WRITTEN ON September 4th, 2007 BY Ruth Kennedy AND STORED IN Foundation of Trust, Identity, What do we want?, Wibbipedia/MindtheGap
Why do you need to give your postcode if you want to buy a £10 freeview/digi box from Tesco?
Why is it impossible to register for a municipal swimming pool discount card in Southwark without giving your date of birth?
And now that I have clearly completely lost my mental faculties… Which is the least worst course of action when your brain has run out of room to remember passwords and associate them correctly with the appropriate user name: to re-use the same passwords to access multiple web-services, or have sufficient unique passwords written down somewhere?
Come on ninjas, help me out
6 Responses to “Ideal Gov-ipedia Qs”
Shops are required by law (probably in the Communications Act 2003 somewhere) to request a name and postcode from anyone buying equipment capable of receiving a broadcast signal. This is then passed on to Capita and, if the details do not match their TV Licence database, initiates a never-ending series of faintly threatening letters.
I do not think any retailer checks whether the postcode belongs to the buyer, and I suspect that 10 Downing Street (SW1A 2AJ), Broadcasting House (W1 1AA) and Television Centre (W12 7RJ) have an awful lot of registered televisions!
As well as using Password Safe for those sites where *I* care about the security, I use the same username/password on sites where there is no consequence if the security is compromised. For sites with over-intrusive registration or that I only want to use once, I head over to www dot bugmenot dot com to borrow an existing registration.
Question 1 – TV licensing absurdities.
Question 2 – lack of more than a millisecond of consideration of data protection law by the system designers.
Question 3 – use InfoCards in Vista and various open source implementations for other browers ๐
I’m intrigued by the use of online safe-type applications. However, *my* worry about passwords is that these are also increasingly being used for telephone banking and the like. For example, I have to have two separate passwords for my main current/checking account. Telephone banking requires numerics only and also increasingly the asking of a personal question. Of course the temptation (and my personal failure) is to use the same passwords whereever possible.
So please … any broader look at the best way to record and therefore remember passwords.
The real answer to online banking security is to make use of the serious authentication hardware the banks have already created in chip and PIN.
William writes –
The first two are examples of breaches of what we called the principle of maximal anonymity (Caspar Bowden’s idea, as I recall) in our 1999 Better Information-age Government pamphlet “I am not a number”.
On the last point I agree with Marek and bds, I use Passwordsafe, following the advice of a Ross Anderson piece about what sorts of passwords are easy to remember and what sort are easy to crack.
Questions 1 and 2 are unfathomable and unanswerable.
Question 3 is easy.
Password Safe [ passwordsafe dot sourceforge dot net – since your comments don’t seem to like URLs]
Open source, originally from Bruce Schneier (though he is no longer involved), breathtakingly simple. It’s a secure database which holds usernames and passwords, will happily generate random hard to crack passwords on the fly, will cut and paste to wherever you need them, and tidy up securely after itself – and can be carried around on a memory stick if you want to use it on more than one machine. All you ever need to remember is the single password to get into the database in the first place. Though if you can’t remember that you are *really* stuck.