Looking for data to refute crazy client


Looking for data to refute crazy client

by Matthew Green-9

Hello,

Someone I work for has a strange enhancement request which I do not agree
with, but this person is the boss. I think in my gut, this is wrong.

*website:* a user management system for secure student data. Clients are a
little paranoid about passwords and user names getting out.

*behavior:* when you select a user and want to reset his or her password,
the resulting screen shows the user name, but then blanks out the password
which you can only see by printing the page.

Blanking out the password seems silly since you can still see it if you
print it out. Do people agree this is poor functionality? If so, is there
any evidence to support my feeling that this is a bad idea?

Thanks,

Matthew
________________________________________________________________
Welcome to the Interaction Design Association (IxDA)!
To post to this list ....... discuss@...
Unsubscribe ................ http://www.ixda.org/unsubscribe
List Guidelines ............ http://www.ixda.org/guidelines
List Help .................. http://www.ixda.org/help

Re: Looking for data to refute crazy client

by Joshua Muskovitz

The system should programmatically choose a new temporary password and
should send it to the user, with a note reminding them to change it
immediately. The administrators should not have direct access to the
temporary or user-selected passwords.

Functions that the administrators are able to perform on behalf of
users should be done via their own login credentials, so the actions
can be distinguished from the user's.


. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Posted from the new ixda.org
http://www.ixda.org/discuss?post=43289



Re: Looking for data to refute crazy client

by Oliver Reichenstein

Printing out a password is the most absurd security measure for
password protection--unless you have the power to force the user to
chew and swallow the paper sheet... ;-)



Re: Looking for data to refute crazy client

by Niklas Mortensen

I wholeheartedly agree with Joshua. His approach is ultimately best
for the users and also saves lots of admin resources ("cold hard
cash" in client-speak).



Re: Looking for data to refute crazy client

by nils.clark-bernhard

I wouldn't even store plain text passwords in the DB, normally they
are md5-encrypted so nobody can read them.

They should never be shown, printed or emailed plaintext to anybody,
not even to the administrator.

If the student data need to be secure, make them secure.
Joshua is definitely right. If someone forgot his password, let the
system create a new temporary one-time-login password and send it to
the email address the user registered with. Afterward, force the user
to type in a new password, so that he can remember it.


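The reset flow that Joshua and Nils describe, written out as an added example in Python (this is not code from the thread or from any system mentioned in it): the admin triggers the reset, the system generates a temporary password and sends it to the user's registered address, the admin never sees it, the temporary password is single-use and expires, and the audit record names the admin who acted. The in-memory user store, the `outbox` list standing in for an e-mail sender, the 24-hour TTL and all user, admin and address names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical policy values for this example.
TEMP_PASSWORD_TTL = timedelta(hours=24)
TEMP_ALPHABET = string.ascii_letters + string.digits


@dataclass
class User:
    username: str
    email: str
    # Only a digest of the temporary password is stored; the clear value
    # exists just long enough to be sent to the user.
    temp_hash: Optional[bytes] = None
    temp_expires: Optional[datetime] = None
    must_change_password: bool = False


def _digest(value: str) -> bytes:
    # The temporary password is 16 random alphanumerics (about 95 bits of
    # entropy), so a plain SHA-256 is adequate here. User-chosen passwords
    # are low-entropy and need a slow, salted KDF instead.
    return hashlib.sha256(value.encode("utf-8")).digest()


@dataclass
class ResetService:
    users: Dict[str, User]
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # constructed stand-in for e-mail
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def admin_reset(self, admin: str, username: str, now: datetime) -> None:
        """Admin triggers the reset. The secret goes to the user's address,
        never back to the admin's screen, and the audit row names the admin."""
        user = self.users[username]
        temp = "".join(secrets.choice(TEMP_ALPHABET) for _ in range(16))
        user.temp_hash = _digest(temp)
        user.temp_expires = now + TEMP_PASSWORD_TTL
        user.must_change_password = True
        self.outbox.append((user.email, f"Temporary password: {temp} (valid 24 hours, single use)"))
        # The audit record carries who did what to whom, not the secret itself.
        self.audit.append((now.isoformat(), admin, "password_reset", username))

    def login_with_temp(self, username: str, temp: str, now: datetime) -> str:
        """Returns 'rejected', 'expired' or 'must_change_password'."""
        user = self.users.get(username)
        if user is None or user.temp_hash is None or user.temp_expires is None:
            return "rejected"
        if now > user.temp_expires:
            self._clear_temp(user)
            return "expired"
        if not hmac.compare_digest(user.temp_hash, _digest(temp)):
            return "rejected"
        self._clear_temp(user)  # single use: invalidated after one success
        return "must_change_password"

    @staticmethod
    def _clear_temp(user: User) -> None:
        user.temp_hash = None
        user.temp_expires = None


def demo() -> dict:
    """Walk the flow once with constructed data and report what happened."""
    now = datetime(2009, 7, 1, 9, 0)
    svc = ResetService(users={"jdoe": User("jdoe", "jdoe@example.edu")})
    svc.admin_reset(admin="registrar1", username="jdoe", now=now)
    # Read the temporary password from the constructed outbox, as the user would from mail.
    recipient, body = svc.outbox[-1]
    temp = body.split()[2]
    first = svc.login_with_temp("jdoe", temp, now + timedelta(hours=1))
    second = svc.login_with_temp("jdoe", temp, now + timedelta(hours=2))  # replay fails
    return {"recipient": recipient, "first": first, "second": second, "audit": svc.audit}


def demo_expired() -> str:
    """Same flow, but the user waits past the TTL before logging in."""
    now = datetime(2009, 7, 1, 9, 0)
    svc = ResetService(users={"jdoe": User("jdoe", "jdoe@example.edu")})
    svc.admin_reset("registrar1", "jdoe", now)
    temp = svc.outbox[-1][1].split()[2]
    return svc.login_with_temp("jdoe", temp, now + TEMP_PASSWORD_TTL + timedelta(minutes=1))


if __name__ == "__main__":
    print(demo())
    print(demo_expired())
```

The part that answers the original question is what the admin's screen can show: nothing, because the service never holds the clear temporary password after it has been queued for delivery, so there is nothing to blank out or print.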

Re: Looking for data to refute crazy client

by Brian Durkin

I have to agree with Nils on this one. I used to work at a college as
well and rules are changing and continue to as far as how things get
stored but the most important information like SS# and personal
password should never be even stored in a db without encryption. It
isn't even about identity theft either, you would be surprised how
many 18 year old ex-girlfriends try to drop boyfriends from classes
without them knowing or the guy who really wants that girl's phone
number to any number of countless scenarios. Colleges see it all when
it comes to that stuff yet many of them seem to have some really old
systems that have little to no protection run by system admins that
have started programming on punch cards and think the system works
just fine.

-Brian



Re: Looking for data to refute crazy client

by Rajesh Sundaram

Unless the password is printed out on a pre-sealed, 1+1 copy paper (the kind
of post-card like paper that most credit card companies use to send you the
passwords), it is totally non-secure.

- Rajesh



On Wed, Jul 1, 2009 at 4:44 AM, Oliver Reichenstein <olo@...> wrote:

> Printing out a password is the most absurd security measure for
> password protection--unless you have the power to force the user to
> chew and swallow the paper sheet... ;-)

Re: Looking for data to refute crazy client

by live-7

Totally and completely absurd.
Print? A password?
I'm laughing at the thought.


On Jun 30, 2009, at 9:47 AM, Matthew Green wrote:

> Hello,
>
> Someone I work for has a strange enhancement request which I do not agree
> with, but this person is the boss. I think in my gut, this is wrong.
>
> *website:* a user management system for secure student data. Clients are a
> little paranoid about passwords and user names getting out.
>
> *behavior:* when you select a user and want to reset his or her password,
> the resulting screen shows the user name, but then blanks out the password
> which you can only see by printing the page.
>
> Blanking out the password seems silly since you can still see it if you
> print it out. Do people agree this is poor functionality? If so, is there
> any evidence to support my feeling that this is a bad idea?
>
> Thanks,
>
> Matthew

FW: Looking for data to refute crazy client

by Gregor Kiddie

Having been a student... and more recently worked in a university, I
know where what sounds like a crazy requirement is coming from.

As far as the university department is concerned, the user doesn't exist
at all, on their system until an admin user creates them (using the year
/ class roll). No email, no system access, nothing.

Now, how do you get the generated email from the system to the student
so they can log in and then change the generated password? You print out
all the users and passwords and hand them out during the first lab. (Not
a joke, this is exactly how Stirling University does it.)

Security is usually handled by showing a matric card to the supervisor
to get the correct bit of paper.

Anyone who knows undergrads is fully aware that this is the only system
which can work with any degree of success... It goes against many
principles, but is pragmatically sound.

[Edit : And maybe one day I'll remember to hit reply all! Sorry Nils]

Gk.

Gregor Kiddie
Senior Developer
INPS


Re: FW: Looking for data to refute crazy client

by Nasir Barday-6

There really should be a standardized way to handle the whole password
problem. Websites all seem to have their own ways of solving it, from fancy
ways to keep you logged in (or boot you out), to locking your account, to
requiring sometimes absurd password strength.

Of course, the contexts are always different, but it would be nice if we had
a place where these types of functionality were documented, so we can pick
and choose from them depending on the security needs. Perhaps a good one to
add for the next edition of "(Interaction) Design Patterns?"

Sooo looking forward to the day when we have an elegant answer to the login
process.

- Nasir

Re: FW: Looking for data to refute crazy client

by Nasir Barday-6

You asked for cold, hard research. This is the closest I could come:
http://is.gd/1jSh1

Only $749! Right. But if your client (or one of your partners) has access to
Forrester, you could get in on this.

- N

Re: Looking for data to refute crazy client

by jonathan berger

This is a TERRIBLE idea. A mildly sophisticated user—say, someone who
knows how to plug in a printer, or use the "print preview"—can wreak
havoc.

There's some great security stuff at Schneier's blog:
http://www.schneier.com/blog/

On Tue, Jun 30, 2009 at 5:47 AM, Matthew Green<dcartfiend@...> wrote:

> Hello,
>
> Someone I work for has a strange enhancement request which I do not agree
> with, but this person is the boss. I think in my gut, this is wrong.
>
> *website:* a user management system for secure student data. Clients are a
> little paranoid about passwords and user names getting out.
>
> *behavior:* when you select a user and want to reset his or her password,
> the resulting screen shows the user name, but then blanks out the password
> which you can only see by printing the page.
>
> Blanking out the password seems silly since you can still see it if you
> print it out. Do people agree this is poor functionality? If so, is there
> any evidence to support my feeling that this is a bad idea?
>
> Thanks,
>
> Matthew



--
_________________________

http://www.marketpublique.com
http://www.jonathanpberger.com
718.930.2165
This email is:     [*] bloggable     [ ] ask first       [ ] private

Re: Looking for data to refute crazy client

by Benjamin Ho

My 2 cents:

Matthew wrote:
 website:  a user management system for secure student data. Clients
are a little paranoid about passwords and user names getting out.
***

If that's the case, make sure the site has the best security.
Masking passwords or making them viewable only by printing won't
solve the security issue if it has poorly coded security.


Matthew wrote:
behavior: when you select a user and want to reset his or her
password, the resulting screen shows the user name, but then blanks
out the password which you can only see by printing the page.

Blanking out the password seems silly since you can still see it if
you print it out. Do people agree this is poor functionality? If so,
is there any evidence to support my feeling that this is a bad idea?
***

Ask the question back - so if someone loses their password, a piece
of paper must be used each time?  How many times does a student lose
their password?  It can get really costly if the password requires
more than eight characters, a number or symbol, or some other
constrained criteria.  Users won't remember it no matter what.

Best thing to do is to make sure your solution fits with their
policy.  The actual behavior can be changed according to the policy.
There's more than 1 way to...[fill in the blank]





Re: Looking for data to refute crazy client

by Mike B.-6

It sounds like a student comes to a customer-service type person and
asks to have their password reset, and they are handed a print-out of
the new password.

In general, I think you are right, users expect that what is printed
is what is shown on the screen. That's why lots of websites have a
link to a printable version, instead of a link that says "print".
It's technically simple to add a printer-friendly print stylesheet,
but users will avoid printing because they expect the screen version
to come out. So you show them the printer-friendly version first,
then have them print.

One suggestion:

1. Admin clicks "Reset password"
2. The next screen says "OK, the password has been reset for John
Doe. Now print the confirmation page for the user. [Button: Print
user confirmation page]"
3. Admin clicks the button, admin clicks print on the print dialog,
hands confirmation to the student.

But more importantly, the client is handing you an interaction design
spec, so it sounds like the client doesn't think of you as an
interaction designer, and maybe doesn't even know what they do. That
means your options are pretty limited -- they probably think
alternate designs or usability testing are a waste of time, and won't
acknowledge the validity of any studies you give them.



Re: Looking for data to refute crazy client

by William Brall

FYI md5 is totally cracked. It can be broken in a matter of seconds
these days. Try other forms of 1 way encryption. Salt heavily. If you
are really paranoid, encrypt twice in two different ways.

But a good strong atypical one way encryption should be good enough.
Even md5 should be enough if you code defensively and mitigate SQL
injection vulnerabilities.

Be careful. Many forms of encryption do NOT produce the same value
each time. (Why is a topic of great length) So don't use any old
form of encryption without research.

As for your boss. He is not a security specialist, clearly, and his
ideas are the very reason that security specialists have to exist.
Security isn't always intuitive. Let him know that what he would
like you to do is malpractice. That doing so, and the discovery of
said actions after mass identity theft as a result of it, would
subject you, and him, to legal ramifications. The kind that cost your
company, and indeed potentially yourselves MASSIVE financial damages.

Not to mention it being a potential career ender.


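An added example in Python (not code from the thread) for the point William raises against the "md5-encrypted" storage Nils mentioned: unsalted MD5 turns the same password into the same record for every user who picks it, so a leaked table exposes shared and common passwords at a glance, whereas a salted, slow hash such as PBKDF2-HMAC-SHA256 produces a different record every time and still verifies. That difference is also the benign case of William's warning that some schemes "do NOT produce the same value each time": here it is by design, because the salt is stored beside the digest and reused at verification. The iteration count, the record format and the sample password are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Assumed work factor for this example. The count is stored with each record,
# so it can be raised later without invalidating existing records.
PBKDF2_ITERATIONS = 600_000


def md5_unsalted(password: str) -> str:
    """The 'md5-encrypted' scheme from the thread: one fixed digest per password,
    no salt, and fast enough to brute-force or look up in a precomputed table."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow, one-way. A fresh 16-byte salt per record means two users
    with the same password get unrelated digests."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Self-describing record: algorithm, iterations, salt, digest (format is an assumption).
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, e.g. a legacy unsalted value
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def duplicates_visible(scheme: Callable[[str], str], password: str = "Summer2009") -> bool:
    """Store the same (constructed) password for two users and report whether the
    two records are identical, i.e. whether the table reveals shared passwords."""
    record_a = scheme(password)
    record_b = scheme(password)
    return record_a == record_b


if __name__ == "__main__":
    print("md5 records identical:   ", duplicates_visible(md5_unsalted))
    print("pbkdf2 records identical:", duplicates_visible(hash_password))
    rec = hash_password("Summer2009")
    print("verify correct:", verify_password("Summer2009", rec))
    print("verify wrong:  ", verify_password("Winter2009", rec))
```

The defensive check to run on an existing database is the first one: if any two rows share a password hash, the scheme is unsalted and needs migrating, regardless of whether it is MD5 or something newer.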

Re: Looking for data to refute crazy client

by Scott McDaniel-2

William's response made me think: it might be worth seeing if you
could budget a few hours from a security specialist to give a
professional opinion. Even if your boss still regards it as "just,
like, your opinion, man", it may be an angle to get a viewpoint from
someone he/she will see as an Authority, as frustrating as it may be
to be disregarded as "just UX" and to have to pull in an outside
source to validate what seems like common sense.

On Thu, Jul 2, 2009 at 5:44 PM, William Brall <dampee@...> wrote:

> FYI md5 is totally cracked. It can be broken in a matter of seconds
> these days. Try other forms of 1 way encryption. Salt heavily. If you
> are really paranoid, encrypt twice in two different ways.
>
> But a good strong atypical one way encryption should be good enough.
> Even md5 should be enough if you code defensively and mitigate SQL
> injection vulnerabilities.
>
> Be careful. Many forms of encryption do NOT produce the same value
> each time. (Why is a topic of great length) So don't use any old
> form of encryption without research.
>
> As for your boss. He is not a security specialist, clearly, and his
> ideas are the very reason that security specialists have to exist.
> Security isn't always intuitive. Let him know that what he would
> like you to do is malpractice. That doing so, and the discovery of
> said actions after mass identity theft as a result of it, would
> subject you, and him, to legal ramifications. The kind that cost your
> company, and indeed potentially yourselves MASSIVE financial damages.
>
> Not to mention it being a potential career ender.