FIA_HPU.1 Identification and Authentication in the Harry Potter Universe

Seen on securitymentor2. Somehow, this just appeals to the Computer Security side of me. Of course, this report is absolutely right: they do need a stronger Identification and Authentication Scheme. I do hope they implement the recommendations for the next term… 🙂

This report is for the exclusive use of Hogwarts and no other party is entitled to rely on it. Violators of any part of the legal boilerplate will be subject to the Hyperodious Curse.


Physical security: offices and dormitories

The current password-based access system is inconvenient (blocking legitimate users who have arrived after begining of term), thoroughly insecure, and is being breached almost routinely, placing confidential data at risk up to and including private thoughts of the Headmaster stored in his Pensieve.

The gargoyles which guard the Headmaster’s office, and the portraits which control access to the dormitories, do not maintain a list of authorized personnel. Instead they allow anyone who knows the current password to enter.

Passwords are easy for an intruder to obtain. Possible password compromises include, but are not limited to:

  • Tailgating an authorized user
  • Accompanying an authorized user: incredibly, a student being taken to the Headmaster’s office for discipline will learn the password to the Headmaster’s office.
  • Eavesdropping. Unskilled intruders can easily overhear an entry password by standing near the door in an Invisibility Cloak or by purchasing Extendable Ears, available to the public from readily accessible suppliers such as the Weasley brothers.
  • Guessing. Passwords are allowed to be dictionary words and phrases such as “lemon drop”.
  • Compromise of an authorized user. A user under the Imperius Curse could reveal a password or could enter the premises with hostile intent


  • Gargoyles and portraits should be re-enchanted to deny entry after seven unsuccessful guesses at the password and report the incident to Argus Filch
  • Gargoyles and portraits must be protected against mind-reading spells and trained in Occlumency
  • Gargoyles and portraits should be protected against eavesdropping with an Imperturbable Charm during password entry
  • Gargoyles and portraits should be instructed not to accept passwords from clearly unathorized people, for example students trying to enter the Headmaster’s office. The necessary charms could be derived from the one at the girls’s dormitory which turns the staircase into a slide when a male student approaches.
  • All portals should screen users for traces of Polyjuice potion and evidence of the Imperius Curse
  • Consideration should be given to scrapping the password system altogether and having all portals controlled by wands, which are unique to a given user and could be supplemented with passwords to guard against stolen wands.
  • All entries to sensitive areas should be logged with an enchanted sentient quill