September 30, 2007
my rant on passwords
To illustrate the problems with authorization, we shall take the example of Indiana Jones and the Raiders of the Lost Ark. To access the Ark of the Covenant, Indy has to fly to Nepal, engage in a gunfight, escape a burning tavern, retrieve the headpiece for the Staff of Ra, fly to Cairo, use the Staff of Ra to figure out the correct location, and survive deadly snakes (he hates snakes) before even finding the Ark.
The subsequent part of the movie where the Ark is hijacked by Nazis will be covered in a later post entitled "Password Retrieval" ;)
As this example illustrates, such a complicated system still fails to protect the Ark from falling into the wrong hands (first the Nazis, later the U.S. government). While I feel that a snake pit would be quite effective in ensuring proper access to systems like email, the cost of snakes/snake feed, as well as replacing poisoned upper management would be too high.
For web applications, the widely accepted practice is for users to select their own "password", a sequence of letters, numbers and/or punctuation, in the hope that the password is:
a) Unknown to anyone else
Having had to reset countless passwords over the years, I know for a fact that this doesn't work because:
a) Sometimes you have to share passwords with other people
Being old and lazy myself, this is the current way I deal with having to remember passwords:
a) Pick a word via word association to use. For example, email would be "spam", the online banking page would be "debt" and my blog password would be "boring".
Hashed with MD5, "spam" becomes "e09f6a7593f8ae3994ea57e1117f67ec"
I've whipped up a simple PHP page to do that here (it only returns 12 characters instead of the 32 characters of MD5, since I doubt most places would support a 32 character password):
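As an added illustration (not the author's PHP page), the same derivation in Python, together with a rough measure of why truncating MD5 to 12 characters does not make the result any stronger than the memorable word behind it; the site-to-word table is a constructed sample:

```python
import hashlib
import math

# Constructed sample, following the word-association idea above:
# one memorable word per site. These are not the author's real choices.
SITE_WORDS = {"email": "spam", "bank": "debt", "blog": "boring"}


def derive_password(word: str, length: int = 12) -> str:
    """Return the first `length` hex characters of MD5(word), as the post describes."""
    if not 1 <= length <= 32:
        raise ValueError("an MD5 hex digest has exactly 32 characters")
    return hashlib.md5(word.encode("utf-8")).hexdigest()[:length]


def output_bits(length: int) -> float:
    """Upper bound judged from the output alone: each hex character carries 4 bits."""
    return 4.0 * length


def input_bits(candidate_words: int) -> float:
    """Bound from the input side: the derivation is deterministic and not secret,
    so the password is only as unpredictable as the word it was made from."""
    return math.log2(candidate_words)


def effective_bits(length: int, candidate_words: int) -> float:
    """The password is no stronger than the weaker of the two bounds."""
    return min(output_bits(length), input_bits(candidate_words))


if __name__ == "__main__":
    for site, word in SITE_WORDS.items():
        print(f"{site:6} {word:8} -> {derive_password(word)}")
    # 12 hex characters look like 48 bits, but a word drawn from a
    # 100,000-word vocabulary contributes only about 16.6 bits.
    print(f"effective strength: {effective_bits(12, 100_000):.1f} bits")
```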
Enjoy.
September 30, 2007 01:58 PM