We have all been burned by it: the web site you must use — your bank, a government site, something else you really want to use. The worst offenders are those where you have no choice: you must use their web site. You go through the whole process of “registering” and then they drop the bombshell on you: you must use a gibberish username or password so complex that there is no reasonable way a human being can remember it, or some other nonsense of equal uselessness.
Yes, you could make up words for each letter of the random garbage password. Sure, you could write it down so you don’t forget it. You could go to http://random.org and have the computer generate you a list, then tape it to your monitor. But really, why are they doing this to us?
Does it improve security? No. It harms security.
First, web sites are not usually hacked because someone used a brute force attack trying to log in — the attackers logged in using information they already had from somewhere else, or they used an exploit to break into an unpatched system. No system needs to fall to brute force attacks — just install DenyHosts or something else like it for free: three bad password attempts and the IP address is banned until the sysop removes it from the hosts.deny list. And don’t get me started on people who allow outside logins with the root account — people can learn to log in with a normal account and shell. We get hundreds of hack attempts every day and the first login they try is ‘root’ followed by ‘bob’ and some other junk. Read your system security logs for more entertainment.
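The three-strikes ban described above, as an added example (this is not DenyHosts' own code): it counts failed SSH password attempts per source address and produces hosts.deny entries for addresses at or over the threshold. The log lines are constructed, and the function names, the `allow` parameter and the exact sshd message layout are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

THRESHOLD = 3  # "three bad password attempts", as in the text

# The user name is client-supplied text; "from <addr> port <n> ssh2" at the end
# of the line is written by sshd. The greedy name match keeps the address trusted.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<addr>\S+) port \d+ ssh2$"
)

# Constructed log lines (documentation addresses), not taken from a real system.
SAMPLE_LOG = """\
Mar  3 04:11:02 host sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 04:11:05 host sshd[2103]: Failed password for invalid user bob from 203.0.113.5 port 51240 ssh2
Mar  3 04:11:09 host sshd[2105]: Failed password for invalid user admin from 203.0.113.5 port 51246 ssh2
Mar  3 08:30:41 host sshd[2290]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 08:30:52 host sshd[2290]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 09:02:10 host sshd[2311]: Failed password for invalid user x from 198.51.100.7 port 1 ssh2 from 192.0.2.44 port 40100 ssh2
Mar  3 09:02:14 host sshd[2313]: Failed password for root from 192.0.2.44 port 40104 ssh2
"""


def failed_logins(log_text):
    """Return {address: Counter(user names tried)} for failed password attempts."""
    seen = defaultdict(Counter)
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        try:
            addr = str(ipaddress.ip_address(match.group("addr")))
        except ValueError:
            continue  # not a literal address; skip rather than guess
        seen[addr][match.group("user")] += 1
    return seen


def deny_entries(log_text, threshold=THRESHOLD, allow=()):
    """hosts.deny lines for every address at or over the threshold."""
    return [
        f"sshd: {addr}"
        for addr, users in sorted(failed_logins(log_text).items())
        if sum(users.values()) >= threshold and addr not in allow
    ]
```

On the sample, only the address with three failures is listed; the user who mistyped once and then logged in is left alone, and the line with a crafted user name is attributed to the address sshd itself recorded.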
Second, ridiculous logins and passwords cannot be remembered: they must be written down. The most profitable way banks are broken into is not by breaking doors or threatening physical violence: it is by reading post-it notes bank managers stick to their computer screens with non-memorable passwords written on them.
Third, very few web sites are worthy of their own very special, unique, just-for-them-alone, login and password. And that is where the real security problem exists: the most common security breach is not passwords that are too easy to break by brute force methods or dictionary lookups. The most common security breach is by password reuse.
Password reuse is what we all do for unimportant web sites that we visit, and which demand that we create a login for them, but which we really do not care about. We all visit tens if not hundreds of those. Trojan web sites can be used to snarf up logins, then the mafia behind the trojans can use the data to break into popular web sites — sometimes a person will, for example, use the same password on Facebook, AOL, and her bank. If she enters that same information in a junk web site, then the mafia can also use it to access her bank, Facebook, and so forth.
Most people are savvy enough that they do not use ‘password’ as their password. I have several passwords, made of random characters, which I use for different types of web sites. One password goes on garbage sites that I really do not care about — it is simply kept around to satisfy web site owners who think they gain something by forcing everyone to log in. Another password I use for sites I care about, but which are not really very dangerous, and in a very few places — banks, popular social sites, my personal blog sites — I use a special password crafted just for them. I write these passwords down in an administrative journal because these are important web sites, and if I get hit by a truck on the way to work tomorrow, there are people who will need to use those sites in my absence. The garbage sites could vanish tomorrow and the world would never notice, nor mostly, would I.
I have noticed another interesting thing about the security problem: the web sites which degenerate into this counter-productive policy seem to be mostly sites which are using .aspx technology — Microsoft servers. My bank has even gone so far as to require Flash to be installed on my browser to log in, with the idea that measuring how fast I type somehow identifies me better than my login or IP address. Honest. The same Flash that was not available in a 64-bit version to fit my 64-bit browsers on my 64-bit quad core Linux system. They actually required me to uninstall my browser and go backwards to the old 32-bit version to access my bank accounts on-line. For a while Flash was not even allowed on Linux. That is over-the-top unreasonable. It is actually written in some banking policy that they must do that. Flash, the technology that has so many crashes and hacks that spyware poses as Adobe to install ‘updates’ to it. Yes, that Flash is required to log in to my bank.
Freedom of the press belongs to those who own one — I said that years ago. It is still true. If you don’t like a web site you are free to vote with your feet. But it is irritating, and unnecessary, and it doesn’t help security, it harms security. And we should never have that situation in cases where a person has no choice but to use the site. If it is that important, then pass out USB ID sticks or RFID chips in cards with readers instead.