

No, no, that's my boy scout troop number!
September 1, 2011 5:06 PM

Multiple password logins. How do they work? Do they work? Why or why not?

I want to have a login, say "Billy6969". But depending on what password I put in, I want to login to a different account.

So if user:Billy6969 and Password:12345
I am logged into account A.

But if user:Billy6969 and Password:123456
I am logged into account B.

How can I do this on a Mac, Linux...and shit, even PC (if possible)?

If I can't do this, is there any practical reason why this would be a bad idea?

And no, not multiple desktops.

Thanks mefites.
posted by hal_c_on to Computers & Internet (14 answers total) 1 user marked this as a favorite
 
Machines differentiate by username at a pretty low level for security purposes, so you won't really be able to pull this off. The equivalent, then, is to use two different usernames and the same password.
posted by davejay at 5:10 PM on September 1, 2011


Well rather than asking the machine to not differentiate by username, could the result of different passwords log into different desktops of the same account?
posted by hal_c_on at 5:14 PM on September 1, 2011


Just to make it more clear: one of the most important aspects of security on a computer -- beyond simple access to the machine's functions -- is per-file and per-directory security. Each file and directory (on Mac and Linux, anyway) has an owner, a group and an "everyone". The owner can have permissions, the group can have different permissions, and "everyone" can have different permissions. Like so:

File1.txt
Owner: billy6969 [read: yes, write: yes, execute: yes]
Group: users [read: yes, write: no, execute: no]
Everyone: [read: no, write: no, execute: no]

In the above, the file owner can read, write or execute the file. Members of the group (presumably billy6969 and others) can read the file, but they cannot write or execute it. Anyone who isn't billy6969 or in the group users can't even read the file, much less write or execute it.

Your goal, then, is to have two owners of the same name, and computers just aren't set up for that. You can't log in as a group, so you can't use the group permissions as an alternative user. Even if you could define two owners, they'd have to have different names; otherwise, how would the computer know that billy6969 can execute the file, but billy6969 cannot execute the file...and if both billy6969s have the same permissions, there's no point in having two accounts, since they're functionally the same.

I hope that makes sense.
posted by davejay at 5:17 PM on September 1, 2011


Ah, so you want to type "billy6969", but based on the password, have the computer actually log in as "billy1" or "billy2", so "billy6969" is not an actual user. Gotcha.

I cannot personally conceive a way of doing this without having an alternative login program that translates your abstraction into actual logins...and that program would have to run before you'd logged in, which is what would make it problematic. I actually think it isn't possible, but I'll hedge my bets in case someone else comes in here.

I'm not sure what the purpose of your goal is, although it seems like you might want to make it look like you're logging into your "real" account while actually logging into a "fake" account. If so, you might simply make two separate account names that are extremely difficult to casually note the differences of, and make sure you turn off options that show a list of all possible users on the login screen. So "BILLY6969" and "BlLLY6969".
posted by davejay at 5:21 PM on September 1, 2011


(note that in my previous comment, the first BILLY used a capital i, and the second BILLY used a lower case L.)
posted by davejay at 5:22 PM on September 1, 2011


Amazon does this. It just depends on what's on the backend. Perhaps the username and password are joined together into some kind of digest that references some other username token, which is calculated or derived from the username and password you provide, so these are still treated like separate accounts at the end of the day.
posted by Blazecock Pileon at 5:24 PM on September 1, 2011


davejay's explanation is too simple to be correct. You are identified by your user number. There's nothing, in theory, preventing two user ids from having the same user name. (So user 101 and 102 are distinct from a file system perspective, but both show the name "joe".) From a management perspective, however, it would be a complete and total nightmare. The application part of the world just wasn't written with that in mind. Small little things would break all over the place.
posted by introp at 5:30 PM on September 1, 2011 [1 favorite]
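
The File1.txt permissions and the "two UIDs named joe" case from the comments above, as an added example that is not part of the thread. The passwd lines, the GIDs, and the choice of UID 101 as file owner are constructed; the permission check is simplified (no root, no supplementary groups).

```python
R, W, X = 4, 2, 1  # permission bits within one class

# Constructed passwd-format lines: two UIDs share the login name "joe".
PASSWD = """\
joe:x:101:100:Joe A:/home/joe-a:/bin/sh
joe:x:102:200:Joe B:/home/joe-b:/bin/sh
"""

# File1.txt from the comment above: owner rwx, group r--, everyone ---.
# Owner UID 101 and group GID 100 ("users") are assumed numbers.
FILE1 = {"owner_uid": 101, "owner_gid": 100, "mode": 0o740}

def parse_passwd(text):
    entries = []
    for line in text.splitlines():
        name, _pw, uid, gid, *_rest = line.split(":")
        entries.append({"name": name, "uid": int(uid), "gid": int(gid)})
    return entries

def uid_for_name(entries, name):
    """Name -> UID by linear scan: the first matching line wins."""
    for e in entries:
        if e["name"] == name:
            return e["uid"]
    return None

def name_for_uid(entries, uid):
    """UID -> name is unambiguous even when names repeat."""
    for e in entries:
        if e["uid"] == uid:
            return e["name"]
    return None

def access(uid, gid, f=FILE1):
    """Owner/group/other check by number; exactly one class applies.
    Simplified: ignores root and supplementary groups."""
    if uid == f["owner_uid"]:
        bits = f["mode"] >> 6
    elif gid == f["owner_gid"]:
        bits = f["mode"] >> 3
    else:
        bits = f["mode"]
    bits &= 0o7
    return "".join(c if bits & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))

if __name__ == "__main__":
    users = parse_passwd(PASSWD)
    for u in users:
        print(u["uid"], u["name"], access(u["uid"], u["gid"]))
    print("login 'joe' resolves to UID", uid_for_name(users, "joe"))
```

Both entries display as "joe", but only UID 101 gets owner access, and a by-name lookup never reaches UID 102.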


Are you using this to make your life easier, or to fool someone else? If the important thing is to get the effect, you could perhaps make your password to each account billy6969, then mock up a fake login screen that reverses the user name and password fields, so that the password is on top and displayed in plain text, the user name below and obfuscated.

I suspect that would be near impossible to pull off in Windows, perhaps less so in Mac, perhaps trivial in Linux, and simple for a website.
posted by jsturgill at 6:02 PM on September 1, 2011


You could do this kind of authentication with some modifications to LDAP, I think.

For example, you could build a unique DN (Distinguished Name) from the username and a one-way hash of the password (one-way, so that the plaintext password cannot be recovered). A perfect hash function would deal with collisions.

You're still authenticating with different passwords, but because you have built different DNs from the different password, you are ultimately working with unique LDAP accounts on the basis of the password being different, even if the username that the end user types in is identical across accounts.
posted by Blazecock Pileon at 6:04 PM on September 1, 2011


Are you using this to make your life easier, or to fool someone else?

Ha! Just for me, thanks! Just to clarify, I'm not trying to access inaccessible parts. I just want ONE username that has different passwords.

A different password could either lead to a different account, or just a different desktop of the same account. Regardless of method, I want the effect of a different password to lead to a different screen.
posted by hal_c_on at 6:32 PM on September 1, 2011


The tricky thing is that all current OSes that I know of tie the login name to the account/username.

You want them to be decoupled from each other, but route to an account based on login+password, instead of just login, with password as authentication.

I'm sure in Linux it'd be possible to write a PAM module that would have it pick a different user account based on the password, but I don't know of any out-of-the-box solution--or any solution that wouldn't require coding.

Or you could try swapping how you look at it. Have two accounts with the same password; same practical outcome, just changes which box you type the "same" thing in between the two accounts.
posted by skynxnex at 6:39 PM on September 1, 2011 [1 favorite]


It would have to crypt() every password on the machine in order to find the UID for the user to double check that the username was correct. Essentially, you're reversing the login process that is usually keyed from the username to find the UID and then check the password. You may not think this is a big deal if you only have one or a few accounts on your machine, but that's not the situation for which people write the PAM/GINA modules that would do this work.

You'd be better off reversing your approach and using different usernames with the same password. It's the same level of (in)security.
posted by rhizome at 9:52 PM on September 1, 2011
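
The password-selects-account lookup discussed in the comments above, as an added example that is not part of the thread and is not a PAM or GINA module. It uses PBKDF2 from Python's standard library in place of crypt(); the alias table, the UIDs, and the function names are assumptions, while the passwords and the billy1/billy2 names are the ones used in the thread.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; every candidate account costs one run

def kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(uid: int, name: str, password: str) -> dict:
    salt = os.urandom(16)  # per-account salt, as in a normal shadow entry
    return {"uid": uid, "name": name, "salt": salt, "hash": kdf(password, salt)}

# Constructed sample data: one typed login name mapped to two real accounts.
ALIASES = {
    "Billy6969": [
        make_account(1001, "billy1", "12345"),
        make_account(1002, "billy2", "123456"),
    ]
}

def resolve(alias: str, password: str):
    """Return (matching account or None, number of KDF runs spent)."""
    match, runs = None, 0
    for acct in ALIASES.get(alias, []):
        runs += 1
        ok = hmac.compare_digest(kdf(password, acct["salt"]), acct["hash"])
        if ok and match is None:
            match = acct  # keep checking the rest so timing does not show which matched
    return match, runs

def set_password(alias: str, name: str, new_password: str) -> bool:
    """Change one account's password; refuse if it already opens a sibling."""
    accounts = ALIASES[alias]
    target = next(a for a in accounts if a["name"] == name)
    for other in accounts:
        if other is not target and hmac.compare_digest(
            kdf(new_password, other["salt"]), other["hash"]
        ):
            return False  # the refusal itself tells the caller the password is in use
    target["salt"] = os.urandom(16)
    target["hash"] = kdf(new_password, target["salt"])
    return True

if __name__ == "__main__":
    acct, runs = resolve("Billy6969", "123456")
    print(acct["name"], acct["uid"], runs)
```

Each login attempt costs one key-derivation run per account behind the alias, and passwords must stay unique within the alias, which is the constraint a normal username-keyed login never has.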


You could maybe kind of do something like this using TrueCrypt's "hidden operating system" feature. But mainly, what everyone else has said. It's not impossible to do this -- you could write your own set of PAM modules which did whatever you want -- but I can't think of anything off the shelf that already exists.

You could make it _seem_ as though you were getting a different desktop based on a different password, though. What about a login script that checks for the presence of a USB dongle and switches desktops based on that? Or something that changes your desktop based on whether the time of day ends in an odd or even minute? Or which watches the security logs and switches desktops based on whether you log in correctly on the first try or fail once first?
posted by hades at 9:09 AM on September 2, 2011


What about a login script that checks for the presence of a USB dongle and switches desktops based on that? Or something that changes your desktop based on whether the time of day ends in an odd or even minute? Or which watches the security logs and switches desktops based on whether you log in correctly on the first try or fail once first?

Oh how you tease me.

Tell me more, tell me more, like, does he have a car?
posted by hal_c_on at 10:09 PM on September 2, 2011


This thread is closed to new comments.