[thelist] Usernames and Passwords

Bill Moseley moseley at hank.org
Tue May 1 12:12:55 CDT 2007


On Tue, May 01, 2007 at 04:36:03PM +0100, Lee Kowalkowski wrote:

BTW -- 
> I think email address alone (as a synonym for username) should be your PK.

Not primary key.  People can change their email address.

> If someone gets their password wrong, which user is this recorded
> against?  If you wanted to lock out a user (perhaps due to repeated
> failed authentication attempts), which would it be?

All.  Email addresses are unique at any point in time.


> > Often the application sends emails to users so everyone
> > needs an email address in the database.  People don't have to remember
> > a separate "login" if email address is used.
> 
> True, but they do need to remember which email address they used.

True.  And their password.


> > If someone can gain access to the database (to see the plain-text
> > passwords) then security is compromised regardless if passwords are
> > encrypted or not.
> 
> Yes, security on your system is compromised, depending on what an
> attacker is after, they will probably go straight for the data itself
> rather than passwords, but if people tend to use the same email
> address and password on many systems, security is compromised for all
> the other systems too.  Now, is that completely the user's fault?
> Maybe ultimately, but your once-loyal users aren't going to be too
> happy about that.
> 
> I think "security is compromised anyway" is a feeble excuse for
> storing passwords as plain-text.

Well, I need to spend time digging up that research paper I read a few
years back.  Their findings were that overall some tight security
measures on the server side ended up making the system less secure due
to the user compensating for the bother of the tighter security.


> > One problem is that in this setup passwords (and account
> > confirmations) are sent over email, which is not very secure.  So, if
> > someone can sniff the user's email they can see their password.
> 
> Yes, and people tend not to delete their email completely.  Let the
> user choose their own password over an SSL connection.

They can.


> > I'm not sure if that's more likely a risk than someone walking by
> > their office and finding their "post-it" with their password written
> > on their screen or just using their browser with the password saved.
> 
> No, but that's not your responsibility, and should not be in your
> arsenal of excuses.

The user is 1/2 the security system.  You can't ignore what the user
might do.



-- 
Bill Moseley
moseley at hank.org
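As an added illustration of the account layout argued for in this reply (not code from the thread or from either poster): a surrogate id is the primary key, the email address is unique but can change, the password is stored as a salted hash rather than plain text, and failed-login counts are recorded against the account row, so a lockout has one clear target. The table, threshold and sample accounts are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo values: a small lockout threshold and a PBKDF2 work factor.
LOCKOUT_THRESHOLD = 5
PBKDF2_ROUNDS = 200_000


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash: a database leak does not hand out reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    # id is the stable key; email is merely unique at any point in time.
    db.execute("""CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        email TEXT NOT NULL UNIQUE,
        salt BLOB NOT NULL,
        pw_hash BLOB NOT NULL,
        failed INTEGER NOT NULL DEFAULT 0)""")
    return db


def create_user(db: sqlite3.Connection, email: str, password: str) -> int:
    salt = os.urandom(16)
    cur = db.execute("INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
                     (email, salt, _hash(password, salt)))
    return cur.lastrowid


def change_email(db: sqlite3.Connection, user_id: int, new_email: str) -> None:
    # The account (and its failed-attempt history) keeps its id; only the email moves.
    db.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, user_id))


def login(db: sqlite3.Connection, email: str, password: str) -> str:
    row = db.execute("SELECT id, salt, pw_hash, failed FROM users WHERE email = ?",
                     (email,)).fetchone()
    if row is None:
        return "unknown"            # no account row exists to count this against
    user_id, salt, pw_hash, failed = row
    if failed >= LOCKOUT_THRESHOLD:
        return "locked"             # refuse before checking the password
    if hmac.compare_digest(_hash(password, salt), pw_hash):
        db.execute("UPDATE users SET failed = 0 WHERE id = ?", (user_id,))
        return "ok"
    db.execute("UPDATE users SET failed = failed + 1 WHERE id = ?", (user_id,))
    return "bad"
```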