You are here


Identity theft, airport security, and coincidences

Airport Screening

OK, my name is Richard Smith, and it's a common name. My wife's name, however, isn't especially common. The combination of the two is even rarer. A party traveling by air matching those two names is even rarer.

It finally happened. Wednesday. Same flight.

Post category: 

Trying Disqus

I am tired of doing site maintenance - it gets in the way of things I ought to be doing instead.

The only reason I want users to log in is to post comments. I've decided to try one of these all-in-one comment management sites. I tripped over Disqus a while back and now I'm giving it a try.

Post category: 

"Cracking" Passwords

There's been buzz in computer hardware blogs over the past few days about how faster processors (and GPUs in particular) are rendering strong passwords "useless." One experimenter, named Vijay Devakumar, posted a description of his success at cracking passwords, which has been recently picked up by bloggers on

Post category: 

Time - Again - For Trustworthy Computing

Saul Hansell of the Washington Post has posted an article about real time attacks on one-time password tokens like SecurID and SafeWord. The strategy is to steal a user's one-time password after it is typed in and redirect it to a hacker to exploit immediately. The attack relies on Trojan software that has installed itself in the victim's computer.SecurID Card

One time passwords were not designed to protect against this type of thing. Once you have that sort of trojan, there's no way to use your computer reliably. Attackers can intercept what you're doing, change it to benefit them, and you won't know what happened until you look at your bank statement.

The only way to protect against such things is to ensure that your computer has not been hacked. This is hard, since there are lots of ways to attack a computer and not nearly as many ways to protect it.

Post category: 

Managing Your Passwords

In 2009, another blogger posted an article on password problems that suggests 10 hard-to-follow rules.

The author highlights an important problem: attackers can do systematic trial-and-error guessing attacks against on-line sites. She focuses on a Google Gmail problem recently reported on Full Disclosure.

Here's the point: use strong protection on high-value targets. Take the time to protect your major e-mail account, your financial resources, and anything else you really value. If you're going to slack off, do it when registering to post a one-off blog comment.

Let me take a stab at my own list of recommendations.

Post category: 

Revising OpenID for WordPress

Will Norris is working on a revision to OpenID for WordPress. This is good, and I have some observations and suggestions. At the moment the OpenID plugin works pretty well - I have separate logins delegated through domains I own. I routinely log in through OpenID for both routine and administrative activities.
Post category: 

Design Patterns for Identity Systems

These are design patterns in the Christopher Alexander sense rather than the object oriented design sense: they address the physical and network environment rather than focusing on software abstractions. The patterns were introduced in my book Authentication.


There are four patterns: local, direct, indirect, and off-line.


Post category: 

Password Resetting Considered Harmful - duh!

It used to be that the default password was your mother's maiden name, your SSN, your birthdate, or something like that. Now you have to pick a password, and your 'password recovery' questions are based on those old stand-by questions. So you can still break in to a person's accounts by answering those classic questions.

There have been some interesting recent reports about the use of personal questions for password resetting, and Bob Sullivan has summarized them in a recent posting.

This problem will only disappear over time, as people learn how NOT to lose security credentials.

Post category: 

OpenID Delegation on WordPress

Thanks to Gary Krall, tech director of PIP at Verisign, I have a recipe for "works every time" OpenID delegation with their free PIP service. First, what is OpenID delegation?

Delegation lets you use your very own URL as your identity URL for logging in with OpenID. For example, I can use to log in to web sites. To do this, you have to provide some special statements (a.k.a. magic) in your HTTP files that redirects the OpenID process from your web site to the service that actually does your OpenID authentication.

Post category: 

OpenID Works!

Thanks to the help of Will Norris, one of the authors of the WordPress OpenID plugin, I've managed to get it to work. I will include some notes on using OpenID in a permanent page.
Post category: 


Theme by Danetsoft and Danang Probo Sayekti inspired by Maksimer