My docomo cellphones have several "passwords". They don't properly explain them, and they don't give me a good reason to remember which does what, and (the real killer), they are all "PIN" in format -- "Personal Identification Number".
- One is for logging in to the phone to use it as a phone, if you choose to have a PIN for that.
- Another is for getting into the settings like your e-mail address or the phone number you are using.
- Another is for accessing e-mails you have decided to save in a "secret place". (I think. I don't use it, so maybe I'm remembering wrong.)
- Another is for getting onto the Internet if you want to pay through the nose to do that.
<sarcasm level="alert" />
Sure. Right. I'm sure the number 7738 identifies me. And about ten thousand slightly technical types who sometimes amuse themselves by looking at numbers upside-down. And 7734 uniquely identifies about a hundred thousand guys who get amused at getting to say naughty words where "no one will know".
<sarcasm level="off" />
4-digit PINs are so weak that, if I could try your bank account once a minute for a week, I'd get in.
The gory details:
0000 to 9999 is 10,000 possible PINs to choose from.
One try a minute, 60 minutes an hour, 24 hours a day, 7 days a week is
1 × 60 × 24 × 7, or 10,080 tries, which is more than 10,000.
You can't do that at an ATM, of course. The guards would get suspicious. (And that's also why the ATM eats your card on the third bad try.) But you could do that from the network, if the bank didn't lock your account on the third bad try. And even a lockout doesn't stop someone who tries the two or three most common PINs against thousands of accounts instead of thousands of PINs against one account.
8-digit PINs are a bit better. That's 100,000,000 possibilities, or at most 100,000,000 / 10,080 weeks, call it 10,000 weeks, which is what, (10,000/52) about a hundred ninety years? On average you'd be found halfway through, so figure ninety-five.
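The arithmetic above, carried through as a small model you can rerun with other guess rates and other kinds of secrets. This is an added example, not code from the original post; the 5,000-word dictionary and the three-word passphrase are assumptions of mine, as is the three-bad-tries lockout used for the coverage figure.

```python
import math

# Rate from the post: one guess per minute, around the clock, for one week.
GUESSES_PER_WEEK = 1 * 60 * 24 * 7  # 10,080


def pin_keyspace(digits: int) -> int:
    """Number of distinct PINs of the given length (0000..9999 for four digits)."""
    return 10 ** digits


def passphrase_keyspace(words: int, dictionary_size: int) -> int:
    """Keyspace of a passphrase built from `words` words drawn from one dictionary.

    ASSUMPTION (not in the post): the attacker knows the dictionary and knows the
    phrase is exactly `words` words long, so only the word choices are secret.
    """
    return dictionary_size ** words


def weeks_to_exhaust(keyspace: int, guesses_per_week: int = GUESSES_PER_WEEK) -> float:
    """Worst case for the attacker: every guess is wrong until the last one."""
    return keyspace / guesses_per_week


def weeks_on_average(keyspace: int, guesses_per_week: int = GUESSES_PER_WEEK) -> float:
    """Expected time: a uniformly chosen secret is found halfway through the space."""
    return weeks_to_exhaust(keyspace, guesses_per_week) / 2


def bits(keyspace: int) -> float:
    """Entropy in bits, assuming the secret was chosen uniformly from the keyspace."""
    return math.log2(keyspace)


def lockout_coverage(keyspace: int, attempts_before_lockout: int = 3) -> float:
    """Fraction of the keyspace an attacker can cover against ONE account before the
    bank locks it. Small, but note the same budget applies to every account the
    attacker can name, which is why a lockout alone does not defeat common-PIN sprays."""
    return attempts_before_lockout / keyspace


def report(label: str, keyspace: int) -> str:
    """One summary line per secret type, for the reader."""
    return (f"{label:>22}: {keyspace:>16,} possibilities, "
            f"{bits(keyspace):5.1f} bits, worst case "
            f"{weeks_to_exhaust(keyspace) / 52:,.1f} years at one guess a minute")


if __name__ == "__main__":
    print(report("4-digit PIN", pin_keyspace(4)))
    print(report("8-digit PIN", pin_keyspace(8)))
    print(report("3 words of 5,000", passphrase_keyspace(3, 5000)))
    print(f"coverage before lockout, 4-digit PIN: {lockout_coverage(pin_keyspace(4)):.4%}")
```

The three-word line is there because the post's "cherry ice cream" is three common words; even with the attacker knowing the word list and the phrase length, that is roughly 37 bits against the PIN's 13, and it is far easier to remember than eight digits.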
ATMs now use full touch-sensitive raster screens with on-screen keypads. They could easily shift from using hard-to-remember, mostly-meaningless PINs to using relatively easy to remember words for the shared secret function that allows you to use your ATM card.
Words. Or even full pass-phrases that you could change regularly and still have a chance to remember. Like:
- "cherry ice cream" in the summer.
- Change it to "roast turkey wings" in the fall.
- And, for the week of your anniversary, "loves them skooks" (for a reference to an ancient Popeye episode).
Microsoft Windows 8 has a place to disable password login, but it seems to entirely disable passwords when you do that.
I looked for an auto-login setting like you can get on Macs and Linux OSes, but I sure couldn't find it. Maybe I'm missing something, but Why-The-Friendly isn't that option right out in front?
Why entirely disable passwords ever? Isn't that a major SNAFU?
(Situation Normal, All Fouled Up. Normal for Microsoft, just like the money-magnet bureaucracy it started as and still is. Money is like pus -- it collects where the festering wounds in society are, right?)
Some people still talk knowingly about getting rid of passwords entirely. They don't seem to understand the difference between a passphrase and a password. The difference is zero, except that the user isn't as surprised that a passphrase is long. And you collect all your really long, esoteric, unguessable keys into a keystore protected by a single passphrase.
("cherry ice cream" is a passphrase, if you must. Not a really good one, but better than "7738".)
Any secret token system is a secret token system -- sort-of equivalent to when the guys on your block agreed that you had to say, "The north wind blows foul." to get into the clubhouse.
Religious tokens are different, by the way. If you understand the theology well enough to be able to remember words used in certain contexts, they are definitely not hard to guess. But they are not really designed to be hard-to-guess. They aren't (supposed to be) used by some mystical system to identify/authenticate believers. They are supposed to have meaning. Lots of meaning. Deep, important meaning. Meaning that helps the believer to find his or her own way into the system of belief -- although not entirely unguided.
Kind of like how the password to the boys' clubhouse being "Girls have cooties!" would self-identify boys to a certain extent, but later lead them (through reverse psychology) to a greater truth.
The password you use to log in to your computer should have just enough meaning to allow you to remember it, and not enough meaning for someone else to guess it. Plus-or-minus a bit, depending on whether you want your spouse/partner/sibling/co-worker to be able to remember it, too, and so forth.
Many banks are resorting to one-time passwords, either on a printed list or in a little device that looks a little bit like a cheap calculator and generates the next code from a secret it shares with the bank. These are almost useful. Except that the user doesn't have a lot of choice.
A one-time password list (people often call it a "one-time pad", though strictly that name belongs to the cipher key; the principle of using each secret exactly once is the same) is a list, like on a pad of paper, of a lot of hard passwords, and the user is supposed to know which to use when. Maybe you cross out the ones you've used in the past and always use the next one. The bank also has a copy, and crosses the used passwords out on its copy, too. The crossing-out is the whole point: a password that has been seen on the wire once must never work again, or someone who watched it go by can replay it.
If I could generate my own list and give it to the bank, that could be very good.
The current state of the art, however, is to depend on the (third-party) token manufacturer to produce said lists or the shared secrets inside the devices. I do not like bringing third parties into the transaction.
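The pad-and-crossing-out scheme described above, including the "generate my own list and give it to the bank" variant, as an added example (it is not code from the post, and it is not how any particular bank does it). Assumptions of mine: the customer hands the bank only SHA-256 digests of the codes, so the bank never holds the plaintext list; the bank accepts a code only at or after its "next unused" cursor, so a replayed code is rejected; and a small `window` lets the customer skip a few lines (torn out, smudged) without being locked out, with every skipped line crossed out as well.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O and 1/I so a code written on paper is hard to misread.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def digest(code: str) -> str:
    return hashlib.sha256(code.encode("ascii")).hexdigest()


class PasswordList:
    """The customer's side: a numbered list of one-time passwords, generated locally
    with the OS CSPRNG. The bank gets digests; the plaintext stays on the pad."""

    def __init__(self, count: int = 50, length: int = 10):
        self.codes = ["".join(secrets.choice(ALPHABET) for _ in range(length))
                      for _ in range(count)]
        self.next_index = 0  # the next line not yet crossed out

    def digests(self) -> list:
        """What is handed to the bank at enrolment, in list order."""
        return [digest(c) for c in self.codes]

    def next_code(self) -> str:
        """Cross out the next unused line and return it."""
        if self.next_index >= len(self.codes):
            raise RuntimeError("pad exhausted; enrol a new list")
        code = self.codes[self.next_index]
        self.next_index += 1
        return code


class BankVerifier:
    """The bank's side: the digests, plus a cursor marking the first line not yet used."""

    def __init__(self, digests: list, window: int = 0):
        self.digests = list(digests)
        self.next_index = 0
        self.window = window  # how many lines the customer may have skipped

    def verify(self, code: str) -> bool:
        """True once, and only once, for each code at or after the cursor.

        Anything before the cursor has already been used (or skipped), so a captured
        code replayed later is refused. On success the cursor moves past the matched
        line, crossing out that line and any lines that were skipped to reach it.
        """
        h = digest(code)
        last = min(self.next_index + self.window + 1, len(self.digests))
        for i in range(self.next_index, last):
            if hmac.compare_digest(h, self.digests[i]):
                self.next_index = i + 1
                return True
        return False

    def remaining(self) -> int:
        return len(self.digests) - self.next_index


if __name__ == "__main__":
    pad = PasswordList(count=5, length=8)
    bank = BankVerifier(pad.digests(), window=2)
    first = pad.next_code()
    print("first use:", bank.verify(first))      # True
    print("replayed:", bank.verify(first))       # False
    print("lines left at bank:", bank.remaining())
```

A `window` of 0 is the strict "always the next one" rule from the post; a nonzero window trades a little guessing resistance (the attacker gets `window + 1` targets per try instead of one) for tolerance of a lost line, and the bank should still rate-limit failures exactly as it would for a PIN.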
Anyway. Back to the title of this rant that went too far afield --
I want to be able to log in from the keyboard via a short password, kind of like the gesture you use on some smartphones.
And when I plug my phone into some sort of network for some maintenance, I want to have a more difficult password for it, or maybe some automated key token exchange.
In the one case, I'm just a phone user.
In the other, I'm an administrator.
Different roles. Different stuff going on. Different ways to log in.
With the phone, this could be done with basic user ids and passwords, to a certain extent.
Yes, my phone runs whatever they call the LIMO distribution of Linux now. I'm not motivated enough to get in, so the things they do to discourage me from getting in so far have kept me out. That's not quite fighting fair with the GPL.
When my desktop PC screen saver locks the screen, I don't want to use the password I use on the Internet.
Slightly different roles, different login, is what I want.
I should get motivated enough to start working out a way to do that, to set up multiple ways to log in to Linux, depending on the device or access path I'm using to log in.
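On a stock Linux box most of this already exists: every way in (console login, sshd, the screen locker) has its own service file under /etc/pam.d/, and sshd has its own idea of which authentication methods it will even offer. The fragments below are an added example of wiring the two roles from the post to two access paths; they are not the author's configuration and not any distribution's defaults. Assumptions: an OpenSSH new enough for `AuthenticationMethods` (6.2 or later), a Linux-PAM with `pam_unix` and `pam_access`, an account named `admin` for the administrator role, and that the user is happy to have the two roles be two accounts, since `pam_unix` cannot give one account a short password for the console and a different one for the network.

```text
# /etc/ssh/sshd_config
# The "administrator" path: automated key exchange, no password prompt at all.
# KbdInteractiveAuthentication is the newer name for ChallengeResponseAuthentication;
# both must be off or a password can still arrive through the PAM auth stack.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
# PAM still runs the account and session stacks for a key login.
UsePAM yes

# /etc/pam.d/sshd
# With passwords off above, the auth stack is never consulted for a key login;
# the account stack is, so that is where the network path is narrowed to one role.
account  required  pam_access.so accessfile=/etc/security/access-sshd.conf
account  required  pam_unix.so
session  required  pam_unix.so

# /etc/security/access-sshd.conf  (permission : users : origins)
# Only the administrator account may come in over the network.
+ : admin : ALL
- : ALL   : ALL

# /etc/pam.d/login
# The "phone user" path: the short local password, checked by pam_unix,
# with no key or second factor required at the keyboard.
auth     required  pam_unix.so
account  required  pam_unix.so
session  required  pam_unix.so
```

Two caveats a practitioner would check before copying this. Debian-style layouts build these service files from `@include common-auth` and friends, so the lines above replace those includes rather than sitting beside them, and the real files carry a few more modules (pam_env, pam_loginuid, limits) that were trimmed here. And the screen locker the post mentions has its own service file under /etc/pam.d/, so the same trick, a different stack for a different path, applies there too; it is the one-password-per-account model of `pam_unix`, not PAM itself, that stops one account from having a "short" and a "long" password.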