The insoluble problem of passwords

Sun, 24 August, 2008

When I'm asked to provide a password, I have a system for coming up with great passwords:

  • It's long
  • It's unique to the site
  • It contains some non-alphanumeric characters
  • The alphabetical portion of it is composed of letters that alternate left and right hands, making it fast to type.

Unfortunately, my system is too good for most sites. Even sites for large, should-know-better organizations commit some heinous password atrocities:

  • Non-alphanumeric characters aren't allowed
  • Passwords are restricted in length, sometimes to eight characters.

Gah! NEVER LIMIT COMPLEXITY. In 2008, we now use "passphrases", and if a user wants to enter a novella, you should let them. The other thing that makes me cringe about an eight-character limit is that a salted hash is the same size whether the input is eight characters or eight hundred, so a hard cap on input length at least hints that the input itself is what's being stored. I have a creepy feeling that my password is sitting in the clear in an eight-character field, no salt, no hash.

The result is that my brilliant system is undermined, and I have a lot of passwords that all stray from the system just enough to make the system useless. So, in 2008, I have a text file called logins.txt, with all my passwords. Well, I did a few hours ago anyway.

Thanks to GNU Privacy Guard (GnuPG, the gpg command), it's encrypted. I'm also in the process of moving contacts from Gmail into a similar, encrypted file, since I don't at all trust GOOG to keep this information secure (and also since I'm trying to wean from Google's pervasive services - they won't always be the world's tech darling - I'll elaborate more on this another day).

GPG will work great when I need to read my passwords file - one quick command. But writing, say, a new password to the file isn't an "in-place" operation. I'll have to decrypt, edit, encrypt, and remember to delete the decrypted copy - a shell script may emerge to automate this.
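The decrypt, edit, re-encrypt, delete cycle as one command, written here as an added example rather than the post's own script (the post only says one "may emerge"). It assumes the file was encrypted with gpg's symmetric mode; for a file encrypted to your own key, replace the --symmetric line with --encrypt --recipient KEYID. The names scratch_dir, wipe_file, edit_encrypted and the GPG_OPTS variable are this example's own, not anything the post or GnuPG defines.

```shell
#!/bin/sh
# pwedit.sh: decrypt -> edit -> re-encrypt -> wipe the cleartext, as one command.
# Added example, not the post's own script. Assumes the file was made with
# `gpg --symmetric`. GPG_OPTS (hypothetical, for non-interactive use) is passed
# to every gpg call, e.g. "--batch --pinentry-mode loopback --passphrase ...".
set -eu

# Where the cleartext copy lives. /dev/shm is RAM-backed on Linux, so the
# decrypted file never reaches the disk; elsewhere fall back to TMPDIR.
scratch_dir() {
  if [ -d /dev/shm ] && [ -w /dev/shm ]; then
    printf '%s\n' /dev/shm
  else
    printf '%s\n' "${TMPDIR:-/tmp}"
  fi
}

# Overwrite, then unlink. Overwriting is best effort only: journaling filesystems
# and SSD wear levelling can keep the old blocks, which is why scratch_dir
# prefers tmpfs. Uses shred when available, otherwise a single urandom pass.
wipe_file() {
  f=$1
  [ -e "$f" ] || return 0
  if command -v shred >/dev/null 2>&1; then
    shred -u "$f"
  else
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -gt 0 ]; then
      dd if=/dev/urandom of="$f" bs="$size" count=1 conv=notrunc 2>/dev/null
    fi
    rm -f "$f"
  fi
}

# edit_encrypted FILE.gpg [EDITOR_CMD]
# Runs EDITOR_CMD (default $EDITOR, else vi) on a decrypted copy, re-encrypts
# it, and wipes the copy whether or not the editor or gpg succeeded. The body
# is a subshell so the trap and umask do not leak into the caller.
edit_encrypted() (
  enc=$1
  editor=${2:-${EDITOR:-vi}}
  umask 077                                  # scratch copy is owner-only (0600)
  tmp=$(mktemp "$(scratch_dir)/pwedit.XXXXXX")
  trap 'wipe_file "$tmp"' EXIT INT TERM      # fires on error and on Ctrl-C too
  gpg --quiet --yes ${GPG_OPTS:-} --output "$tmp" --decrypt "$enc"
  $editor "$tmp"
  # Encrypt to a sibling file and rename over the original, so a crash
  # mid-write can never leave the passwords file truncated.
  gpg --quiet --yes ${GPG_OPTS:-} --symmetric --cipher-algo AES256 \
      --output "$enc.new" "$tmp"
  mv -f "$enc.new" "$enc"
)

# Usage: pwedit.sh logins.txt.gpg
if [ "$#" -eq 1 ]; then
  edit_encrypted "$1"
fi
```

The editor only ever sees the scratch copy, and the ciphertext is replaced by rename, so an interrupted edit leaves the old encrypted file intact. The wipe is the fallback; keeping the scratch copy on tmpfs is what actually keeps the cleartext off the disk.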

Is there a better way to handle this problem? I'm aware of password manager programs, but I prefer a non-GUI solution, and anyway a more generalized solution is better, since I'm trying to keep contacts here also and maybe other files.

On OpenID

I have an OpenID, since it's required for my blog's comment system. Strangely, this is the only software I use that allows OpenID for authentication, which is a little sad. It's a grand idea - basically a single sign-on for the web. Realistically, though, only the Web 2.0 startups seem to be excited about it. Yes, I'd like to see the effort succeed, but I can't imagine people going through the trouble of porting an existing authentication infrastructure to support it. Certainly the banking sites I use, which presumably store my 8-char-max password in clear text in a DB2 database on a mainframe, can't be bothered with it.

Update from last week

My socket sprint has gone well. I've written eight socket servers, all identical, but mostly from memory. No longer shall I shudder at a socket task.

About Me

Erik Mackdanz is a software developer in Austin, Texas, along with everybody else.