evgeny0's comments

I like the idea from a technical point of view, but I doubt it would make much of a difference in practice, because most home users log in with administrator accounts anyway. So do most developers. Only the rare, security-conscious power user would typically log on with a restricted account and even then.


Only Windows users or developers regularly log in with administrator access.


Are you joking or did you used to be a phreaker? That is hardcore! +1


No joke, though I'm not an old phone phreak (sorta...). It's just like remembering music - every number sings its own 10 note song.

At least it was until my cellphone stopped playing back DTMFs for stored numbers. SIP and quiet dialing have almost killed the music.


Love it! To take it further, AT&T could choose to pay more to NOT have Verizon notified.


Donated.

Thank you for opening up the online world to me, back in the days when just trying to connect to the Internet was a bit of an adventure!


+1, but I'd stop mentioning it after the first time (unless of course you're just doing this as an experiment and aren't really interested in selling the stuff)


Full-size image: https://dl.dropbox.com/s/2pa7akochkgsnos/IMG_0988.JPG

The blocks are similar, but not identical. If you look closely you can clearly see that the line lengths are different.


Who on Earth said startups were easy?


The problem is not being "a bit of an ass" (embarrassing yourself), it's being "a bit of a bullshitter/scam artist" (cheating others).


Your point about the salary is valid - stating the salary does create some problems. However, not stating it creates much bigger problems.

It would be relatively rare that you advertise for a senior developer and end up hiring a junior one (when you had no intention of hiring a junior at first). It would be much more common that your job ad is ignored by the really good developers and instead you have your time wasted by those who are underqualified.

If your existing employees are paid below-market rates that is a latent problem in any case. Eventually they will figure out that they're underpaid. Even if you don't advertise salaries some of your competitors will.


But the random username / random password / client-side SSL certificate is excellent security.

The SSL certificate is, but not the random username. That's just a maintenance hassle. A username is not a secret - that's what the password is for. The random password isn't so great, either, because it pretty much forces you to write it down and then it just becomes a (poor) version of the SSL certificate. It should instead be a strong password that you can actually remember.


It should instead be a strong password that you can actually remember.

I agree that in theory a strong password one can remember is more secure than a randomly generated password that you have to write down.

However in practice, people just choose easy to guess passwords, or reuse the same password everywhere. That's a larger security problem, so the random passwords are more secure in practice.


Most really secure VPNs I've used use a SecurID[1] token and PIN, instead of a static password.

[1] http://www.rsa.com/node.aspx?id=1156


I've been using an extranet site recently that calls you, using Twilio or something I guess. They have my mobile phone number.

You enter your username and password on the web form and your phone rings a couple of seconds later. You are asked by a recording to type in your PIN. When you do, the HTTP request is completed and you are logged in.

It's very easy as a user, and seems quite secure. The username/password/PIN are all quite weak and easy to remember, but in conjunction with the phone call, it's fairly strong.
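The login flow described in the comment above, modelled as an added example (this is not the extranet site's code, and the site is not identified): the web tier checks username and password, then places a call and waits for the PIN; the call handler consumes a single-use, time-limited challenge. The web server and telephony provider are replaced by in-process functions, and the user record, salt, phone number and PIN are constructed sample data.

```python
"""Two-step login with an out-of-band phone PIN, modelled in plain Python.

Added illustration, not code from the site in the comment. The web tier and
the telephony provider are stand-ins; in production the PIN would be
collected over a voice call and the pending-login table would live in a
shared store rather than a module-level dict.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials: password and PIN are stored only as salted
# PBKDF2 hashes. The iteration count is kept modest so the example runs fast.
SALT = b"constructed-salt"


def derive(secret):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 50_000)


USERS = {
    "alice": {
        "pw_hash": derive("correct horse"),
        "pin_hash": derive("4821"),
        "phone": "+15555550100",  # hypothetical number
    }
}

CHALLENGE_TTL = 60       # seconds the phone prompt stays valid
MAX_PIN_ATTEMPTS = 3     # wrong PINs allowed before the challenge is discarded

# Pending logins keyed by a random challenge id that never leaves the server.
pending = {}
# Stand-in for the telephony API: records (phone, challenge id) per call placed.
calls_placed = []


def start_login(username, password, now=None):
    """Step 1: verify the password; on success place the call and return the
    challenge id. Returns None on any failure without saying which part failed."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    # Always derive, so timing does not reveal whether the username exists.
    candidate = derive(password)
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    cid = secrets.token_urlsafe(16)
    pending[cid] = {
        "user": username,
        "expires": now + CHALLENGE_TTL,
        "attempts": MAX_PIN_ATTEMPTS,
    }
    calls_placed.append((user["phone"], cid))  # would be the provider's "call" request
    return cid


def answer_pin(cid, pin, now=None):
    """Step 2: invoked by the voice-call handler with the digits the user keyed.
    Returns the username on success, None otherwise. The challenge is removed
    on success, on expiry, and after too many failures, so a PIN cannot be
    replayed against the same challenge."""
    now = time.time() if now is None else now
    entry = pending.get(cid)
    if entry is None:
        return None
    if now > entry["expires"]:
        del pending[cid]
        return None
    user = USERS[entry["user"]]
    if hmac.compare_digest(derive(pin), user["pin_hash"]):
        del pending[cid]
        return entry["user"]
    entry["attempts"] -= 1
    if entry["attempts"] <= 0:
        del pending[cid]
    return None
```

The challenge id is what ties the HTTP request to the phone call; it is generated server-side and handed only to the telephony callback, so a caller who knows the PIN but did not pass step 1 has nothing to answer against. Passing `now` explicitly lets the expiry and lockout paths be exercised without waiting.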

