security

The end of passwords?

August 1st, 2012  |  Tags: ,  |  Leave a comment

My pal Ben Brown (who has known me so long that he remembers a time when I could vote without antiemetics) has an interesting proposal to manage login credentials; Ben begins by describing a pattern that I’ve absolutely used for some infrequent-login sites:

My personal solution to the too-many-password problem is to use completely random, automatically generated password when I create an account. Most websites will allow me to stay logged in forever, and on the odd occasion that I need to log in again, a password reset tool will send a link to your email account that will allow me to login again. This way, I don’t really have a password, but I can always gain access to any account, as long as I still have access to my secure email account.

His solution is to eliminate passwords altogether and email a unique, expiring login link to users when they wish to log in. Read the whole piece (and his followup) for the argument, which I find convincing.

In fact, I used a variant of this approach for SVP, a service I developed because I hate Evite and wanted to invite people to my birthday party in 2007. (After all, most of my friends are too popular and sophisticated to be particularly happy about managing credentials for a one-off site that some curmudgeon made to avoid using the ubiquitous alternative.) When I’d invite people to events, they’d get an email with a link that would log them in to RSVP for that event. Users could set passwords, but the site interaction model was designed to never require them. It was pretty successful on a (very) small scale: I had around 50 invitees/users and probably ten events before I stopped using the service, but everyone who wanted to come over seemed to be able to reply and no one complained about it to my face.

Two almost comically depressing links

November 8th, 2010  |  Tags: ,  |  4 Comments

Roadside assistance

It looks like Eagle, CO might be as bad a place to ride a bike as it is to be a 19-year-old female hotel employee. Apparently, Vail Valley District Attorney Mark Hurlbert is willing to avoid pursuing felony hit-and-run charges against an investment banker who ran over a cyclist and only stopped to phone Mercedes roadside assistance in order to report the damage to his car. His rationale is that a felony conviction would negatively impact the perpetrator’s career.

One might assume that Hurlbert is merely weary of the increasing criminalization of the American public, and that he allowed this (admittedly completely egregious) offense to slide with misdemeanor charges in order to make some ideological statement about the nature of punishment. One would be wrong, though, as Hurlbert has also pursued felony criminal-impersonation charges against two women who exchanged race numbers for a mountain-bike event.

There’s not a lot I can say about this story without using naughty words. However, I would like to apologize to the town of Middleton, WI, for anything negative I have ever said regarding its climate for cyclists. I’ll take antipathy and incompetence over corruption and abject hostility any day.

Cargo cult security

Bruce Schneier points out that the future of in-flight wi-fi is in doubt as a result of the attempted cargo plane bombings on UPS flights from Yemen; while these package bombs did not have internet-enabled triggers, such a trigger exists in the realm of logical possibility, so it’s obviously better to outlaw in-flight internet access altogether.

Schneier notes that this will not prevent any known class of attack (and, indeed, leaves less-sophisticated bomb triggers involving timers and altimeters completely unaffected). Personally, I assume that every passenger and bag will soon have to pass through an electromagnetic pulse, right after the security groping and peepshow.