Subject:
|
Re: PW validation
|
Newsgroups:
|
lugnet.admin.general
|
Date:
|
Mon, 24 Apr 2000 03:25:48 GMT
|
Viewed:
|
3178 times
|
| |
|
|
In lugnet.admin.general, Richard Franks writes:
> I'd be happy with a user-responsible password for membership logins
> (ie 90% of membership use including posting privilidges), but with
> authorisation through a LUGNET-validated password for more intimate
> services (ie financial). I think Todd suggested that 2-tier password
> scheme already?
Ya, sorta... But not so much two different states of logins as two tiers of
passwords which would both be required (only if you wanted it that way) before
you'd be considered actually logged in. In other words, you could give two
passwords (one strong, one weak), leaving one in a cookie permanently and
putting the other in a cookie only temporarily.
When might something like that be useful? Say you'd like to log in from work
during the workday, but you don't want to leave yourself logged in while you're
away from the keyboard (at lunch, in a meeting, in the loo, etc.), but for
practical reasons, you don't want to type a full-strength password every time
you log in.
The two-password combination would allow you to log in "halfway" using a
first password which would go into a first cookie on your machine. You could
leave that there 24 hours a day without worrying about abuse because it would
be useless to anyone without the other half. Then, when you wanted to log in
for real, you could use a second password (this one could be really simple and
weak and easy to remember) and this would go into a second cookie on your
machine. You'd want that second cookie to stay only as long as you were at
your keyboard -- then when you logged out, only the second cookie would be
deleted.
In other words, think of it this way: Instead of having two passwords in
order to log in, you have two _halves_ of a single password -- kind of like
the medallion in the first Indiana Jones film.
BTW, speaking of two- or multi-tier login states... There won't actually
_be_ a change-password facility per se... Instead, there will be an create-
new-password and a delete-old-password facility. It's important that there
be both because passwords are like keys: You can lose a key, but you tend
to have a back-up key just in case. So in that spirit, you'll be able to
give yourself any number of passwords that you want -- and delete old ones
(if you want) after your newer ones have "taken hold" in your mind and you're
absolutely positive that you don't need the old one anymore. A side-benefit
of having multiple passwords is retaining the option to later add login
attributes to the passwords -- i.e., you use password A to do simple things
(maybe from the public library or at work) and you use password B to do
complex things (say, only from home -- if you want that kind of separation).
Another benefit of multiple passwords is this: No matter how hard or how
many times you tell people never ever to give out their password to anyone,
people still sometimes do. If they're going to do it, it's best to give them
the benefit of the doubt and assume they're doing it for at least what they
consider to be a good reason. Thus, if they needed to give out their password
temporarily to, say, a relative helping them do something on their behalf for
whatever reason (I can't think of anything off-hand but I'm sure it'll come
up), they could actually create a new password just for that and then destroy
that password afterwards (say, the next day) -- all without having to
compromise their "real" password. And that's a benefit that happens purely
for free with zero extra coding, once you have the ability to add and subtract
passwords from a list.
--Todd
|
|
Message is in Reply To:
309 Messages in This Thread:
(Inline display suppressed due to large size. Click Dots below to view.)
- Entire Thread on One Page:
- Nested:
All | Brief | Compact | Dots
Linear:
All | Brief | Compact
|
|
|
|
