Saturday Sep 04, 2010

Password Madness

I recently had to change my password for a single sign-on service I use. I opted to include a "?" in my new password. Over the next couple of days I discovered that I could only enter my password on some of the sites I needed to use. On others it was consistently rejected. Luckily, because it was single sign-on, I could sign on to one site and then navigate to another that wouldn't allow me to enter my password.

After a few days I figured out that some sites just didn't like my password. I decided to change my password to something that didn't include "?". Lo and behold, I could now log in using any of the sites that used the single sign-on service. Sigh.

It bothers me that standards for passwords are still so inconsistent. Case sensitive, case insensitive, spaces allowed, no spaces allowed, numbers allowed, numbers not allowed, random allowability of symbols. Usually the reasons for the restrictions are bizarre and arbitrary (then again, what to do with computers isn't?). It's very frustrating for users to work with these varying restrictions imposed by multiple sites. It would certainly make things easier if more effort were spent on allowing users the maximum flexibility in their password choice and, probably more importantly, on making the behaviour consistent among sites. Perhaps industry-specific standards or best practices could reduce the frustration around password policies. It's worth a try.
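To make the inconsistency concrete, here is an added example (not code from the original post) that runs one password through two constructed site policies: a permissive one that judges only length and rejects only control characters, and a legacy one that whitelists a handful of symbols. The policy rules, site names and thresholds are assumptions for illustration.

```python
import string
import unicodedata

# Assumed permissive policy: any printable character, including "?" and
# spaces, is fine; only length and control characters are checked.
MIN_LEN = 8
MAX_LEN = 64


def permissive_policy(candidate: str) -> tuple:
    """Return (accepted, reason). Length is counted in code points after
    NFKC normalization so the same text is judged the same way regardless
    of which site or keyboard produced it."""
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    # Unicode general category "C*" covers control and format characters.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "contains control characters"
    return True, "ok"


# Constructed imitation of a site with an arbitrary symbol whitelist,
# the kind of rule that rejects "?" while other sites accept it.
LEGACY_ALLOWED = set(string.ascii_letters + string.digits + "!@#$%^&*")


def legacy_policy(candidate: str) -> tuple:
    """Return (accepted, reason); spaces and "?" are not on the whitelist."""
    bad = sorted({c for c in candidate if c not in LEGACY_ALLOWED})
    if bad:
        return False, "disallowed characters: " + "".join(bad)
    if len(candidate) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    return True, "ok"


# Hypothetical sites behind one single sign-on service.
SITES = {"portal": permissive_policy, "legacy": legacy_policy}


def sso_acceptance(candidate: str, sites=SITES) -> dict:
    """Map each site name to whether it would accept the password.
    A mixed result is exactly the situation described in the post."""
    return {name: policy(candidate)[0] for name, policy in sites.items()}
```

Running `sso_acceptance("correct? horse battery")` yields a split verdict, while dropping the "?" and the spaces makes every site agree.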

Monday Feb 02, 2009

No password

I have been doing a lot of work using virtual machines (the simulates-a-computer kind, not the Java kind). Since all of the virtual systems are NATed or have no networking, and because I'm mostly doing driver development, I am generally logged in as root and not using a password. Obviously, this has usage and security implications. For one thing, I can't assume that there is any kind of safety protection. If I screw up, then the machine is screwed up. This applies to security as well. If I do something stupid like download random software or go to arbitrary web sites, then I could easily screw up the virtual machine.

So far I haven't managed to corrupt, infect or otherwise damage any of my virtual machines. I've found it kind of interesting how the direct knowledge that I have no "safety net" when operating these machines has impacted my thinking and choices. I've found I am a lot more thoughtful and cautious about the actions I take. I spend more time considering implications before hitting return. I'm coming to think that working in this way may actually be a good thing. Having to be certain before committing to actions has actually saved me time. I've made fewer repairable mistakes and have frequently changed my mind about how to correctly proceed rather than just barging ahead.

The moral of the story is (as usual) make good backups, play safe and be brave.

Thursday Jan 10, 2008

Wi-Fi Wide Open

I really enjoyed Bruce Schneier's most recent Wired Security Matters column, "Steal This Wi-Fi". I've always run my Wi-Fi completely open and unencrypted. I like running it that way, though I've been repeatedly warned by nearly everyone I mention it to that an open network will {cause my computers to be hacked | help the terrorists | promote child pornography | make the RIAA sue me | hasten the end-times}. The ISPs and certain vendors of horribly insecure operating systems have done a great job of instilling a paranoid mindset about Wi-Fi in most people. The question I've always asked people is "Why is it important to have a different security policy for your wired and wireless networks?" Unfortunately this isn't generally a question people have thought a lot about. For whatever reason they have decided that their wireless networks should be securely locked down, and I've never heard any great insights as to why.

From now on I'm just going to point people at Bruce's article. I'm not sure that the article is by itself sufficient to convince people that, since their network security can't rely exclusively on WPA, they should do their security planning assuming that WPA doesn't work, and that at that point they might as well run with wireless security disabled.
