Password : a simple solution to a hard problem (opens in new tab)

(loy22.blogspot.com)

1 pointsloy2215y ago2 comments

2 comments

2 comments · 1 top-level

ynoclo15y ago· 1 in thread

This could work if you are always forced to enter the full password to start a login session. The "PIN" password's hash could be generated at that point and held in protected memory (e.g. by a root process); it would go away on logout, as well as after some small number of failed attempts.

As to whether it's a good idea, that's debatable: if you want to solve the problem of being prompted for an admin password many times to perform tasks, a better answer might be to prompt once and get some sort of authorization ticket which allows the user to do a particular task without entering a password until the ticket expires.

loy22OP15y ago

Thanks for the feedback. Security and user experience is always a matter of balance. I was seduced by the idea of having a strong password, but I think the current implementations discourage it for a regular use. From what I understand the only alternative under Ubuntu is to disable the prompts altogether, which is really not recommandable. Windows 7 has a nice way to handle it, I wonder if it is secure enough.

j / k navigate · click thread line to collapse