Many password. So changing. Much heartbleed

So #Heartbleed, perhaps the best software bug ever. I spent much of today checking websites and changing passwords. Fortunately, I use the Firefox password manager to store mine and sync them with the browser on my mobile phone, so I could open it, search for “https://”, and work through the list. I eventually used 30 or so random sequences from, starting with anything that had money attached. It was an advance on my plan, over a decade old, of using the names of Australian cattle stations.

That was fair enough, but I kept running into the same problem – I had to log in, root around in some e-commerce site to find the “change password” link, and then futz around still more to persuade Firefox to save the new password. The champion was probably a ticketabc site where I had to feign interest in a Pharcyde gig to change my password.

The problem that you can’t explicitly edit the passwords is solved with this extension, which also helps with some web sites that don’t flag the password fields properly. PayPal even stops you copying and pasting, to make absolutely sure you can’t use it without passing a typing test.

But this is all kludge. The main problem with passwords is that if they are any good, you can’t remember them. The other main problem with passwords is that if you can think them up, they probably aren’t any good. The other other main problem with them is that the whole life-cycle is so almost.

What I want is this: my Web browser generates a genuinely long and random password whenever I need one, and stores it. It fetches it whenever I want to log in. When I don’t want it any more, it deletes it. If there is some reason to think it’s been compromised, I press a button and the password is revoked and a new one generated.

Seems simple enough, and I was thinking about getting the JavaScript book out and making a browser extension…until I started changing the passwords. The problem is that there are so, so many daft, broken, almost ways of implementing simple password schemes. And wouldn’t it be that bloody horrible Verified by Visa mess that doesn’t either pass or fail the test for Heartbleed, when it is supposedly all that stands between my money and the scum of the Internet?, I’m looking at you.

What I want, then, is a simple standard that allows a Web site (or if you like, anything else using it) to trigger the creation of a password by the password manager, which then stores it for later use, and that provides for the password to later be changed. This must allow for an external device to generate the password if desired, for a master credential, and for the password store to be sync’d between machines if desired. It must also allow for a big REVOKE ALL THE THINGS button that causes all (or a subset) of the stored passwords to be expired and regenerated.

That’s basically an API with five calls:

>makePassword(site, username)

>login(site, username, password)

>logout(site, username)

>deletePassword(site, username, password)

>revokePassword(site, username, password)

and the fifth is really just a delete followed immediately by a make.

Why the hell hasn’t W3C done anything like this? It seems such a basic and useful project compared to the vast effort poured into the semantic web black hole.

Update: Naadir Jeewa objects.

I think he is wrong. Not only is OAuth in the sense of “sign in with Facebook”, i.e. the sense in which it gets used, a bad case of pre-Snowden thinking, it’s also true that it works for me about 25% of the time.

3 Comments on "Many password. So changing. Much heartbleed"

  1. My absolute favourite change password trick so far, other than the typing test one, has been the sites that have a hidden password length limit, but no actual check for the length.

    Sure sonny boy, I’ll let you input a 24 character password, but I’m invisibly truncating it down to unknown size before I hash (hah!) and store it.

    Honorable mention to the site that said it had 16 character password limit, but it was actually 15. (why is there even a limit anyway?)

    Also, the fact that only site I’ve gone through this thus far, has an obvious ‘delete account’ option, is beginning to annoy me. That needs to be in the api.


Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.