Harry Potter and the Inadvisable Reliance on Passwords

August 3, 2013 at 8:02 pm (books, security)

From time to time, especially since my last HP post, I’ve wondered about the various approaches to access control that have appeared in the books, especially the instances where passwords are used.

The most, ahem, common one being entry to the various house common rooms. One thing I’ve never understood is how the system of students knowing the right passwords for entry gets bootstrapped. She won’t let anyone in who doesn’t know the password – we see a number of instances where the Fat Lady doesn’t let someone through if they don’t know the password, the most graphic being Sirius Black’s attack in the Prisoner of Azkaban. But when she changes the password, who does she tell first? And then how is the password propagated around the house students?

Assuming there is a hierarchy of trust in place, maybe she tells Professor McGonagall as head of Gryffindor house, who tells the house prefects, who tell the students. But this passing on can only happen by somehow recognising the members of the house and telling them. In which case, I’m sure the Fat Lady would be quite capable of remembering students too – so when Harry doesn’t know the password once (as he was late arriving at school), why doesn’t she let him in? She must know who he is – at least to the same level of trust as any of the students.

In fact, we know that this recognition method can break down anyway – we have an example from The Chamber of Secrets, when Harry and Ron drink Polyjuice Potion and get into the Slytherin common room by following Malfoy.

And then of course, it would be entirely possible that someone could slip someone some Veritaserum and get the password from them that way. The only defence in this case being that it’s probably too complicated for students to make. But has a student never managed it? In the entire history of Hogwarts?

And there is a very good example, again back in the Prisoner of Azkaban, where supposedly increased security practices actually led to insecurity. It would have been a much better trade-off to just tell Sir Cadogan to remember Neville’s face rather than have passwords changing every week (or was it every day?) and let Neville write them all down. In fact, how did Neville persuade Sir Cadogan to tell him all the passwords anyway, and if he was trusted enough to receive them all, then he could have just been let in on visual inspection alone!

Another interesting example of the folly of passwords for entry is Dumbledore’s office. One can only presume that there is a password to prevent him being bothered by students – it would appear that the staff all know the password. However, seeing as they don’t seem to worry about saying the password out loud in the presence of students, one would expect that over time the password would become well known anyway.

But he does seem to change it, possibly every year, but again some basic social engineering research gives the clues – Harry realised that Dumbledore’s weakness is using passwords based on his love of sweets. So knowing that Sherbet Lemon was one password allows Harry, in the Goblet of Fire I think it was, to brute-force entrance by working through other sweets until he stumbles upon Cockroach Cluster as being the correct password.

Good job too, really; otherwise this highlights the other general problem of hiding access to the headmaster behind a password – if something really serious happens, only the staff would be able to tell him.

And despite all these precautions we know eventually Hogwarts security is compromised by an insider opening an unknown and unexpected channel to an outside place by way of a vanishing cabinet.

No, with all the possibilities available to those in the wizarding world, it seems very, well, muggle-ish to fall back on the use of passwords so much.

But then maybe it’s possible to over-analyse things too much 🙂

Kevin.
