Counterproductive password security

May 18, 2008

Certain websites and I have a disagreement of opinion. To wit, they feel that my account is vitally important, so important that they must save me from myself by refusing to let my browser remember the password for me. I disagree with them, because ultimately they are just another website. Sure, it would be annoying if an attacker deleted my account or the like, but in the global scale of things it is not that big a deal.

(I will excuse people being paranoid if they are holding my money; then there is something at stake beyond my activities on their websites.)

In the local scale of things, they win; I have yet to figure out how to override whatever they've told my browser. In the global scale of things they lose, because I now have my login information written down in a plain text file so that I can find it again when I need it. Since I cut and paste it into their login form, I may even someday have a paste accident (no matter how much I try to avoid those). The net result of the website's security paranoia is that my account is now less secure.

(In theory I am sure that the website wants me to memorize my password. In practice, see that bit about the disagreement; the whole situation is not important enough for me to spend that effort. Besides, I picked a completely random password when I set up the account, since I was counting on the browser to remember it for me and a completely random password maximizes security against various guessing attacks.)

Written on 18 May 2008.
Last modified: Sun May 18 01:01:06 2008