Pavlos (pavlos) wrote,

A special innovation for your insecurity

Computer security used to be a serious matter. The makers of remotely accessed computers, until the 90's or so, made their equipment so that it could be protected by strong passwords, and educated their users to use strong passwords. Only the right passwords, or unforeseen technical vulnerabilities, would unlock the equipment.

In recent years, however, we have a special anti-security innovation: Web sites allow you to set a password, but also require that you supply a further secret, which can be used to unlock your password! The unlocking secret is almost never optional, and the instructions generally ask you to choose something very insecure, such as a pet name. Sometimes you can enter a strong secret (by acting against the design of the system) and sometimes there are hard limits preventing you from choosing anything secure. For example there may be a requirement to choose a 4-digit number.

Security experts may be able to point out something I'm missing, but is that not the most air-headed innovation in the history of computer security? As far as I can see it's like buying a lock with the special non-optional feature to have a spare key hidden in a compartment somewhere on the outside of the door. Sometimes you can remove the spare key, sometimes it's fixed there for your convenience with a chain.

Apparently sane web sites, such as the ACM, use this inane feature. In that particular case you are allowed to enter a strong secret. But what is the point? You're either going to remember your password, or you'll store it in a digital keyring, or don't bother. Re-register, or use your credit card information to erase and reset a paid account.
