All posts by moore - 96. page

Passwords are omnipresent, but just don’t work the way they should. A password should be a private string that only a user could know. It should be easy to remember, but at the same time hard to guess. It should be changed regularly, and only passed over a secure connection (SSL, ssh). At least, that’s what the password policies I’ve seen say. People, however, get in the way.

I have a friend who always has the same password: ‘lemmein’. She is non-technical. Whenever she tries to sign in to a system, she has invariably forgotten her password. She tries different incarnations, and eventually becomes so frustrated, she just types ‘lemmein’ and, voila, she is logged in.

I have another friend who is a computer security professional (or was). He has the same issue with forgotten passwords, but rather than have one insecure password, he keeps all his passwords in a file on a machine that he controls, protected by one master password. In this way, he only has to remember the one password, yet machines aren’t at risk.

I sympathize with both my friends, since, off the top of my head, I can easily think of ten different passwords that I currently use, for various systems and applications. In fact, the growth of the web applications (since the address bar is the new command line) has exploded the number of passwords that I have to remember.

I’m not as blase about security as my first buddy, nor as together as my second friend, so I just rely on my memory. That works, sometimes. Often, if I seldom visit a site that requires a password, I’ll always make use of the ‘mail me my password’ functionality that most such sites have. I won’t even bother to try to remember the password.

Sometimes, password changes are imposed on you. I’ve been at places where your password had to be changed every three weeks, and must be different rom your previous three passwords. I was only there for a short period of time, but I’m sure that there are some folks who are cycling passwords (‘oh, it’s one of these four, I know it’).

On the other hand, I worked at a place for three years; I had access to a number of web servers, often with sudo, yet I changed my passwords two times. It was just such a tremendous hassle to try to bring all my passwords in sync. (Yes, yes, we should have had an LDAP server responsible for all those passwords; that would have made changing it easier. There are some technical solutions that can ease password pain, at least within one organization.)

Passwords are even used in the ‘real world’ now. Leaving aside the obvious example of ATM pins, my bank won’t let me do anything serious to my account over the phone unless I know my password.

Passwords do have tremendous advantages. They let me authenticate myself without being physically present. They’re easy to carry with you. Computers don’t need special hardware or software to authenticate a user via a password. Everyone understands the concept. But passwords are really the least of the evils when it comes to authenticating remote users (/entities). They’re easy to pass around, or steal, since they’re aren’t physical. Passwords are either easy to forget or easy to crack.

I guess my solution has been to break up my passwords into levels. For simple things like logging into web applications, I have one or two very easy to remember passwords, or I use the ‘mail me my password’ functionality mentioned above. For more sensitive accounts that I use regularly, computer logins where I’m an administrator of some kind, my email, or web applications where my credit card details are viewable, I’ll have some more complicated password, which may or may not be shared among similar systems. And for other systems where I need a good password but don’t use it regularly, I’ll write it down and store it in a safe place.

Passwords are certainly better than using SSN, zip code, or some other arbitrary single token that could be stolen. But they certainly aren’t the optimal solution. I actually used a userid/biometric solution at a client’s office (for the office door) and it rejected me a very small percentage of the time. The overhead to add me to the system was apparently fairly substantial, since it took weeks for this to happen. For situations where the hardware is available and deployed, biometric solutions seem like a good fit.

No one, however, is going to add finger/eye/palm scanners to every machine that I want to access, to say nothing of various interesting remote applications (I want my travelocity!). Some scheme where you login to a single computer that then generates a certificate that uniquely identifies you (something like xauth) may be the best type of solution for general purpose non-physical authentication. But, as a software guy, my mind boggles at the infrastructure needed to support such a solution. Looks like passwords are here to stay for a while.

One of the most amazing things about the internet is the manner in which it decreases the costs of information exchange. The focus of this decreased cost is often the business world, because that’s where the money is. However, I’m fascinated by the other forums for information exchange that simply wouldn’t exist without extremely cheap publishing and distribution of information. In the past, I’ve taken a look at the web and government budgets, but I recently came across two other activities that I feel are impressive, and exhibit just what the web can provide: freecycling and couchsurfing.

In the past, when I had something (an excess of garden crops, for example) that I didn’t want anymore that was of negligible value, I had a few options for getting rid of it. In decreasing order of personal preference:

1. Foist it on a friend or family member.

2. Put it on the street with a ‘free’ sign.

3. Give it to Goodwill/Salvation Army.

4. Save it and have a garage sale when I had enough items of negligible value.

5. Give it to a thrift store.

6. Throw it away.

Well, now the internet gives me another option: post to a freecycle email list. There are thousands of these groups. I joined the Boulder list, and it has a simple rule: no trading, just giving. 876 people are subscribed to this list. Freecycling is similar in nature to option #2, except many more people will probably find out about your surplus rutabagas via an email than will drive by your house before they turn into a rotting mess (less effort, too–you can send emails from the comfort of your computer chair, as opposed to hauling produce to the curb). In addition to helping you get rid of stuff, these lists also let you accumulate more crap, easily, and without requiring new production. (I don’t know, there may have been freecycle newsletters circulating around yoga studios and health food stores before email took off. Again, the sheer number of people, who by self-selection are interested in giving and getting new stuff, and the ease of posting and receiving the information, means that email freecycling is a better way.)

Speaking of free stuff, a few years I was bumming around down under, and ended up staying with a friend of a friend of a friend of a friend. The free place to stay was sweet, but so was the local knowledge and a friendly face in a strange land. Upon returning to the USA, I decided it’d be great to build a website dedicated to these concepts. Friendster and the other social networking sites give you some of the needed functionality (who’s connected to me, where do they live) but not all of it (search by locality, meet random people). I wanted to call the website ‘findalocal’ and even threw together a PHP prototype before I got sucked into other projects. Well, I was browsing Wired a few days ago, and came upon Couchsurfing.com, a site which does almost exactly what I want, has been around for since 1999, and is much more professionally done than what I would have whipped up. The basic premise is, you offer up your local knowledge to anyone who is a member. You can also offer up other services, not least a place to crash for a few nights. For more info, check out the couchsurfing FAQ. Again, this is a service that would have a hard time without the easy dissemination of information provided by the web.

In short, I think that, although a lot of excitement revolves around the portions of the internet where you can make gobs and gobs of money, plenty of interesting stuff is going on with no money involved. In fact, the ease of information transfer is even more important when there is no explicit economic value. Invoices are going to be sent to suppliers, whether via carrier pigeon or extranet, but getting rid of my old bicycle by giving it to someone has to be easier than just trashing it, or, nine times out of ten, I’ll throw it away. And couch surfing is even more dependent on free information exchange, due to the dispersed geographic nature of the activity.

I re-read the first two books of the Ringworld series a few months ago. Great science fiction–cool technology, interesting aliens, cardboard characters, decent plot. In the second one, The Ringworld Engineers, one of the main characters is addicted to electricity. Seriously–he has a device that directly stimulates the pleasure center of the brain. Niven calls this ‘addicted to the wire.’

Recently, however, I ran across this article: Shocking Treatment for Depression. Sure, sure, it will require a prescription, and it only helps “lift [your] mood.” It’s only for folks who are depressed. And Viagra is only for older men with erection problems.