Ofcom Do Security
Ian Batten
igb at batten.eu.org
Fri Aug 6 08:00:35 BST 2010
On 5 Aug 2010, at 10:51, Brian Gladman wrote:
>
> I REALLY loathe sites that enforce their own ideas on what should be
> in passwords.
Birmingham Town Hall has a ticket booking system which enforces
inappropriately strong passwords and, worse, a ten-password "cannot
change to previous values" history. The former means that you forget
your password because you can't use your usual way of deriving one,
the latter means that when you perform a password reset you can't set
it to anything sensible. The net result is that every time I buy a
ticket I have to do a password reset. I use Safari's password storage
mechanism, but as clicking on the "reset" link in the reset mail also
logs you in, I never actually log in using the new credentials and
therefore am never offered the chance to save them. You can only log
in as part of buying a ticket, so you can't easily immediately log in
manually with the newly set password so as to get your browser to
offer to save it. To get the password into the browser would involve
buying a ticket, forcing a password reset, carrying it out, completing
the sale, shutting down my browser, restarting and then going all the
way through the purchase of another ticket up to the point of
completion, and then cancelling right at the end.
The end result is that their elaborate password "security" is reduced
to the password on my email account, which they cannot know the
strength of, because I am resetting for every purchase. I've
complained, but they haven't had the courtesy to do more than forward
it to their developers. Guidelines for systems handling sensitive
personal data or protectively marked material are, I think, less
stringent. It's a classic case of letting the geeks play at security
without actually thinking about usability issues.
ian