The need for semi login for websites
Posted on | November 28, 2009 | 3 Comments
My Gmail ID was hacked. Most probably it was at the cyber cafe where I had gone for surfing the internet. Some prankster might have installed a keylogger or something. Thankfully, the email ID I used at the cafe was not important. But the issue of security made me ponder for a solution for such situations where we are forced to rely on others to secure their computers and networks.
The only thing I could think of is semi login: a provision for logging in with limited powers and access, similar to Linux computers, where we are encouraged not to log in with full administrative powers. But instead of having a different username, we could have only a different password. The password entered in the password box should decide whether the user wants to log in using full login or semi login. This spares users the hassle of remembering many usernames.
For example, suppose “xyz@gmail.com” has the main password “qwerty” and the semi login password “asdf”. When logging in to the service, if the user enters the username “xyz@gmail.com” and the password “asdf”, then the service provider must know that the user wants to log in using semi-login. Alternatively, we can provide an option button that the user can select if he wants to use the semi-login functionality, so that the service provider is notified about it.
Consider a Gmail account. Google has conquered our online world. It is the login for our email, AdWords, AdSense and shopping account, and is also used as a username for third party services like PayPal, etc.
If for some reason the Gmail account has been compromised, then all the other accounts are also in peril. All this could happen just because we wanted to check a friend’s email forward or a newsletter.
The solution is having something like semi-login. When logged in using semi-login, we must only have access to the emails the user has pre-selected, while in full login, to be visible in semi login. That is, the user can decide which emails and which senders’ emails can be accessed in semi-login. The user can easily make the “funny” mails, mail forwards and newsletters, i.e. the unimportant stuff, accessible via semi-login. He cannot access other mails or change any account information.
The user can decide which things can be accessed and modified when in semi login: which mails he wants to access and which mails he can reply to.
Also, in AdSense or PayPal we can use semi-login to check today’s earnings and nothing else. No inside data like channels, previous earnings, etc., and no account access; only the figure that lets the user know how much he has earned today.
Even if the semi login password is compromised, the hacker can only access the unimportant mails. The advantage of the semi-login password is that the user can use the same password for semi-login on all his online accounts, as it won’t make much difference in the event that this password becomes known to someone else. As his main passwords will be different from the semi login password, as well as from each other, the hacker cannot cause any damage.
For example, suppose the main password for “xyz@gmail.com” is “qwerty” and for “xyz@hotmail.com” is “zxcvbn”; then we can use the semi login password “asdfg” for both accounts.
However, online services must enforce policies to safeguard the main password, such as not allowing the semi login password to be a substring of the main password, etc.
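As an added illustration (not code from the post), here is how a service could implement the semi-login scheme described above: the single password box selects the session scope, the substring rule is enforced when the account is set up, and a semi-login session only exposes mail from senders the user has allow-listed. The names Account, create_account, login, policy_allows and visible_mail are my own choices; the passwords and mailbox are constructed sample data.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Account:
    user: str
    salt: bytes
    full_hash: bytes          # hash of the main password
    semi_hash: bytes          # hash of the semi-login password
    semi_senders: set = field(default_factory=set)  # senders readable in semi login


def _derive(password: str, salt: bytes) -> bytes:
    # One PBKDF2 derivation per login attempt; the same salt serves both
    # hashes so a single derivation can be compared against each of them.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def policy_allows(full_pw: str, semi_pw: str) -> bool:
    """The post's rule: the semi password must not be a substring of the main one
    (nor the reverse, which would let the short password leak the long one)."""
    return semi_pw not in full_pw and full_pw not in semi_pw


def create_account(user: str, full_pw: str, semi_pw: str, semi_senders=()) -> Account:
    if not policy_allows(full_pw, semi_pw):
        raise ValueError("semi-login password must not be a substring of the main password")
    salt = os.urandom(16)
    return Account(user, salt, _derive(full_pw, salt), _derive(semi_pw, salt), set(semi_senders))


def login(acct: Account, password: str):
    """Return the scope the typed password unlocks: 'full', 'semi' or None."""
    candidate = _derive(password, acct.salt)
    if hmac.compare_digest(candidate, acct.full_hash):
        return "full"
    if hmac.compare_digest(candidate, acct.semi_hash):
        return "semi"
    return None


def visible_mail(acct: Account, scope, mailbox):
    """Full login sees everything; semi login sees only allow-listed senders."""
    if scope == "full":
        return list(mailbox)
    if scope == "semi":
        return [m for m in mailbox if m["from"] in acct.semi_senders]
    return []
```

Note that both hashes are compared on every attempt, so a brute-force attacker gets two targets per guess; the usual rate limiting on failed logins matters at least as much here as in a single-password scheme.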
Edit: Unimportant mails would include newsletters, etc. You can also mark any email you receive as unimportant. Also, you can filter incoming mails from friends who send email forwards, etc. Of course, the obvious problem is: what if that friend sends an important email? However, most people usually have different email accounts for sending and receiving important emails and for leisure purposes like sending forwards.
3 Responses to “The need for semi login for websites”
November 29th, 2009 @ 6:20 am
I think you’re seeing the problem the wrong way. What would determine which mails are unimportant?
A much better approach would be the implementation of a simple variant of One-Time-Passwords (OTP, http://en.wikipedia.org/wiki/One-time_password) by Google. You’d generate and print out a list of passwords (one-time-passwords) that you’d carry around with you.
When you need to access, for instance, Gmail from an insecure location, you’d select OTP mode and use the first password on the list. You’d do your stuff, then logout. That password is not valid anymore, the next time you’d use the second password on the list, and so on until you’d run out of passwords (requiring you to generate a new OTP list).
This would render any keylogger useless.
Regards,
João.
November 29th, 2009 @ 10:18 am
This would be a great option. But, unfortunately, most people have more than one account. Many have accounts with different service providers, and maintaining OTPs will be a bit cumbersome.
Unimportant mails would include newsletters, etc. You can also mark any email you receive as unimportant. Also, you can filter incoming mails from friends who send email forwards, etc. Of course, the obvious problem is: what if that friend sends an important email? However, most people usually have different email accounts for sending and receiving important emails and for leisure purposes like sending forwards.
Also, many people suffer from G.A.S.S. – Google AdSense Stats Syndrome, i.e. checking one’s stats every few minutes. As I have mentioned in the blog post above, semi-login will help these people in safely viewing their stats.
December 20th, 2009 @ 2:41 am
Hi Arun – a very nice and elegant idea. I hope Google, Hotmail, Yahoo and others implement it. It’d be trivial for them to implement AND extremely useful for us.
/SD