Security through obscurity

September 30, 2015

For my next web site, I intend to try something extraordinary special plain weird. I will go down the security-through-obscurity approach to user accounts and logins.

It’s an idea I have had for a while, and I’m sure that it’s been implemented elsewhere in various shapes and forms, but I figured that I will give it a go. And I’m only considering it because the web site I’m thinking of building will not hold any mission-critical, sensitive or otherwise volatile information.

The idea is simply this: Abandon logins and use a unique id/hash/token/whatever-you-want-to-call it. So basically, you go to the website and say “Hey, I want to create an account, here’s my e-mail address!”.

What the website will reply is simply:

Hello user@example.com

We have created an account for you. Go here to start using our service:

http://randomcodemeyerservice.com/223bf8191b494266bdb912d6b292fbee

Yes, the only thing you need to login is the URL. Make sure to bookmark it so that you don’t forget it. And in case you forget it, the service will have e-mailed it to you.

The advantages? No need to login, just visit the site and start using the service. No need to remember passwords. Just visit the URL and you’re off!

The disadvantages? Others can guess the URL and “hack” you. But they are unlikely to succeed for a good while. And if they do, it’s just non-mission-critical, non-sensitive, non-volatile data that they get a hold of anyway. In my case, I imagine something like an RSS feed reader or something similar.

What happens if you accidentally lose your unique URL? Well, the service has your e-mail address, so it can easily send it to you.

For a service where I would like to share data with other people, it would be totally feasible to generate other unique URLs for those users that will lead to the same account data, but with different access levels.
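As an added illustration of the scheme above (not code from the post), here is a minimal Python sketch of account creation, URL lookup, the lost-URL flow and per-user share links. The host name, the in-memory store and the access-level names are assumptions; so is the choice to store only a hash of each token, which means the lost-URL flow mints a fresh link instead of re-sending the old one.

```python
import hashlib
import secrets

BASE_URL = "https://example.invalid/"  # placeholder host, not the post's URL

# Constructed in-memory store: sha256(token) -> (account_id, access level)
_tokens: dict[str, tuple[str, str]] = {}
_accounts: dict[str, str] = {}  # account_id -> e-mail address

def _hash(token: str) -> str:
    # Keep only a hash server-side so a database leak does not hand out usable URLs.
    return hashlib.sha256(token.encode()).hexdigest()

def _mint(account_id: str, level: str) -> str:
    token = secrets.token_hex(16)  # 128 random bits, like the 32-hex-char id in the post
    _tokens[_hash(token)] = (account_id, level)
    return BASE_URL + token

def create_account(email: str) -> str:
    """Register an e-mail address and return the owner URL, the only credential."""
    account_id = secrets.token_hex(8)
    _accounts[account_id] = email
    return _mint(account_id, "owner")

def resolve(url: str) -> tuple[str, str]:
    """Map a visited URL to (account_id, level); unknown tokens fail closed."""
    try:
        return _tokens[_hash(url.rsplit("/", 1)[-1])]
    except KeyError:
        raise PermissionError("unknown token") from None

def share_url(owner_url: str, level: str) -> str:
    """Mint a second URL onto the same account with a different access level."""
    account_id, caller_level = resolve(owner_url)
    if caller_level != "owner":
        raise PermissionError("only the owner link may create share links")
    return _mint(account_id, level)

def recover(email: str) -> str:
    """Lost-URL flow: rotate the owner token and return the new URL to e-mail out.
    The old owner link stops working, so a forgotten or leaked one cannot be
    replayed later; share links are left untouched."""
    account_id = next(a for a, e in _accounts.items() if e == email)
    for h, (acct, level) in list(_tokens.items()):
        if acct == account_id and level == "owner":
            del _tokens[h]
    return _mint(account_id, "owner")
```

Because the URL is the whole credential, the pages behind it should also be served with a restrictive Referrer-Policy and kept out of shared logs, or the link leaks the same way a password would.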

I don’t know… Could it be stupid enough to actually work? I will try it some time to find out.
