Ofcom Do Security

[Ian Batten]

On 5 Aug 2010, at 10:51, Brian Gladman wrote:
>
> I REALLY loathe sites that enforce their own ideas on what should be  
> in passwords.

Birmingham Town Hall has a ticket booking system which enforces  
inappropriately strong passwords and, worse, a ten-password "cannot  
change to previous values" history.  The former means that you forget  
your password because you can't use your usual way of deriving one,  
the latter means that when you perform a password reset you can't set  
it to anything sensible.  The net result is that every time I buy a  
ticket I have to do a password reset.  I use Safari's password storage  
mechanism, but as clicking on the "reset" link in the reset mail also  
logs you in, I never actually log in using the new credentials and  
therefore am never offered the chance the save them.  You can only log  
in as part of buying a ticket, so you can't easily immediately log in  
manually with the newly set password so as to get your browser to  
offer to save it.  To get the password into the browser would involve  
buying a ticket, forcing a password reset, carrying it out, completing  
the sale, shutting down my browser, restarting and then going all the  
way through the purchase of another ticket up to the point of  
completion, and then cancelling right at the end.

The end result is that their elaborate password "security" is reduced  
to the password on my email account, which they cannot know the  
strength of, because I am resettting for every purchase.  I've  
complained, but they haven't had the courtesy to do more than forward  
it to their developers.   Guidelines for systems handling sensitive  
personal data or protectively marked material are I think less  
stringent.  It's a classic case of letting the geeks play at security  
without actually thinking about usability issues.

ian