Let Me In
Posted on 3rd April 2008
The problem with those who get high and mighty about username/password site logins is that they often pick examples where you really do want some degree of protection, not from yourself, but from others. Of the 16 Account Design Mistakes listed in Part 1 and Part 2 by Jared M. Spool, most are good advice for developers; however, some use examples where the sites are quite right to be obscure.
Take #13, "Not Explaining If It's The Username or Password They Got Wrong", which goes on to hold up Staples and American Express as the worst offenders. I'm sorry, but if I have accounts with companies like that, there is no way on earth I want them giving crackers hints as to whether it was my username or my password they got wrong: a message like that confirms which usernames exist, and so which accounts are worth attacking. Those kinds of sites hold VERY sensitive personal information, not least your credit card details. If Jared is that eager to share his financial information, I'm now wondering whether he publishes it on his personal website. Could it be that the very security he ridicules actually protects him from identity theft?
Another is #16, "Requiring More Than One Element When Recovering Password", where a company requires some additional piece of account information rather than just your email address. Again, this is a company that holds your credit information and, by the sound of it, some very personal information (such as a phone number). Does Jared post his personal phone number on his website? I doubt it, as I assume he doesn't want all and sundry knowing it and exposing him to yet more identity theft.
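The two points above (#13 and #16) come down to the same thing: any response that differs depending on whether an account exists lets an attacker enumerate accounts. The following is an added example, not code from the original post or from Spool's articles, showing the leaky and the non-leaky form of both the login check and the recovery request side by side. The user store, the PBKDF2 hashing, the fixed salt and the "last four digits of the phone number" second element are all constructed for the illustration.

```python
"""Added example: one failure message for login and recovery, regardless of cause.

The *_leaky functions reveal whether an account exists; the *_hardened ones make
the same decision but return a single generic message and do the same amount of
work on every failure path. Everything below is a hypothetical demo store.
"""
import hashlib
import hmac

GENERIC_LOGIN_FAILURE = "Invalid username or password."
GENERIC_RESET_ACK = "If those details match an account, a reset link has been e-mailed."


def _hash_password(password, salt):
    # PBKDF2-HMAC-SHA256 keeps the demo dependency-free; a real service would use
    # a tuned work factor, or argon2/bcrypt from a maintained library.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


# Constructed sample store (not real accounts). A fixed salt keeps it deterministic.
_SALT = b"example-salt-0001"
USERS = {
    "alice": {
        "salt": _SALT,
        "hash": _hash_password("correct horse battery staple", _SALT),
        "email": "alice@example.com",
        "phone_last4": "4242",
    },
}
# Stand-in hash for unknown usernames: it never matches, but hashing the supplied
# password against it costs the same as a real lookup, so timing does not leak.
_DUMMY_HASH = bytes(32)


def login_leaky(username, password):
    """Spool's preferred design: the message says which field was wrong."""
    if username not in USERS:
        return False, "No such username."
    record = USERS[username]
    if not hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"]):
        return False, "Incorrect password."
    return True, "Welcome back."


def login_hardened(username, password):
    """Same decision, one failure message, equal work whether or not the user exists."""
    record = USERS.get(username)
    salt = record["salt"] if record else _SALT
    expected = record["hash"] if record else _DUMMY_HASH
    match = hmac.compare_digest(_hash_password(password, salt), expected)  # always computed
    if record is None or not match:
        return False, GENERIC_LOGIN_FAILURE
    return True, "Welcome back."


def request_reset_leaky(email):
    """Single-element recovery that also confirms whether the address is registered."""
    for name, rec in USERS.items():
        if rec["email"] == email:
            return name, "Reset link sent."
    return None, "No account with that e-mail address."


def request_reset_hardened(email, phone_last4):
    """Two elements to recover, and the same acknowledgement either way.

    Returns (account_to_issue_token_for_or_None, message). Only the message goes
    back to the caller; the account name drives the e-mail that is (or is not) sent.
    """
    target = None
    for name, rec in USERS.items():
        if rec["email"] == email and hmac.compare_digest(rec["phone_last4"], phone_last4):
            target = name
    return target, GENERIC_RESET_ACK


if __name__ == "__main__":
    for fn in (login_leaky, login_hardened):
        print(fn.__name__, fn("alice", "wrong"), fn("mallory", "wrong"))
    print(request_reset_leaky("nobody@example.com"))
    print(request_reset_hardened("nobody@example.com", "0000"))
```

The generic message only buys anything if every other channel is equally quiet: the registration form must not say "that username is taken", the recovery form must not say "no such address", and the unknown-user path must not return measurably faster than the wrong-password path (hence the unconditional hash above). Rate limiting and lockout still belong in front of all of this.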
Don't get me wrong, Jared lists some good thoughts about username/password site logins, but the context in which he ridicules some sites and companies is grossly misplaced. The problem is that he thinks only in terms of making life easier for the legitimate user, forgetting that the same changes make life easier for those of a more malicious nature too. On all, or nearly all, of the sites I have a login for, the login is there to protect my account from abuse. I know there are sites out there that only use your login to store customisations, but I don't use them. Even on sites that hold no personal information, I would not want anyone breaking in. If you're happy to make it easy for someone to log in to your blog account and post spam, abusive or malicious content, then fine, make it easy. The rest of us would rather have some form of protection on the account that makes it a little harder for others to get through.