Friday, January 8, 2010

Security Done Wrong

If you know much at all about computer security, and more specifically authentication and passwords, you know that the problem is immensely difficult. You have to deal with the tension between impossible-to-remember strong passwords and easily-remembered-but-easily-cracked user-created ones. It is not an easy problem to solve, and it seems no traction has been gained on it in recent years.

I did come across a case where someone has taken security to a ridiculous extreme. I was trying to order some transcripts from the University of Louisville, and I haven't been a student there since 2002. At first it didn't seem so bad: I was able to dredge up my student ID number to get my username and then got my password reset. Great, that was easy, now just log in and request a transcript... Nope. I have to have a PIN to log in to the registration system, not my regular password that is used for everything else. No recovery option available either. Ugh. Grabbed the phone and called the registrar to get it straightened out. The man was very friendly, took my student ID and some authentication information. Good, sounds like he can help.

"Now the PIN is a 6-digit number that you made up when you became a student. If you were going to make a 6-digit number what would it be?"

My mind went blank. Ummmm?! "Maybe it was my birthday?"

"No sir, that is a date." This is when I knew I was in trouble. I tried the 6-digit form of my birthday and no dice.

"I really have no idea what it would be."

"Well then you will have to mail in the transcript request form."

"There's no way of retrieving or resetting it?!"

"No sir, it was set by you and we cannot do anything to it."

What a terrible system. If you are a student using the system every semester to register and such (assuming registration uses the PIN), this would be fine. But is it a realistic expectation that I will remember a number I made up 8(!) years ago from a totally different place in my life?
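The registrar was right that a properly stored PIN cannot be read back; the design flaw is that it also could not be reset. The following is an added illustration, not code from the post or from the University of Louisville's system, of how the two properties separate: the PIN is kept only as a salted PBKDF2 hash (unrecoverable), while a staff-initiated, single-use, time-limited reset token provides the recovery path the author was denied. The account store, the student IDs, the token lifetime and all function names are constructed for this example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores for the example (assumption: a real system would
# persist these). ACCOUNTS maps student ID -> {salt, pin_hash}; RESET_TOKENS maps
# a one-time token -> (student ID, expiry timestamp).
ACCOUNTS = {}
RESET_TOKENS = {}
RESET_TTL_SECONDS = 15 * 60  # constructed lifetime for a reset token
PBKDF2_ITERATIONS = 200_000  # constructed work factor


def _validate_pin(pin: str) -> None:
    # Mirrors the post: the PIN is a 6-digit number chosen by the student.
    if not (pin.isdigit() and len(pin) == 6):
        raise ValueError("PIN must be exactly 6 digits")


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, iterated hash: staff can verify a PIN but never read it back.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def set_pin(student_id: str, pin: str) -> None:
    _validate_pin(pin)
    salt = os.urandom(16)
    ACCOUNTS[student_id] = {"salt": salt, "pin_hash": _hash_pin(pin, salt)}


def verify_pin(student_id: str, pin: str) -> bool:
    rec = ACCOUNTS.get(student_id)
    if rec is None:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(rec["pin_hash"], _hash_pin(pin, rec["salt"]))


def issue_reset_token(student_id: str, identity_verified: bool, now=None) -> str:
    """Staff call this only after an out-of-band identity check, the same kind
    of student-ID-plus-authentication-details check the registrar performed
    over the phone. The token is unguessable, single use and short lived."""
    if not identity_verified or student_id not in ACCOUNTS:
        raise PermissionError("identity not verified or unknown account")
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(24)
    RESET_TOKENS[token] = (student_id, now + RESET_TTL_SECONDS)
    return token


def reset_pin(token: str, new_pin: str, now=None) -> bool:
    """Consume a reset token and install a new PIN. Returns False for an
    unknown, already-used or expired token; the old PIN is never revealed."""
    _validate_pin(new_pin)
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(token, None)  # pop makes the token single use
    if entry is None:
        return False
    student_id, expires = entry
    if now > expires:
        return False
    set_pin(student_id, new_pin)
    return True


if __name__ == "__main__":
    # Constructed walk-through: a student sets a PIN, forgets it years later,
    # and a verified reset restores access without anyone learning the old PIN.
    set_pin("S0001", "123456")
    token = issue_reset_token("S0001", identity_verified=True)
    print("reset accepted:", reset_pin(token, "987654"))
    print("new PIN works:", verify_pin("S0001", "987654"))
```

The `now` parameter exists so expiry can be exercised deterministically; in production it would simply default to the clock. The key design point is that `reset_pin` never needs the old PIN, so "we cannot do anything to it" is a policy choice, not a technical necessity.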

"Sorry, Mr. President, we can't launch the Earth-saving device until we get your identity authentication passphrase! You set it 45 years ago when you turned 18 and it's impossible to recover. Now what is it before humanity is destroyed?"