Can a password identify you?



  • Nothing special, but I was in a meeting talking about security on our website and a manager said to me "Why do we need login names why can't you just determine who the person is by the password they typed in?"

    Seems simple enough Dan-O code it up!



  • As long as it is guaranteed unique, then yes, that's all you [i]technically[/i] need. But, if you ever want to identify individual users by anything other than their passwords you do at least need a username associated with the password.



  • to quote my favorite "IM-style" action:

    *headdesk* 



  • What happens when the user forgets his/her password and needs to change it



  • What if the password has already been taken ?

    I'm definitely interested in the message that will be displayed to the user. Will it be - "Sorry, this password has already been taken. Please input another password." ?



  • [quote user="kuroshin"]

    What if the password has already been taken ?

    I'm definitely interested in the message that will be displayed to the user. Will it be - "Sorry, this password has already been taken. Please input another password." ?

    [/quote]

     

    I think the message should be...

    "Congradulations, you have discovered another user's password. Would you like to try it out now?" 

     



  • Not to mention anything that must be tagged with someone's ID (changes in files, transactions, whatever). When you see who did what, you see their password.



  • [quote user="Grauenwolf"] 

    I think the message should be...

    "Congradulations, you have discovered another user's password. Would you like to try it out now?" 

    [/quote]

    Or to be more serious about the problem that was caused  - "Hello Hal !! Good morning. If you are not Hal, please click here.

     Encash your 31843 credit points here."



  • [quote user="R.Flowers"]Not to mention anything that must be tagged with someone's ID (changes in files, transactions, whatever). When you see who did what, you see their password.
    [/quote]

    (to late to edit)

     OK, not everyone would have to see the passwords, neccessarily, not at the user level. And you would probably use some other kind of unique identifier, like the PK. Still, it would be a weird situation.
     



  • [quote user="kuroshin"]

    What if the password has already been taken ?

    I'm definitely interested in the message that will be displayed to the user. Will it be - "Sorry, this password has already been taken. Please input another password." ?

    [/quote]

     For security reasons, you should add

     
    <font size="500" color="red" flash="you betcha">Do not, under any circumstances, refresh the page and type this password into the login box rather than the create new account box</font>
     



  • [quote user="djork"]As long as it is guaranteed unique, then yes, that's all you [i]technically[/i] need. But, if you ever want to identify individual users by anything other than their passwords you do at least need a username associated with the password.[/quote]

     

    It's fine if you don't mind someone coming to a terminal, typing in "skippy" and being logged in as some random user who happened to use that password. Using ONLY a PW would be horribly un-secure.

     Basically, the username-password combo, aside from making the login process much harder to hack, accomplished 2 things:

    Establishes Who you say are (by user id), and that you really ARE who you say you are (by the password associated with that ID). Identification AND Authentication.

    Using only a password would reduce the login process to just being able to guess a random word or set of keystrokes. If you hit, then you are in as someone's random account.

    And that's all aside from the fact that all access/permission/etc is tied to a user-id. 

     



  • There are certain, very strict situations in which using only a password is perfectly appropriate.

     I'm fairly confident that this manager had none of them in mind, however.
     



  • I ll take incompetent management for 200, Bob.



  • [quote user="kuroshin"]

    What if the password has already been taken ?

    I'm definitely interested in the message that will be displayed to the user. Will it be - "Sorry, this password has already been taken. Please input another password." ?

    [/quote]

    I know of an app that works exactly like this - it's a gate-entry-code for a controlled-access area - new users are asked to pick a 4-digit PIN, and if it's already taken they are simply asked for another one (hoping, of course, that they're too dumb to realize that they now know someone else's PIN!)

    Now granted, the controlled-access area isn't area 51 or the pentagon or anything like that, but still.... sheesh!



  • I can think of one kind of situation when this would work:
    biometric authentication

    Techincally, fingeprint/whatever could be consired as password. Sure, it would be slightly more secure to use username as well, but still doable.



  • Actually, this reminds me of tripcodes, which is what 2chan-style image boards use for unique identification.

     

    What is displayed is the encryption of the password. 



  • I can almost hear the HelpDesk call, "When I log in to the system, my preferences keep changing back to some funky color scheme." "Is your password 1234?" "Yeah, why?" <hollering to the IT Staff nearby>"WE GOT ANOTHER ONE!!!!"

    <sarcasm>I like the idea - or, even better assign everyone a number. It's unique and identifies them. Next!</sarcasm>

     

    (Oh and hello, new to this here posting thangie - WTF Rox)



  • [quote user="e.thermal"]

    Nothing special, but I was in a meeting talking about security on our website and a manager said to me "Why do we need login names why can't you just determine who the person is by the password they typed in?"

    [/quote]

    I would relent if I could specify two conditions. 

    1)  I, or the IT department, authorizes all new users so that they can be assigned a password.

    2)  All passwords are 16 character strings of well mixed Uppers, Lowers, Numerics and special characters.

    Oh, yeah...  And the manager who suggested it gets his new password first.



  • [quote user="Buzer"]I can think of one kind of situation when this would work:
    biometric authentication

    Techincally, fingeprint/whatever could be consired as password. Sure, it would be slightly more secure to use username as well, but still doable.
    [/quote]

    Actually, that's an interesting misnomer.  Many people say, "How could you copy a fingerprint?"  Well, a lot of ways.  Current biometric techniques are no more than scanners.  Many tests have been done and a photocopy of a fingerprint (perhaps lifted from a glass window) will pass most systems.  Also, making fake fingers is hardly an issue.  The same processes used to make amazingly accurate face masks can be used for fingerprints.

    Now the real issue is, what happens if somebody gets ahold of your fingerprint?  Do you "change your fingerprint"?  How many times could you possibly do this?  I'd say you'd be SOL after the 10th time...

    Door locks and passwords are made under two important assumptions: if somebody really wants in, they'll find another way; and, the person will always end up losing it and needing a new one.  Biometric identification fails the second assumption.
     



  • [quote user="BitTwiddler"][quote user="kuroshin"]

    What if the password has already been taken ?

    I'm definitely interested in the message that will be displayed to the user. Will it be - "Sorry, this password has already been taken. Please input another password." ?

    [/quote]

    I know of an app that works exactly like this - it's a gate-entry-code for a controlled-access area - new users are asked to pick a 4-digit PIN, and if it's already taken they are simply asked for another one (hoping, of course, that they're too dumb to realize that they now know someone else's PIN!)

    Now granted, the controlled-access area isn't area 51 or the pentagon or anything like that, but still.... sheesh!

    [/quote]

     

    almost as bad as my school's way of identifying lunch accounts, u just enter xxyyy where xx is the last 2 digits of the year ull graduate & yyy is ur # in that grade, mine's xx117

     

    talk about insecure considering all the passwords are taped up on a wall in the cafeteria 



  • [quote user="unklegwar"]

    [snip]

    Basically, the username-password combo, aside from making the login process much harder to hack, accomplished 2 things:

    Establishes Who you say are (by user id), and that you really ARE who you say you are (by the password associated with that ID). Identification AND Authentication.

    Using only a password would reduce the login process to just being able to guess a random word or set of keystrokes. If you hit, then you are in as someone's random account.

    [/quote]

    I think you were on the right track, but missed the mark.

    To put it simply, the login name says who you claim to be.  The password is proof that you are who you say you are.

    Why the distinction?  Because we know everything can't be public (hence the password), but for the same reasons, everything can't be private.  If telling you my name is the same thing as telling you my password, how will I ever tell you who I am?  The login name is used for identification, the password for authentication.

    As for the reasoning, "A password is unsecure because a hacker only needs to discover a random string", it's fatally flawed.  What's the alternative?  If a login requires a username and password, the hacker must now guess two random strings.  Arguably this is more difficult (assuming the passwords are the same length in both cases), but it doesn't solve the original problem.  In fact, the entropy (randomness) of a username is most likely low compared to the password.  How many combinations of last name, first initial can you come up with?  Login names are usually more restricted in terms of allowable characters, and unlike a password, have to be recognizable.  I could remember my password being x87AZl*&, but if everybody had an email address like that, the collection of all your friends' email addresses would suddenly become much harder to remember. 

    So to summarize, adding a login name isn't anymore secure than having a longer password; instead, it serves to identify who you are, saving the password for authenticating that it actually is you.  Hence, allowing some data to be public while leaving other parts private.



  • We have a fingerprint scanner at work, on the door into the 'eletrical closet'. I cut my finger, and couldn't get in.



  • just for the record, I think it was the biggest WTF I have heard come out of management, the next best is classic dilbert, "What do you mean the project is falling behind?  Let's have daily meetings until it's back on track"



  • As for the reasoning, "A password is unsecure because a hacker only needs to discover a random string", it's fatally flawed.  What's the alternative?  If a login requires a username and password, the hacker must now guess two random strings. 

    The thing you seem to be forgetting is the possible existance of many users on the same system. The hacker must not guess two random strings. He must guess a userid and the corresponding password. On a system with no userid, you'd just guess random passwords, until you hit someones account. Granted, if you were the kind of hacker going for a specific person, this would take the same time, but if you just want in, start guessing "1234", "qwerty", "kitty", and you'll be in in no time.

     

     

    (some other guy:)

    talk about insecure considering all the passwords are taped up on a wall in the cafeteria

    Thats because the lock isn't there to keep you out. If you can get to the cafeteria, you are supposed to be able to enter. Obviously :P



  • [quote user="welcor"]

    (some other guy:)

    talk about insecure considering all the passwords are taped up on a wall in the cafeteria

    Thats because the lock isn't there to keep you out. If you can get to the cafeteria, you are supposed to be able to enter. Obviously :P

    [/quote]

    Ive been here for quite awhile welcor i just don't post that often.

    as far as the passwords bit goes...i dont want some1 knowing my lunch account or student id



  • This is a basic security question, and one asked frequently, especially in the biometric arena. It's a bad idea, and here's why:

    You're changing the question that the system is asking. With a username and password, this system is asking who you are, and can you prove it. With just a password, the system is merely asking who you are. Would you use a system that let you have a login name but no password, even if you could pick your username? What happens if the password clashes with someone elses?

     
    In the biometrics arena, this is a much worse problem. If you simply use someone's handprint to identify them, then you are saying "does this handprint match ANY handprint in the database?" if it does match any of them closely enough, then you're in as that person. On the other hand, supplying the username up front means that the handprint is proof - I say that I am this user, and here's my evidence.

     

    In general, authentication is a case of stating who you are, and using 1 or more methods to prove it. These methods are commonly thought of as "something you know" (password), "something you have" (token of some variety), "something you are" (biometrics). The middle entry currently being the strongest, and easily revoked (especially by accident, down drains in the car park. oops). 

     



  • I remember arguments like this on a medical application.

    1. Why do we need a username? We can use their email address.

    That's not a bad idea, but we have clients who include location in the corporate email address. When an employee goes to a new location, he gets a new email address, and we can't associate his medical records with the new email address without significant additional effort under HIPPAA regulations.

    2. Why not have them enter their social security number?

    Management accesses client records by user name. It's not only a breach of privacy to give everyone's social security number to the entire management team, it's an absolute nightmare to try and figure out which nine digit number is the employee you want to review.

    3. Why not use their employee number?

    A username has to be unique. We have multiple clients. Eventually, two different people are going to have the same employee number.

    Each of these suggestions came up repeatedly from the same person (a middle manager) over the course of several weeks. Finally, we just put his proposals on the schedule as "rework login structure", and the much more reasonable client cut the feature during one of the schedule reviews.

    Sometimes corporate politics is your friend.

     



  • [quote user="welcor"]

    As for the reasoning, "A password is
    unsecure because a hacker only needs to discover a random string", it's
    fatally flawed.  What's the alternative?  If a login requires
    a username and password, the hacker must now guess two random
    strings. 

    The thing you seem to be forgetting is the
    possible existance of many users on the same system. The hacker must
    not guess two random strings. He must guess a userid and the corresponding password. On a system with no userid, you'd just guess random passwords, until you hit someones
    account. Granted, if you were the kind of hacker going for a specific
    person, this would take the same time, but if you just want in, start guessing "1234", "qwerty", "kitty", and you'll be in in no time.

    [/quote]

     It's
    not a fundamental difference. Having to guess a user ID of length N and
    a password of length M is just as difficult as having to guess "only a
    password" of length N+M. A "password only" system is only less secure
    if you allow very short or easily guessable passwords, which is bad in
    a userid+password system as well. The real problem is that you lack a
    way to uniquely identify users in a safe way if you don't have user
    IDs.

     

    The reason you use a separate password and ID is that they fulfill separate and contradicting requirements:

    - A User ID must be unique, easy to remember and safe to display publically

    - A password must be hard to guess



  • mmm, my responce would be "Sure but i want to be able to set the password requirements"

     

    password requirments:
    password must contain 2 seperate part, seperated by a single space.
    the first part must be longer then 2 characters. ( ex.   JohnDoe )
    second part must be longer then 7 chracters and must contain atleast one special character or be a alphanummeric combination. (ex. !secret! )

     
    problem solved. 

    We now only have 1 unique password to identify users too :)
     

    disclamer: the requirements where sucked out of my thumb in under a minute)


Log in to reply