There seems to be an arms race of sorts between myself and a good number of “security experts” at various sites i frequent. It all revolves around my account information.
You see, i trust that the info on my computer, sitting behind several layers of encryption, is actually far more secure than their site. Why do i assume that? Because i know exactly what sort of security i have in place, whereas i have less knowledge about theirs. i’m willing to believe that the opposite is also quite true and that the administrators of those remote sites believe their site to be far more secure than mine.
The administrators, however, have deemed it necessary to require me to enter my password in, by hand, every time i access their site. Now, since each of these sites required various levels of “added security” involving me typing in a password with both upper and lower case letters, a number, one or more non-alphanumeric characters, plus one or more characters from the original transcript of the Chronicles of Gilgamesh (mac users, please use Ancient Sanskrit), i’m far more likely to record said password somewhere other than my memory. This is where things like Firefox’s auto-complete function are a wondrous blessing since it ensures that those passwords are encrypted and stored on my equally wonderfully encrypted truecrypt drive where any accidentally acquired keylogger is far less likely to get access to them.
The remote site administrators, however, seem to feel otherwise. At first, they simply turned autocomplete off for passwords. A quick greasemonkey script fixed that. Then, they escalated and added calls to the form and page to turn off autocomplete as well. Again, minor issue, and a quick fix to the script was all i needed. That’s when they suddenly went hardball. In the past few months i’ve seen the following:
1) A script that waits half a second after the page finishes loading, then clears the user name and password fields.
2) A drop-down username selection box that obscures all but the last three letters of the previous login entry, which kinda screws up the auto-fill since it’s missing half of the index it uses to figure out what password to fill in.
3) A script that actually removes the password box entirely, replacing it with a Div that accepts keystrokes and inserts “*”.
4) After the page loaded, a rabid monkey was teleported directly to my keyboard and the only way to abate his foaming, disease-filled hurled poo was to use a command word based on my account name and date of joining.
Ok, not so much that last one, but the other three definitely.
i’m honestly not sure i really understand this. i mean, yeah, i can imagine that some idiot logs in to a computer set up on some random Anacostia street corner and doesn’t think to flush his cookies or clear his browser’s cache, but frankly, if THAT was the case, i’d hazard that there are about 80 other issues that this theater wouldn’t actually address (like the fact that the computer is made of cardboard and consists of a guy making “beep-boop” noises when you press the “keys”).
As it is now, i either figure out ways to work around this, wonder why the hell i’m working around this, or open up access to my stored, encrypted password file so that i can remember whether or not i had to add ༼ or ༽ to the password.
Personally, i’d love to find out where these guys live, and go change the locks on their houses. i’d even leave them a nice little map indicating the lat/long of the location of their new keys, and maybe warn them about the bears in the area.
You know, for added security.