Tuesday, April 6, 2010

Enforced bad passwords

Long ago, I got sick of sites that restrict me to bad passwords, but today I came across another and it has pushed me to yet again explain why it is that you should never restrict passwords without deeply compelling cause.

Today's offender was Boston Coach, the luxury livery service that was founded by Boston's Fidelity Investments (the legend states that one day, Fidelity's owner, Ned Johnson, wanted a cab and couldn't get one; the next day he had his own fleet of black sedans with smartly dressed drivers, trained to treat their passengers like royalty). Anyway, I wanted to hire a Coach to take my mother and me to a concert for her birthday (I won't say which birthday; you're welcome, Mom). I had to sign up for an account on their Web site. They committed a few sins in the process:
  1. Unless you really need a pseudonym, don't ask the user to create one. Instead, use the email address for logins.
  2. Never restrict passwords unless you are technologically constrained to do so, and if you are, file a security bug with whatever braindead software it was that forced you to (or consider just dumping it).
  3. Test your UI with and without JavaScript support. This sounds silly, but there are plenty of environments where people aren't allowed to enable unsafe browser features.
  4. Never give the user an error without explaining what it is that they did to get it. Two examples came up, here: the password security policy and the number of occupants per car.
To get back to the heart of my concern: the password. I use PasswordSafe, a program originally written by the renowned security expert Bruce Schneier. It can happily generate a very random, long password. For example:

 K1/}"jUCF/byp6( : $1$0ZV5xOu3$iTgccli1bBSykSJxcOrfi.

Notice that this password would be nearly impossible to memorize, but because PasswordSafe stores it in an encrypted file, I only have to remember one easier-to-remember password to access all of them. I tried to enter this very password for my account, but don't bother trying to use it... it was rejected. The confusing bit was that the UI informed me that I had not met "minimum password requirements." Wow, if that password doesn't measure up to Boston Coach's minimum requirements, they must spend all day, every day servicing lost password requests!

In reality, what they'd done is refuse to accept any password containing punctuation (removing 31 possible characters from the alphabet available on a typical US keyboard, and shrinking the space of possible passwords accordingly). This is a tragic thing to do to your password security, and a company founded by Fidelity Investments should know better.
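To put a number on that loss, here is an added example (not from the original post) that contrasts the punctuation-rejecting policy with a length-only policy that also explains its rejections, and computes how many bits of entropy the restriction costs at a given length. It assumes the standard 94 printable non-space ASCII characters as the full alphabet (Python's string.punctuation counts 32 symbols; the post counts 31) and uses the password quoted above as its sample input.

```python
import math
import string

# Full alphabet: letters, digits and punctuation typable on a US keyboard.
PUNCT = set(string.punctuation)            # 32 symbols in Python's table
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
RESTRICTED_ALPHABET = string.ascii_letters + string.digits   # punctuation banned

# The generated password quoted in the post, used here as sample input.
EXAMPLE_PASSWORD = 'K1/}"jUCF/byp6('


def restricted_policy(pw, min_len=8):
    """The policy complained about: any punctuation causes rejection.
    Returns (accepted, reason) so the caller can tell the user why."""
    if len(pw) < min_len:
        return False, "password shorter than %d characters" % min_len
    bad = sorted(c for c in pw if c in PUNCT)
    if bad:
        return False, "punctuation not allowed: %s" % "".join(bad)
    return True, "ok"


def sane_policy(pw, min_len=8):
    """Length-only policy: accept any printable, non-space ASCII character."""
    if len(pw) < min_len:
        return False, "password shorter than %d characters" % min_len
    if not all(32 < ord(c) < 127 for c in pw):
        return False, "only printable ASCII characters are supported"
    return True, "ok"


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def length_to_match(target_bits, alphabet_size):
    """Shortest length over this alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare(length):
    """Bits lost by banning punctuation, and the extra length needed to recover them."""
    full = entropy_bits(length, len(FULL_ALPHABET))
    restricted = entropy_bits(length, len(RESTRICTED_ALPHABET))
    return {
        "full_bits": round(full, 1),
        "restricted_bits": round(restricted, 1),
        "lost_bits": round(full - restricted, 1),
        "length_to_recover": length_to_match(full, len(RESTRICTED_ALPHABET)),
    }
```

For the 15-character password above, the ban costs about 9 bits; a user would need 17 letters-and-digits-only characters to get the same strength back.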

Anyway, they should fix their broken software and anyone else that uses such terrible requirements for passwords should get on it ASAP.

Monday, April 5, 2010

Twitter / Buzz: the new news?

Today's XKCD discusses the math behind a tweet out-distancing an earthquake (oddly, I read the comic before I heard about the quake). Later in the day, I found myself using Google's Buzz to post pictures of a fire in Boston. It's now getting to the point that I look to the Buzz map on my Droid before I consult Boston.com for local news. It's not that it's more rational or more considered. It's just a matter of wanting to know what's going on now rather than a half hour ago. Sure, I can visit a regular news site and find more detail later on, but there's just nothing like having a few thousand potential "reporters" on the scene.

I suppose the future written by some science fiction authors is coming: we'll all be the on-the-scene "reporters," with actual journalists being the people who surf Twitter, Buzz, YouTube and so forth, the way they used to listen to police-band radio for a story. Once a journalist can tap into your head-mounted cam for a live feed and hire you on the spot as a freelance photographer, there will be no story too fast to be fed into the hungry maw of the Internet.