Just A Summary : The authentication tarpit
http://www.bofh.org.uk/articles/2008/01/29/the-authentication-tarpit.rss
Piers Cawley Practices Punditry

Comment on The authentication tarpit by Sam Ruby
Tue, 29 Jan 2008 08:14:27 -0600
http://www.bofh.org.uk/articles/2008/01/29/the-authentication-tarpit#comment-1201

Authentication sucks, no two ways about it. Each mechanism introduces more problems.

Question: with Nokia’s LifeBlog mobile app, does the user enter their password each time, or is it saved away in some profile some place?

If the latter, then have the server generate some password for the user. It could be unique to this interface, or simply a hash of the hashed password you already have. Have the user obtain this password by navigating to a web page where you authenticate the user by whatever means you like, and have them enter that password in their profile.

Comment on The authentication tarpit by Piers Cawley
Tue, 29 Jan 2008 09:00:49 -0600
http://www.bofh.org.uk/articles/2008/01/29/the-authentication-tarpit#comment-1202

Apparently that’s what Flickr already do and it looks like it’s going to be what we do too. It’s just really bloody annoying.

Comment on The authentication tarpit by Vincent Palmer
Tue, 29 Jan 2008 09:04:08 -0600
http://www.bofh.org.uk/articles/2008/01/29/the-authentication-tarpit#comment-1203

@Sam, Nokia’s do save the password, not sure about other devices. Flickr have approached this problem too and use a separate password for APP.

Comment on The authentication tarpit by Rodger
Wed, 30 Jan 2008 02:32:05 -0600
http://www.bofh.org.uk/articles/2008/01/29/the-authentication-tarpit#comment-1204

GAAAAAAAAAAAAAAAHHH!

This profession would be a damn sight more enjoyable if people didn’t insist on making the same bloody mistakes when tackling well-known problems again and again and again and again.

If medicine was like this every operation would start with a rediscovery of anatomy from first principles…

Comment on The authentication tarpit by Piers Cawley
Wed, 30 Jan 2008 08:25:22 -0600
http://www.bofh.org.uk/articles/2008/01/29/the-authentication-tarpit#comment-1205

It’d be a damned sight more enjoyable if dodgy decisions didn’t get baked into hardware by mobile phone companies eager to jump the gun, thus forcing the rest of us to implement the broken solution ad infinitum.

The flickr style workaround is probably the least awful proposition given where we are now, but sometimes you just have to despair.

Comment on The authentication tarpit by Yossef
Thu, 31 Jan 2008 13:55:10 -0600
http://www.bofh.org.uk/articles/2008/01/29/the-authentication-tarpit#comment-1208

I use 1password, but there are still a few passwords (or them with small site-oriented variations) all over the place. This is partly because I just got 1password from the recent MacHeist, but also because I don’t like the idea of only being able to sign in to certain places from one computer (or specific computers, because I think there’s a way to have a central store).

Comment on The authentication tarpit by Piers Cawley
Tue, 05 Feb 2008 02:22:00 -0600
http://www.bofh.org.uk/articles/2008/01/29/the-authentication-tarpit#comment-1210

I use 1password + .mac keychain syncing, so I get to use it with all my macs. As I no longer own any computers that don’t run OS X, this is good enough for me.

Comment on The authentication tarpit by Gunnar
Tue, 22 Apr 2008 11:37:10 -0500
http://www.bofh.org.uk/articles/2008/01/29/the-authentication-tarpit#comment-1400

Why send the authN creds to the server at all?

http://1raindrop.typepad.com/1_raindrop/2008/04/a-claim-by-any.html