' password reminders as a smokescreen to hide the fact that their own protection of customer records can be snapped like a twig by the dimmest disgruntled outsourced employee.

Security my arse. Read my finger. ®

Alistair Dabbs is a freelance technology tart, juggling IT journalism, editorial training and digital publishing. He loves all the big companies he has worked for and only tries to sound cross about their mania for multiple logins for the purposes of this column. Mind you, one has just introduced the need for a new login just to use the telephone.