2019-01-05

A comic about password safety

This 1966 comic below is a perfect illustration of what not to do to validate a password.

Context: Our heroes are fleeing the state police in a German-speaking dictatorship and are trying to reach a dissident network.




Common sense, amirite?


This is an English translation (mostly by artist Miriam Korver) of a page from "QRN over Bretzelburg", a graphic novel in the "Spirou and Fantasio" series. It was originally published in 1966.

The comic mocks a bad password management practice that should be obvious: when strangers ask you for a password, don't tell them the password and then ask them to confirm they already knew it. Common sense, right? Not only that, but the comic predates personal computing, so you'd think this lesson would be old hat by now, right?

And yet, to this day, it is still common to find web sites that send the password along with the page's JavaScript, using a check like:

```javascript
// The "secret" is embedded in code delivered to the visitor's browser.
if (user_typed_password === "Secret_P@SSW0RD!") { validate = true; }
```

Looking at the page source with Ctrl-U is all it takes to reveal the "secret".

Also very popular: After validating the password, the authentication page appends "&login=true" to the URL, and that extra parameter is what passes for access control. Want to access the site? Just paste that string after the URL!

Thank God, this type of amateurism is becoming increasingly rare.

Don't be like the bungling dissident in that comic. Do real authentication!



