Thursday, April 26, 2012

idiots in security

Life would be a lot better if they didn't give the job of setting up password protections to idiots. Being able to log in to your bank or credit card company or phone company website to handle business is extremely convenient, but it is also very insecure when you are required to write down your passwords. And that is exactly what many of these sites force you to do because, well, they are set up by idiots.

I use a program called PasswordMaker. The idea behind the program is very clever. I just have to remember a single password and it uses that password to generate unique passwords for each site I visit. It is by far the most secure reasonable solution (the most secure solution would be to remember a different password for each site, but that's impossible). You don't have to worry about a break-in at one site compromising your password at other sites, because there is a different password for each site. You don't have to write anything down or let your browser record anything, because you just have one password. If my computer gets stolen, no one will be able to get into any of my secure accounts from it, and I can easily get it from another computer.

PasswordMaker should be a near-perfect solution, but the idiots running these sites ruin it with their stupid and capricious rules on what the password has to look like: it can't be more than 10 characters, it can't have spaces, it has to have a punctuation character, it has to have at least one digit, one lower case, and one upper case letter.

There is no way for PasswordMaker to follow all of these rules for every password. Some of the rules even contradict each other. And these rules don't even appreciably increase security for people who write down their passwords anyway. Everyone knows that most people just use their regular password and then have one or two trailing characters to meet the rules. Anyone making a dictionary attack can just program it for this, and they will find almost everyone's password that they could have found otherwise.
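As an added illustration (not part of the original post, and not PasswordMaker's actual algorithm), the Python below derives per-site passwords from one master password and checks each against the composition rules listed above. PBKDF2 is an assumed stand-in for the derivation, and the master password, site names and alphabet are constructed.

```python
import hashlib
import string

# Assumed output alphabet: letters, digits and punctuation, no space.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_password(master: str, site: str, length: int = 16) -> str:
    """Deterministically derive a per-site password from one master secret.

    Illustrative scheme only: PBKDF2-HMAC-SHA256 with the site name as salt.
    """
    raw = hashlib.pbkdf2_hmac(
        "sha256", master.encode(), site.encode(), 100_000, dklen=length * 2
    )
    # Two bytes per output character keeps the modulo bias small.
    return "".join(
        ALPHABET[int.from_bytes(raw[i:i + 2], "big") % len(ALPHABET)]
        for i in range(0, len(raw), 2)
    )


def policy_failures(pw: str, max_len: int = 10) -> list[str]:
    """Return the composition rules from the post that `pw` violates."""
    checks = {
        f"more than {max_len} characters": len(pw) > max_len,
        "contains a space": " " in pw,
        "no punctuation character": not any(c in string.punctuation for c in pw),
        "no digit": not any(c.isdigit() for c in pw),
        "no lower case letter": not any(c.islower() for c in pw),
        "no upper case letter": not any(c.isupper() for c in pw),
    }
    return [rule for rule, failed in checks.items() if failed]


def audit(master: str, sites: list[str], length: int = 16) -> dict[str, list[str]]:
    """Derive a password per site and report which rules each one breaks."""
    return {s: policy_failures(derive_password(master, s, length)) for s in sites}


if __name__ == "__main__":
    # Constructed sample inputs.
    sites = ["bank.example", "card.example", "phone.example"]
    for site, failures in audit("correct horse battery staple", sites).items():
        print(f"{site}: {failures or 'meets every rule'}")
    # Truncating to fit the length cap can drop a required character class.
    for site, failures in audit("correct horse battery staple", sites, 10).items():
        print(f"{site} (10 chars): {failures or 'meets every rule'}")
```

Every 16-character password fails the 10-character cap, and a password truncated to fit can still miss a required character class, which leaves a per-site exception the user has to remember or write down.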

I'm thinking about dropping one credit card just because of these stupid rules which, because of the inconvenience of having to go through their ridiculous "I forgot my password" gauntlet, have caused me to make late payments twice now.