September 30, 2007

my rant on passwords

To illustrate the problems with authorization, we shall take the example of Indiana Jones in Raiders of the Lost Ark. To access the Ark of the Covenant, Indy has to fly to Nepal, engage in a gunfight, escape a burning tavern, retrieve the headpiece for the Staff of Ra, fly to Cairo, use the Staff of Ra to figure out the correct location, and survive deadly snakes (he hates snakes) before even finding the Ark.

The subsequent part of the movie where the Ark is hijacked by Nazis will be covered in a later post entitled "Password Retrieval" ;)

As this example illustrates, such a complicated system still fails to protect the Ark from falling into the wrong hands (first the Nazis, later the U.S. government). While I feel that a snake pit would be quite effective in ensuring proper access to systems like email, the cost of snakes/snake feed, as well as replacing poisoned upper management would be too high.

For web applications, the widely accepted practice is for users to select their own "password", a sequence of letters, numbers and/or punctuation, in the hope that the password is:

a) Unknown to anyone else
b) Not easily guessed
c) Remembered by the original user

Having had to reset countless passwords over the years, I know for a fact that this doesn't work because:

a) Sometimes you have to share passwords with other people
b) Complex passwords take too long to type
c) Good passwords are difficult to remember (i.e. "BCD31BD788A" instead of "apple")
d) Corporate policies which force users to select a new password every month
e) Users feel no shame in requesting multiple password resets

Being old and lazy myself, this is currently how I deal with having to remember passwords:

a) Pick a word via word association to use. For example, email would be "spam", the online banking page would be "debt" and my blog password would be "boring".

b) Convert the word into a string using a cryptographic hash function. Here I am using MD5 to convert the words into gobbledygook suitable for use as passwords:

"spam" becomes "e09f6a7593f8ae3994ea57e1117f67ec"
"debt" becomes "762f8817ab6af0971fe330dbf46a359a"
"boring" becomes "8c32b1f76c746d784f0c1fd005e2a220"

c) Profit!!!

I've whipped up a simple PHP page to do that here (it only returns 12 characters instead of the 32 characters of MD5, since I doubt most places would support a 32 character password):

http://twofishy.net/hash/
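The steps a) to c) above, written out as an added Python example (this is not the post's PHP page and not the author's code): `derive_password` hashes the chosen word with MD5 and keeps the first 12 hex characters, exactly as the post describes. `build_lookup` and `recover_word` are an added check from a defender's point of view: because the hash is deterministic and public, the derived password is only as secret as the word behind it, so a table of MD5 prefixes for a list of candidate words maps the 12 characters straight back to the word. The word list is constructed for this example.

```python
import hashlib

# The post's PHP page returns 12 characters rather than the full
# 32-character MD5 hex digest, so that is the default length here.
PASSWORD_LENGTH = 12


def full_digest(word: str) -> str:
    """Hex-encoded MD5 of the word (32 characters), as in step b) of the post."""
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def derive_password(word: str, length: int = PASSWORD_LENGTH) -> str:
    """Password as the post's page produces it: the first `length` hex chars of MD5(word)."""
    return full_digest(word)[:length]


def build_lookup(candidate_words, length: int = PASSWORD_LENGTH) -> dict:
    """Precompute derived-password -> source-word for every candidate word.

    Added check: anyone who can guess the source word can build this same table,
    because MD5 is a public, unkeyed function.
    """
    return {derive_password(w, length): w for w in candidate_words}


def recover_word(password: str, lookup: dict):
    """Return the source word for a derived password, or None if it is not in the table."""
    return lookup.get(password)


# Constructed sample word list (assumption, not from the post): the three words
# the post uses plus a few other short, guessable English words.
SAMPLE_WORDS = ["spam", "debt", "boring", "apple", "email", "money", "letmein"]

if __name__ == "__main__":
    for w in ("spam", "debt", "boring"):
        print(f'"{w}" -> {full_digest(w)} -> {derive_password(w)}')
    table = build_lookup(SAMPLE_WORDS)
    # The 12-character password for "debt" maps straight back to "debt".
    print(recover_word(derive_password("debt"), table))
```

Running the script prints the three words from the post with their full digests and 12-character passwords, then shows the lookup table recovering "debt" from its derived password; the recovery step is what makes the point that hashing adds length, not secrecy, when the input is a single associated word.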

Enjoy.

September 30, 2007 01:58 PM
Comments

good one...

Posted by: johnybravo at October 5, 2007 05:07 PM
the mundane adventures of joon
