Rant on Web Security
I think I've reached my breaking point with superfluous web security implementations. I'm not talking about OAuth or OpenID or CAS or any of that stuff. Those things are good and serve their own purpose. What I'm talking about are the various safety mechanisms some websites are starting to use to ensure customer authentication. If you don't know what I'm talking about then check your local bank for starters, because banks and other financial institutions seem to love this sort of thing.
Every website that delivers individualized information or allows for some level of protected customization comes bundled with a username and password combination. These credentials keep your information and data yours and prevent them from becoming someone else's. Usernames and passwords are really a primitive form of validation when you stop and think about it. They're nothing more than a pair of strings that have to match, and the expectation is that the end user they belong to remembers them.
As long as I've been developing web sites and web software (almost seven years now) I've used this very basic form of validation to lock out access from some and grant it to others. My rules for these string combinations are pretty straightforward:
- Usernames and passwords are alpha-numeric.
- Usernames are case insensitive.
- Passwords are case sensitive.
- Usernames have to be a minimum of six characters (though I may make some exceptions for older software where I only required four).
- Passwords have to be a minimum of six characters.
Now some developers dress these rules up a little more: they require more characters, or perhaps one upper-case letter and one number in the password, etc. These requisites are fine; they ensure strings that will be difficult for a bystander to guess and thus a more secure environment for the end user.
One of the earliest augmentations to this simplicity I remember seeing was when users began to be required to change their passwords every X number of days. Personally I find this really annoying, but it works nonetheless and adds an additional layer of security to protecting the end user's credentials. Recently though, I've seen more augmentations, all of which, in my opinion, are worthless and actually make a site less secure.
What specifically am I referring to? Here's a list...
- Virtual Keyboards: Image icons of every letter and number whose order is scrambled. You have to click on each letter or number of your password, after first hunting for the character. The U.S. Treasury uses this as a method of validation for citizens to access their treasury accounts. Besides being stupid and laborious, it gives anyone looking over your shoulder just enough time to figure out what buttons you're pressing!
- Image Validation: When you register an account you select an image for authentication, and if you don't see that image when you're punching in your password you're supposed to call for help. I guess maybe this is designed to prevent phishing, but as a security safeguard it's absurd.
- Phrase Validation: Similar to the above, but with a phrase you designate.
- Separate Username & Password Pages: You enter your username on the first page, and then after submitting that form to the second page you enter your password. What's great about this is that it allows someone to guess at your username until they get it right; that's especially helpful when you're trying to figure out what an angry family member chose to secure their bank accounts online.
The last one seems to be especially prevalent and is perhaps the most insecure of all the available stupid options for "added security". My error delivery system (in most of my development) when informing the user about authentication trouble is pretty simple: if you enter either your username or your password wrong, I'm going to tell you that you entered either your username or your password wrong. If you're malicious then I don't want to give you a clue that you may have guessed something correctly. If you get both of them right then you either know something or are incredibly lucky.
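Here is what that single-message policy looks like in a login check, as an added example in Python and not code from the original post; the user store and the names `make_user_store` and `login` are assumptions for the illustration. It also does the same password-hashing work for an unknown username as for a known one, so the response time does not give away what the message hides, and it follows the rules above (case-insensitive usernames, case-sensitive passwords).

```python
import hashlib
import hmac
import os
import secrets

# Same error text no matter which field was wrong.
GENERIC_ERROR = "Invalid username or password."


def _hash(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256; any slow password hash would do here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(creds: dict) -> dict:
    """Constructed in-memory store: lowercased username -> (salt, hash)."""
    store = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        store[user.lower()] = (salt, _hash(pw, salt))
    return store


# Dummy record so an unknown username still costs one full hash computation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)


def login(store: dict, username: str, password: str):
    """Return (ok, message). The message never says which part was wrong."""
    key = username.lower()            # usernames are case insensitive
    known = key in store
    salt, expected = store.get(key, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)  # passwords are case sensitive
    # Constant-time compare; the dummy hash never matches, but keep the
    # explicit 'known' guard so an unknown user can never log in.
    ok = hmac.compare_digest(candidate, expected) and known
    if ok:
        return True, "Welcome back."
    return False, GENERIC_ERROR
```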
The multiple pages option is especially irritating to me because of the time it takes to get anything done. My time is precious, I firmly believe that. If you're going to waste it by taking extra time to let me get to the resource you're offering, then it's entirely possible that resource just isn't worth my time anyhow.
Now if I'm totally off base and someone has figured out valid reasons for these methods, please chime in; I'd surely love to know what they are...