Tuesday, July 20, 2004
Why registration-sites suck
Wired News has a good piece on the backlash against the growing trend of news-sites requiring logins to read their articles, covering automated tools like the Mozilla bugmenot plugin that automatically spoofs your logins to 14,000+ sites.
The point that everyone seems to miss is that no one can possibly keep track of a thousand passwords for a thousand websites, which means that these sites undoubtedly contain recycled passwords (admonishments from security experts to never recycle a password are the infosec equivalent of telling people to "eat less and exercise more" -- simplistic doctrine that is vanishingly unlikely to be adhered to in the field).
The more you recycle a password, the higher the likelihood that you will use it in a sensitive context -- a bank site, a message board, an IM client, an auction site -- where someone might impersonate you or even commit identity theft crimes against you.
What's even worse is that while these news-sites are willing to spend the computational cycles necessary to receive your password, none that I've seen use SSL for their login, which means that the NYT and others demand that you send your password in the clear when you sit down at a WiFi cafe and want to read the paper. This is a potential disaster if that NYT password is also a sensitive one somewhere else: it's a case of really callous disregard for user privacy and security. Link
posted by Cory Doctorow at 03:19:18 AM