If you've used a computer then you've been prompted for a password. But have you ever noticed that sometimes you have to enter your password twice and other times you only enter it once. Have you ever wondered why that is? If you think about it logically it's pretty easy to figure out why, because if you enter the password twice you're less likely to make a mistake (i.e. fat finger your password). But if that's the case, then why not always require you to enter your password twice?
The answer has to do with how and when the password is authenticated. The rule is if your password is authenticated right here right now then you only prompt for the password once. If however your password is to be authenticated at a later time, then you should be required to enter your password twice. Let's look at some scenarios.
1. You're logging into your computer. You're password is authenticated immediately upon clicking "Login" so you should be prompted once. If you fat-finger your password, you'll be given an opportunity to reenter your password.
2. You're setting a new password on your computer. Even though you're entering your password now, it isn't authenticated until subsequent logins. So you should be promoted to enter your password twice, to help guard against fat-fingers.
3. Some software requires you to enter your password ahead of time, which it uses to later log you in. Again, since this happens later you should be required to enter it twice.
So that's the rule, but it doesn't mean software designers always follow it. I have seen programs that do not correctly follow the rules.
While on the subject of passwords, I wanted to share another interesting tidbit of info. Obviously passwords are encrypted for security reasons. When you set a new password, the password is encrypted and stored for later use. But I think a lot of people make assumptions about how subsequent logins work. They assume the encrypted password is decrypted then compared against the password entered by the person trying to login. This is completely wrong, in fact it's impossible to decrypt the password once it's been encrypted. So how is it you're able to login? Well the password entered by the person trying to login is encrypted, and then the two encrypted passwords are compared against each other. If they match, then the assumption is made that the two original passwords were the same. (And yes, it is an assumption. It is technically possible for the wrong password to work when logging you in. However, the possibility of that happening are so remote that it's never likely to happen.)
No comments:
Post a Comment