URLs as passwords (Score 1)
Just dealing with the problem of users and long passwords:
The problem of the user finding a long enough password is not hard.
For example, one could use a URL.
The one at the webpage I am currently at happens to be:
http://ask.slashdot.org/comments.pl?sid=117247&threshold=1&mode=nested&commentsort=0&op=Change
The hard part is remembering it.
What if a system:
1) asks a user to type in just the domain name for the URL they select [in this case, ask.slashdot.org]
2) and then uses a search engine to come up with a multiple choice list consisting of 4 or 5 URLs from that domain and has the user pick one of them
IF the correct domain is used, the correct URL will be listed as one of the choices.
Problems:
A) badguy can figure out the domain by watching for a choice that re-occurs every time that domain is used
B) The resource, or worse, the domain the URL is pointing to might be removed or no longer point to the same thing
C) user might not have an easy way of remembering what the full URL looks like and will find insecure ways to remember
D) something I haven't even thought of
Are the problems really that bad?
A) Have the system allow a domain to be used only so many times by the users on the network. Yes, the problem is still there, but it is harder to achieve.
B) The system could pretend that it still exists and create URLs that look similar to the one chosen. This solution has some of the same problems as problem A, as well as the fact that badguy can go look up the URLs to see if they exist.
C) The user is not likely to write out a whole URL if the URL is long enough; more likely, the user will write out the domain and some identifying mark from the URL. With a little patience, perhaps one can even train the user not to write down the domain name.
I am just a fool. Please let me know how bad this idea really is.
P.S.
Ah, just thought of something else: have the server get and display random URLs when given a domain, but then save that list and don't change it for a while. (I'd say don't change it at all, but then what if a user chooses a domain that badguy has already checked?)
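The scheme in the post (type a domain, then pick one of 4 or 5 URLs from a saved list), modelled as an added example that is not part of the original comment. The URLs other than the poster's own are hypothetical placeholders, the per-domain list is the fixed one the P.S. proposes, and the choice count and PBKDF2 parameters are assumptions. The last two functions make the security point explicit: the full URL is long, but once login is reduced to "a domain plus one of N", the secret an attacker has to guess is only the domain (problem A) times N.

```python
import hashlib
import hmac
import math
import os
from urllib.parse import urlsplit

# Constructed sample data: the saved, unchanging per-domain choice list that
# the P.S. proposes. Only the first ask.slashdot.org entry is the poster's
# real URL; every other URL here is a hypothetical placeholder.
FIXED_CHOICES = {
    "ask.slashdot.org": [
        "http://ask.slashdot.org/comments.pl?sid=117247&threshold=1&mode=nested&commentsort=0&op=Change",
        "http://ask.slashdot.org/article.pl?sid=EXAMPLE-A",
        "http://ask.slashdot.org/article.pl?sid=EXAMPLE-B",
        "http://ask.slashdot.org/search.pl?query=EXAMPLE-C",
        "http://ask.slashdot.org/faq.pl?op=EXAMPLE-D",
    ],
    "example.org": [
        "http://example.org/page1",
        "http://example.org/page2",
        "http://example.org/page3",
        "http://example.org/page4",
        "http://example.org/page5",
    ],
}

N_CHOICES = 5              # assumed: "4 or 5 URLs" in the post
PBKDF2_ROUNDS = 200_000    # assumed work factor for the stored hash


def enroll(url):
    """Enrolment: store a salted PBKDF2 hash of the full URL, not the URL."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", url.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def domain_of(url):
    """Domain the user would be asked to type for this URL."""
    return (urlsplit(url).hostname or "").lower()


def present_choices(domain):
    """Login step 1: given the typed domain, return the saved choice list
    (None for a domain the server has no list for)."""
    return FIXED_CHOICES.get(domain.lower())


def verify(record, chosen_url):
    """Login step 2: hash the picked URL and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", chosen_url.encode(),
                                 record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])


def login(record, typed_domain, pick_index):
    """The whole flow the post describes: type a domain, pick one of N."""
    choices = present_choices(typed_domain)
    if choices is None or not 0 <= pick_index < len(choices):
        return False
    return verify(record, choices[pick_index])


def nominal_bits(url, alphabet_size=64):
    """Strength the URL would have if it had to be guessed character by
    character (roughly 64 distinct URL characters assumed)."""
    return len(url) * math.log2(alphabet_size)


def effective_bits(candidate_domains, n_choices=N_CHOICES):
    """Guess space the multiple-choice design actually leaves: one domain out
    of the set an attacker considers likely (problem A) times one of N."""
    return math.log2(candidate_domains * n_choices)
```

Run `login(enroll(url), domain_of(url), 0)` for the poster's URL to see the flow succeed, then compare `nominal_bits(url)` (several hundred bits for a 94-character URL) with `effective_bits(1000)` (about 12 bits if the attacker narrows the domain to a thousand candidates): the hashing and constant-time comparison are sound, but the multiple-choice step, not the hash, decides how hard the account is to guess.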