NYCPHP Meetup

NYPHP.org

[nycphp-talk] Relax your password rules

David Krings ramons at gmx.net
Tue Jun 10 16:05:51 EDT 2014


On 6/10/2014 9:26 AM, Jerry B. Altzman wrote:
> The notion of "I don't have FB, therefore nobody should force FB auth" is
> equivalent to saying "we must absolutely positively backwards support IE6".
> This is 2014, sorry, if you don't want any social media accounts, that's your
> prerogative, but the vast majority of everyone else does.

Likewise, I could claim that it is incorrect to conclude that just because you 
have an FB account everyone else has or should have one, too. Some sites 
insist on using only FB accounts or publish info only on their FB page that 
requires an FB account to view.
Yes, that is their prerogative, but a pretty dumb move if the point is to get 
people to use your services. And given the security track record of FB I am 
not so sure if I'd call that securing anything.

>
>> And offer more options for the second factor. For example, I do not have a
>> smartphone (yes, saves a lot of money every month). So unless you can figure
>> out how to send an SMS to my landline forget it. In 2014 it should be
>> possible to dial my phone and use voice recognition to confirm a pass phrase.
> In fact, Sprint will do text-to-voice if it detects a voiceline (or at least
> it used to). But once again, we shouldn't aim towards supporting IE6 forever.

Landlines and dialup are still the only means of connectivity for many, 
especially in rural areas. Of course, if that is not part of the target 
audience then feel free to ignore it...and load up the pages with images and 
video.
The numbers only slowly go down in favor of satellite or cell service.

> We're also not optimizing the user experience for those using lynx...
> Remember that you are not the world.

Neither are you...my point is that by picking very specific 3rd party services 
to be used you exclude a good number of folks. Whether that matters is a case-by-case 
decision.


>
>>>> accounts most likely only need complex passwords [based on potential damage
>>>> of a compromised account...if a site manager can give out refunds and
>>>> credits for an e-commerce site, obviously you want to add extra security!]
>>> Yes, for these things, you almost certainly want a second layer of
>>> authentication atop the ones above. For these, little crypto keyfobs are
>>> great. If the potential financial loss is large, the client should not balk at
>>> the relatively small cost.
>>
>> I agree, but in best US fashion the industry miserably fails at agreeing on
>> a standard here. Then again, with any of these fobs you are authenticating
>> the fob, not the person holding the fob. For that you'd need biometrics
>> which is yet another can of worms.
> Indeed: you are assuming that the user has both something-you-know and
> something-you-have. Biometrics isn't foolproof either, viz.
> http://bbc.in/1oQshE4 (link is SFW).

Agreed, the gummi bear trick showed that nicely. Which brings me back to the 
point that if something is so hot that it needs the utmost security, then the 
public web might not be the place through which it should be accessible.

--David
