Harry Potter and the Inadvisable Reliance on Passwords

August 3, 2013 at 8:02 pm (books, security) (, , )

From time to time, especially since my last HP post, I’ve wondered about the various approaches to access control that have appeared in the books, especially the instances where passwords are used.

The most, ahem, common one being entry to the various house common rooms.  One thing I’ve never understood is how the system of students knowing the right passwords for entry gets bootstapped?  She won’t let anyone in who doesn’t know the password – we see a number of instances where the Fat Lady doesn’t let someone through if they don’t know the password, the most graphic being Sirius Black’s attack in the Prisoner of Askaban.  But when she changes the password, who does she tell first?  And then how is the password propagated around the house students?

Assuming there is a hierachy of trust in place, maybe she tells Professor McGonagall as head of Gryfindor house, who tells the house prefects who tell the students.  But this passing on can only happen by somehow recognising the members of the house and telling them.  In which case, I’m sure the Fat Lady would be quite capable of remembering students too – so when Harry doesn’t know the password once (as he was late arriving at school), why doesn’t she let him in?  She must know who he is – at least to the same level of trust as any of the students.

In fact, we know that this recognition method can break down anyway – we have an example from The Chamber of Secrets, when Harry and Ron drink polyjuice potion and get into the Slytheryn common room by following Malfoy.

And then of course, it would be entirely possible that someone could slip someone some veritaserum and get the password from them that way.  The only defense in this case being its probably too complicated for students to make.  But has a student never managed it?  In the entire history of Hogwarts?

And there is a very good example, again back in the Prisoner of Askaban, where supposedly increased security practises actually lead to insecurity.  It would have been a much better trade off to just tell Sir Cadogan to just remember Neville’s face rather than have passwords changing every week (or was it every day?) and let Neville write them all down.  In fact, how did Neville pursuade Sir Cadogan to tell him all the passwords anyway, and if he was trusted enough to receive them all, then he could have just been let in on visual inspection only!

Another interesting example of the folly of passwords for entry is Dumbledore’s office.  One can only presume that there is a password to prevent him being bothered by students – it would appear that the staff all know the password.  However, seeing as they don’t seem to worry about saying the password out loud in the presence of students, one would expect that over time the password would become well known anyway.

But he does seem to change it, possibly every year, but again some basic social engineering research gives the clues – Harry realised that Dumbledore’s weakness is using passwords based on his love of sweets.  So knowing that Sherbert Lemon was one password allows Harry, in the Goblet of Fire I think it was, to brute force entrance by working through other sweets until he stumbles upon Cockroach Cluster as being the correct password.

Good job too really, otherwise this highlights the other general problem of hiding access to the headmaster behind a password – if something really serious happens, only the staff would be able to tell him.

And dispite all these precutions we know eventually Hogwards security is compromised by an insider opening an unknown and unexpected channel to an outside place by way of a vanishing cabinet.

No, with all the possibilities available to those in the wizarding world, it seems very, well, muggle-ish to fall back on the use of passwords so much.

But then maybe its possible to over-analyse things too much 🙂


Permalink Leave a Comment

Not so secret secret questions

November 19, 2012 at 7:44 pm (moan, security) (, , )

I’ve always been slightly annoyed with ‘secret questions’ that aren’t secret, and consequently have for ages always made up an answer and if its been for a website I’m going to want to use again (rather than one of of those annoying websites that force you to register just to become a one-off customer of theirs) will keep a record of my answer somewhere.

Well I had classic confirmation of what a waste of time such things can be today.  I had an online account with a large retailer that wanted to know my favourite colour.  So I found something suitably obscure – at the end of the day there are plenty to choose from!

Now I can understand why the use of a second shared ‘secret’ (as long as it really is a secret) might be useful in an online system where you need some kind of assurance that the remote person is who they say they are.  But in this case, my wife was in the store doing something and they needed the answer to the secret question.  Of course, she didn’t even know the question let alone my obscure answer.

Now normally, she would probably have rang me to see if I knew or could find out, but in this case the store assistent said ‘never mind, lets try some’ … and typed in ‘red’, ‘blue’, and so on.  Then he said, oh, I’m not sure what other colours to try … so he rang their main office and explained that a customer was in store wanting to change something, but couldn’t remember her secret question answer … and then they asked to talk to her and asked for some personal details (date of birth, address, that kind of thing) and then promptly told her the answer to the question!

So, first of all, for the in-store situation, it just shows that it was totally unecessary to need the secret question at all – she was there, with account numbers, physical artifacts, personal knowledge, a store loyalty card – they really didn’t need anything else to know who she was – as evidenced by the fact that they were quite happy with all this information in order to disclose the secret answer!

And secondly, if the secret question is to be of any use, then they really can’t just put customer service over security and give it out to anyone who happens to be in the store, confident, annoyed with their systems and who happens to be armed with enough of someone’s personal information to sound convincing!

So – in summary, security is fine, but not at the expense of customer usability.  However, if customer usability just blows holes an any security defenses, and no one seems to mind, then someone should really be asking some serious questions about the need for such security in the first place!  Also, while I’m at it, this also shows that something that can be secure enough in one context (e.g. online transactions) can be totally pointless in a different context (i.e. when the same system is used ‘in person’).

I suppose I also should point out that a security question that a huge majority will answer with, I assume, something like one of only twenty odd values is also a bit meaningless.  So in future, when asked for your favourite colour for a security question – I recommend getting a little more inventive. Just don’t forget to make a note of it somewhere!


Permalink Leave a Comment

Whats your royal wedding name then?

April 21, 2011 at 8:35 am (computers, internet, security) (, , )

Heard an odd thing on the radio this morning – people inventing their royal wedding name by starting with Lord/Lady, using a great-grandparents forename and then creating a double-barrelled surname by taking the street where you live and appending the name of your first pet.

I think they missed a trick here – they should have asked for your mother’s maiden name, the street where you were born and your first pet’s name.  That way you’d have the answers to three of the common ‘I’ve lost my password’, “security” questions …

In fact, why not write a Facebook or iPhone app that asks all these but also creates a “the first”, “the 2nd”, “the third”, etc hashed from your date of birth – then you’d get that too.

And while we’re at it, ask for Facebook credentials and post it to your wall (most people won’t know you don’t actually need to give a site your username and password for them to post to your wall, that Facebook provides federated identity services to third party sites).

Actually I’d be surprised if said app doesn’t already exist … let me know if you find it 🙂


Permalink 1 Comment

Get Safe Online week coming up …

November 12, 2010 at 5:32 pm (computers, internet, security) (, , , , )

Apparently it is going to be ‘Get Safe Online week’ next week.

Well, I’ve recently heard that something like three quarters of all cyber crime incidents – phishing, malware, ID theft, credit card scams, possibly even dodgy phone calls, and so on – could probably be stopped if people followed some basic ‘cyber hygiene’ rules such as can be found on sites like Get Safe Online – www.getsafeonline.org.

So, in the interests of doing my bit, I would strongly recommend having a browse through the site.  In fact, why not get ahead of the crowds and do it today!

Another good place to go for general information, especially about safe and sensible use of online social networks, is the Information Commissioner’s Office – see http://www.ico.gov.uk/youth.aspx.

Couple more resources to consider – Own Your Space – a free e-book download, and Facebook have a security page with useful info.


Permalink Leave a Comment