Shostack + Friends Blog Archive

Passwords: Lessons for Japan Airlines from Harry Potter

This is weak authentication in all its glory. The password is shared by every member of a House. It is a static password, changed annually. Moreover, the fat lady’s password challenge never asks students for identity. I cannot recall any incident where a house ghost barred entrance to a student because he was a member of a different house and thus had no business entering, which could imply that facial recognition (biometric) is used. But if the house ghosts use a biometric, what’s the purpose of the password?

So writes Dave Piscitello in “Harry Potter and the Group Password.” Maybe Japan Airlines should pay attention, before someone reports “Airport Passcodes Leaked from Virus-Infected PC”:

Passcodes needed to enter secure areas at 16 Japanese airports and one in Guam have appeared on the Internet after a virus infected a computer belonging to a Japan Airlines Corp. co-pilot, the airline said Friday.

JAL has regulations regarding the downloading of sensitive corporate information to personal computers. However, the airport codes didn’t fall within this category because they are so widely known among aircrews, ground staff, maintenance workers, cleaners and other airport staff.

Oops! Too late. PS to Dave: “I feel a series coming on!”