Password Resets Worse Than Reusing Old password
narramissic writes "We all know well the perils of password reuse. But what about the information used to reset passwords? Many sites use a standard set of questions — your mother's maiden name, the name of your best friend, what city you grew up in, or what brand your first car was. And you probably have a standard set of responses, making them easy to remember but not very secure. 'The city you grew up in and your mother's maiden name can be derived from public records. Facebook might unwittingly tell the name of your best friend. And, until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car,' says security researcher Markus Jakobsson. But 'password reset does not have to be a weak link,' says Jakobsson. 'Psychologists know that people's preferences are stable — often more so than long term memory. And very few preferences are recorded in public databases.'"
'The city you grew up in and your mother's maiden name can be derived from public records.'
I don't know if you can find the city that you grew up in in public records, but I know that in Minnesota, I can get anybody's name, date of birth, place of birth, mother's maiden name, and father's name with just a few clicks on the 'puter (for free).
Many folks put other personal details on their blogs or other places online and it doesn't take much to find quite a bit about their personal lives. Add that with just a touch of social engineering, you can get a bunch of data about your target.
Even if the questions are secure, many times the mode of delivery/reminder is not. I don't know how many times I have had to reset/get a password renewed by asking all those stupid questions on a secure web page just to have them resend a password free text to my yahoo account. These aren't important sites to me, but I still wouldn't want anybody snatching this data.
This preference method has flaws too. I change my preferences often. So it may have some good points, but it looks rather like a marketing gimmick to me. How long would it take for your likes and dislikes to be sold to the spammers?
Even worse is that some of those systems are freakin' picky too.
You may know the answer. But it may be case sensitive, and fairly picky. "What's your favorite food?" Is it Curry, curry, curry chicken, Curry Chicken, chicken, or Chicken?
I got locked out of my bank account because of that BS once (it wasn't a password reset though, it was a 2 step authentication, so it asked that on TOP of the password)
Fooled them. My first car was a Chevy!
I came up with a standard set of bullshit 10 years ago. I use it to this day. By the way, my first pet was named cfeadr3.
Bridgekeeper: Stop. What is your name?
Galahad: Sir Galahad of Camelot.
Bridgekeeper: What is your quest?
Galahad: I seek the Grail.
Bridgekeeper: What is your favourite colour?
Galahad: Blue. No, yel...
I am the richest astronaut ever to win the superbowl.
In most cases being able to reset password with a question like "what's your mother's maiden name?" is worse than making your password "12345".
If you can read this, I forgot to post anonymously.
I just use the current month and then the year.
This is what usually happens
Although some people I work with write all of their passwords down and keep it under their keyboard or in their desk.
Only changes 1 character everytime.
1LuvMyDog!
1LuvMyDog@
1LuvMyDog#...
People actually enter their real information? I just put a password that I know well.
If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
For every web site that asks for a password I randomly generate one.
If they have the audacity to ask for personal information, I randomly generate that data too. What frustrates me is that now I have to store a series of name-value pairs - because some of these web sites insist on randomly asking me to confirm my identity on occasion with these profile questions.
What frustrates me even more is that most people are stupid enough to give random / anonymous web sites such personal info.. What if one of the questions was 'what is your VIN? What's your SSN'??? Would people ignorantly post that data too??
If the website requires a credit card, use this information for credentialling. If it's a community web site, use email responses - if the email is hijacked, the owner should be able to see the flood of change-password emails. I never understood the value-add of such personal-info bio-metric questions.
My bank uses a PIN in additional to the login. This actually makes sense to me - as PINs are generally easier to remember than my 10 digits random char-lists, but moreover it's at least honest about the purpose of these extra fields - and doesn't dupe people into leaving their pants down when the DB gets hacked one day.
-Michael
I recently bought a domain+hosting space from a well known site, one that I don't ever recall buying domains from in the past (even searched through years worth of emails - nothing), and when signing up for a new account I was unexpectedly greeted with "that email address is already in use".
So I went to the password retrieval page, entered my email address, and it asked me the stupidest hint question (for me) ever: "What was the make of your first car?" It didn't make sense at all because I still haven't bought my first car!
To do something right, you often have to roll up your sleeves and get busy.
Many websites allow you to use your own question, rather than a preset one. "What is the movie you'd most relate to your high school career?"
"What was the name of craziest teacher you had?"
Better yet, "On Tuesday mornings, which newspaper did you always use to cut out little robot people?"
Unlike most people, I have an excellent memory of what passwords I use. I often forget what password I set, but, if I input the wrong one, I try another one until I get in...
Seriously, I sometimes put in for a secret answer something that does not correspond with the question being asked. :)
It's pretty hard for a virus to read what's beneath the desk. Not impossible if the virus can control your employer's security cameras, but difficult.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I hate when sites *require* one of these stupid "security" (hah!) questions. It's bullshit. So what I do is that I enter one of a small set of (strong) passwords into that space that I don't use anywhere else, so that on the very improbable chance I don't remember a password for a site, I can use one of those. Or if I don't care enough, I'll just use the same actual password, particularly if it's something not important.
No duh. Who in their right mind thought having simple secret questions, to reset passwords, as a good idea? Especially when MySpace and the like contain a bunch of information people willingly put up online.
Birthdates aren't secure for password resets since people aren't afraid of letting others know when their birthday is. Like, "Hey, it's my 21st birthday today!" on their social networking blog.
Zip codes aren't secure for password resets either. It's not too hard to find out where someone lives, with a bit of investigating.
Secret question answers might be listed on one's social networking profile.
Just lie on these questions! Put in answers you would know, but aren't factually correct.. =)
Simple solution..
-Myke
These things are generally used for very low-security applications. My bank doesn't use them, stock trading sites don't use them, etc. And in many cases it would still be hard for a bad guy to take over your account this way. For instance, they may send you an email every time the password recovery feature is used on your account. A well designed site won't actually let you recover your old password, it will generate a link with a hash code in it that allows you to pick a new one; so the bad guy can't find out what your password used to be (which would be especially scary if you were in the habit of using the same password for lots of things), and if it's an account that you use frequently, you'll also find out quickly that something is wrong, because your password will no longer work. And I would guess they also have a limited number of times you can guess your dog's name wrong. But okay, suppose someone manages to get access to my amazon.com account this way. Is it really that horrible? I suppose they can set up a new shipping address, order some CDs, and have them sent there. So I just turn around and call my credit card company, and they reverse all the charges.
The typical slashdot user is really into using high-tech toys in sophisticated ways, but for the average person there really are severe usability issues with maintaining login and password combos, and these "what was your first pet's name" questions are a not entirely unreasonable attempt to make things easier for that type of user. My mother in law visited us recently for a few weeks. She's had a history of dysfunctional relationships with her Windows machines (viruses, etc.), so I got her started on Linux. Her main application is that she plays an online scrabble game (not the famous facebook one). She'd been unable to use her virus-infested computer for a long time, so it had been a long time since she'd been able to play scrabble. I got her set up on a spare linux box in the family room, and the very first thing she wanted to do was get scrabble working. Well, she just couldn't remember her username and password for this server. Tried a bunch of things, no luck. She was bummed out, too, because she'd had a high rating, and creating a new account with a zero rating meant it would be hard for her to get games. It would have been a lot better, from her point of view, if she'd been able to tell them her dog's name and recover her password. Who the heck cares if it leaves her vulnerable to having her scrabble account taken over by evil Russian hackers with handlebar moustaches?
All of this might seem ridiculously easy to handle to us, but I could easily imagine myself having the same problem 10-15 years ago. It's not obvious to her how her email is nested inside her yahoo account, her yahoo account is inside her browser, and her browser is inside her OS. It's not obvious to her that the username and password she uses on yahoo are different from the ones she uses to log in to her linux account.
Find free books.
Exactly how excellent is your memory, then? This kind of corner-case made me reconsider best-practices password security.
"And very few preferences are recorded in public databases.'"
Yet.
"And very few preferences are recorded in public databases"
Not for long if APML usage kicks off..
MilkMiruku
Yes, it is available through public record. But that isn't enough! What if your siblings like to play pranks on you, or if your mother is trying to get you to move out of your basement?
How do I protect myself from THEM?!
I was surprised recently when my back asked for all this type of information (i.e. childhood friend, first school), but didn't have me confirm a single field. There was just a single text field for each question. God help me if I fat-fingered one of the answers. Was my first school All City Elementary...or All City Elemntary? OH CARP!
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
The first and obvious is that those "reminder" pages usually draw from a limited set of possible answers. What's your favorite color? If you're a man, you know about 6 ("peach" is no color, it's a fruit!). So, and this gets us to the second problem, keep trying; they usually also don't have a limited number of attempts. Yellow, blue, green, red, black, white... you're bound to stumble upon the right one eventually.
The worst reminder question I ever had was "what's the last 4 digits on your credit card?" Besides giving away CC info, you can't even dodge it by entering a bogus answer to throw crackers off (because my favorite color could well be "toast"), you HAVE to choose one of 10,000 possible answers.
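The two design points raised in this thread, the well-designed reset flow described a few posts up (a one-time emailed link carrying a random token rather than the old password, and a cap on wrong answers to the question) and the guessing attack in the post just above (a handful of favourite colours, no attempt limit), can both be exercised in code. The following is an added example, not code from the original thread or from any site it mentions; the account fields, the five-guess limit, the one-hour lockout, the 15-minute token lifetime and the colour list are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Distinct errors for the caller; a real site shows the same generic message
// for all of them so the response itself leaks nothing to a guesser.
var (
	errWrongAnswer = errors.New("wrong answer")
	errLocked      = errors.New("question locked; try again later")
	errBadToken    = errors.New("reset link invalid or expired")
)

const (
	lockoutPeriod = time.Hour        // assumption
	tokenTTL      = 15 * time.Minute // assumption
)

// account is a hypothetical in-memory record; the field names are assumptions.
type account struct {
	email        string
	answerHash   [32]byte  // hash of the normalised security answer
	maxWrong     int       // wrong guesses allowed before lockout; 0 = unlimited
	wrong        int       // consecutive wrong guesses so far
	lockedUntil  time.Time // zero when not locked
	tokenHash    [32]byte  // SHA-256 of the outstanding reset token
	tokenExpires time.Time // zero when no token is outstanding
	passwordHash string    // stand-in; hashing the password itself is out of scope here
}

// normalizeAnswer makes "Curry Chicken", "curry chicken" and " curry  chicken "
// compare equal, so a capitalisation slip does not lock the real user out.
func normalizeAnswer(s string) string {
	return strings.Join(strings.Fields(strings.ToLower(s)), " ")
}

// hashAnswer uses plain SHA-256 to keep the example short. Answers are
// low-entropy, so production code should use a slow, salted hash here,
// exactly as for a password.
func hashAnswer(s string) [32]byte {
	return sha256.Sum256([]byte(normalizeAnswer(s)))
}

func newAccount(email, answer string, maxWrong int) *account {
	return &account{email: email, answerHash: hashAnswer(answer), maxWrong: maxWrong}
}

// answerQuestion is the "I forgot my password" step. On a correct answer it
// returns the one-time token that would go into the emailed link. Only the
// SHA-256 of the token is kept server-side, so a database leak does not hand
// out live reset links.
func (a *account) answerQuestion(guess string, now time.Time) (string, error) {
	if now.Before(a.lockedUntil) {
		return "", errLocked
	}
	h := hashAnswer(guess)
	if subtle.ConstantTimeCompare(h[:], a.answerHash[:]) != 1 {
		a.wrong++
		if a.maxWrong > 0 && a.wrong >= a.maxWrong {
			a.lockedUntil = now.Add(lockoutPeriod)
			return "", errLocked
		}
		return "", errWrongAnswer
	}
	a.wrong = 0
	raw := make([]byte, 32) // 256 random bits: not guessable, unlike the answer
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	a.tokenHash = sha256.Sum256([]byte(token))
	a.tokenExpires = now.Add(tokenTTL)
	return token, nil
}

// redeemToken is the page behind the emailed link: it never reveals the old
// password, accepts each token exactly once, and refuses expired tokens.
func (a *account) redeemToken(token, newPassword string, now time.Time) error {
	if a.tokenExpires.IsZero() || now.After(a.tokenExpires) {
		return errBadToken
	}
	h := sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(h[:], a.tokenHash[:]) != 1 {
		return errBadToken
	}
	a.tokenHash = [32]byte{} // single use
	a.tokenExpires = time.Time{}
	a.passwordHash = "hash(" + newPassword + ")"
	return nil
}

// bruteForce plays the attacker from the post above: walk a short list of
// likely answers. It returns the token if one was obtained and the attempts spent.
func bruteForce(a *account, candidates []string, now time.Time) (string, int) {
	for i, c := range candidates {
		tok, err := a.answerQuestion(c, now)
		if err == nil {
			return tok, i + 1
		}
		if errors.Is(err, errLocked) {
			return "", i + 1
		}
	}
	return "", len(candidates)
}

func main() {
	colours := []string{"red", "blue", "green", "yellow", "black", "white", "orange"}
	now := time.Now()

	open := newAccount("a@example.com", "White", 0) // no attempt limit
	tok, n := bruteForce(open, colours, now)
	fmt.Printf("unlimited guesses: token obtained after %d attempts: %v\n", n, tok != "")
	fmt.Println("redeem once:", open.redeemToken(tok, "new-password-1", now))
	fmt.Println("replay:     ", open.redeemToken(tok, "new-password-2", now))

	limited := newAccount("b@example.com", "White", 5)
	tok, n = bruteForce(limited, colours, now)
	fmt.Printf("5-guess limit: token obtained: %v, attempts before lockout: %d\n", tok != "", n)
}
```

Two things are worth noticing. The token is 256 random bits, so guessing it is hopeless even though the question that gates it offered roughly one bit of work per guess; and only its SHA-256 is stored, so the leak that exposes answer hashes does not expose usable reset links. Plain SHA-256 is adequate for the token because it is high-entropy; the answer hash in `hashAnswer` is the part that deserves a slow, salted hash in a real system.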
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I have a fake mother's maiden name that I use for online forms (as well as offline forms where I feel the organization in question has no fucking need to know the correct answer). I have a fake first car answer, a fake best friend answer, and a fake city where I was born. I use the same ones consistently for all my password reset questions.
If libertarians are so opposed to effective government, why don't they all move to Somalia?
Is this really that much of a security issue? The new password is sent to your registered e-mail address, and only if you log in with the new password will your old password be changed. Otherwise, your password remains unchanged. So, unless the e-mail is sniffed in transit, or your e-mail account has been hacked, this shouldn't be an issue.
a 1969 Pontiac GTO, wait, you did not read that!
Politics is Treachery, Religion is Brainwashing
Yeah, that's what I want to use for a card with no spending limit, a datum easily discovered through public records.
I finally got hold of a real person, and he insisted I use my mother's birthday. I insisted that I would not. He finally had to get permission from a supervisor for me to use a random four digit string.
I understand, insisting on an easily remembered string probably reduces the number of support calls to reset pins, but at what cost?
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I had to be clubbed on the head to realize this obvious universal truth:
The answer to your "secret question" doesn't have to have anything to do with the stated question.
I got upset at my bank because they only had four questions they'd let me use. Oldest sibling's name (only child?). First pet (which one?). Town you grew up in (which one?). Favorite color (don't have one). The really crazy part is these were ALL questions. The bank will randomly challenge me with one of those questions.
After yet another challenge lockout, the rep kindly informed me to just treat the secret questions just like another password field, and put in whatever else you'd like for another password. I could even use the same answer for all the questions.
d'oh. That's simpler than it looks.
It gets better. The "random" nature of the challenges was bugging me. The rep then said, do you want to just make it ALWAYS challenge you? Do it! Much better. I need consistency more than the random chance that things are simpler. It always sends me looking for my password list when I miss a forum or something I normally visit daily for a few days and it logs me out. Having to enter the password for something every time you use it, and having to use it frequently, is much better for memorizing these things.
I work for the Department of Redundancy Department.
My solution is to append a 3 digit number I memorized to my answer. For example ford657 or fido657.
I would think it would be easier to find out my preferences from looking at my Facebook page than it would be to determine my mother's maiden name, best friend's name or what my first car was - you won't find any of that information spelled out clearly on facebook, but you would be able to look at my "Interests" to see what type of music, tv or foods I liked or view my pictures and see plenty of photos of me in art galleries and raves, but none at sporting events, for example.
Plus, as everyone knows, a multiple choice test is much easier to pass by answering randomly than a something where you have to fill in the blanks.
The opinions in this post are fictitious. Any similarity to actual opinions, real or imagined, is purely coincidental.
So what's the definition of "password reset"? I'd started off assuming that it refers to one of those "I forgot my password" thingies. But the few times I've used one of those (usually helping a friend get a new password, actually), the result has always been for the site to email a new password that was random and unpronouncable, plus a link to change the password.
Are there sites that actually set your password to one of these personal-info strings? If so, that's incredibly demented behavior on their part. I'd think seriously of not using that site any more, if possible.
But I was disappointed that TFA didn't seem to define the "password reset" phrase. So I have to admit that I don't know what he's talking about. And I'm curious, because I've found that stories on new security problems have this way of quickly becoming relevant.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
> The city you grew up in and your mother's maiden name can be derived from public records.
I grew up in Wei9Iequ. My mother's maiden name was ga4EeliY.
Or, if you insist on something easier to remember, make it Tanelorn and Gloriana.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
My wife's business website was routed to a porn site for three days a couple years ago. They transferred the domain from her account to their own account with another registrar, and pointed it to their own DNS servers.
They accessed her account by, you guessed it, compromising her primary email account using the "secret questions". As it turns out, the perpetrators knew all the right answers, because they were her ex-husband and his apparently-vindictive second wife.
They had unfettered access to her email account for over a year while they plotted this bit of nastiness. Such activity is a felony where we come from, but they moved out of the country before charges could be pressed.
Needless to say, my wife uses a bogus set of "secret" answers that even I don't know. Not that she's not trusting or anything... ;-)
Ask your doctor if getting up off your ass is right for you! -- Bill Maher
What do you mean "yet"?
I bet there are a LOT of preferences that could be deduced from the records on your grocery card.
The only good thing is that you do NOT always have to fill out the form. They'll take out a new card, swipe it, then give you a form to send in later. If you don't fill out the form, they don't care. They'll get that information if you ever use your credit card and that shopping card together. Some also let you enter your phone number instead, which once again ties things to your identity (unless you use a specific fake phone number...).
Of course, it's not hard to find loopholes here that still let you maintain some level of privacy. But you have to be careful.
Of course, if you want to be sneaky, keep that blank card unaffiliated with your identity, then offer to let someone else use your shopper card when they're paying by credit card. Should make things interesting.
Personally, I avoid getting the cards entirely if I can't save some privacy. I know that I pay more, but I'm not having my life entered into a database for a $1.25 discount. I'm convinced that people will find ways to systematically abuse this data in the future, and I don't want to find out how they will do that.
See How NOT to use 'secret questions' about the bad authentication design of an Australian government web site.
you had me at #!
I've always answered question1 with the answer to question2 in order to throw things off. I usually don't forget my passwords, so it never really mattered to me. However, in the last year or so, one of my credit cards' websites started asking me those questions even though I had entered my password... really pisses me off.
..that people might actually give an honest answer to questions like 'mothers maiden name?'
And what about 'first pet?' - I never had a PET as such, my first computer was a TRS80
I did have a C=64 which was a direct descendant of the Personal Electronic Transactor
Those questions are just prompts; you aren't expected to provide an answer that is correct, just the same as what you originally typed in.
And then they send you the NEW password to your Email address. If you used a SECURE email account in the first place, rather than a hotmail, yahoo, or gmail address, there should not be a problem.
In order to gain access to your Bank of America account over the phone, they ask some security questions to try to confirm that it's you. One of these questions is which branch you opened your account at. Unfortunately, when B of A bought the bank I opened my account at, they changed the record of where it was opened. So now, they expect me to provide a false answer to answer their question 'correctly'. I pointed out to them that if they expect me to lie to them here, there's no reason to expect me to tell the truth anywhere else. Nobody there seems to understand that the precedent it sets would destroy their trust relationship with customers, and I spoke to everyone up to the office of the President.
-------
I write political short stories at http://klurgsheld.wordpress.com/
Couldn't log in! I was trying to log in to the wrong username (who shared my name), and the guy's secret question was "lager?". Of course the answer was "yes". :/
That probably makes me guilty of all kinds of nasty shit by accident :P
3laws: No freebies, no backsies, GTFO.
And they're set to disable scripting.
Neither password reuse nor password reset questions are as bad as passwords that expire.
Seriously, everybody knows you pick one password then increment the number on the end. To make matters worse, companies will often shove network drives down your throat via the domain policy, that, once your password changes, lock you out of everything. Security through inconvenience of your authorized users. Great!
Question everything
http://www.ravenwhite.com/iforgotmypassword.html
Join up with some dodgy site and they harvest your mother's maiden name, pet's name, etc., then they use that info on a site you care about. It doesn't matter if the answers are bullshit, so long as they match.
Engineering is the art of compromise.
That the perception does not match reality is of lesser consequence for the site admin.
Engineering is the art of compromise.
I always use an answer which is memorable, but completely irrelevant to the question. For example:
QUESTION: What was the name of your first school teacher?
ANSWER: The Handle from a Power Mac G3.
Disclaimer: this is just something I made up off the top of my head. It's not in use. If you try to use it to steal my identity, you're bonkers.
Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.
I can remember using decent systems that allowed me not only to create a response, but also MY OWN CHALLENGE QUESTION. Even my bank allowed this. Is it foolproof? No. But it addresses the main point of the article. I used to hate the "what was your first car" question since I don't have a car, never have. And lets be honest, most slashdotters don't have friends. There have been plenty of great security articles on /. over the years not to mention book reviews. I don't need advice from a magazine for managers.
I took a look at the preferences site. I think that any one of my co-workers who is well acquainted with me could access it easily via those preference questions. My initial thought regarding this idea is that this is not a secure method of resetting a password that has been forgotten.
Joe Moyle
Two other related problems:
1) Browsers remembering passwords for you. Because of speed-dial, I don't know my girlfriend's cell number. Same concept applies. Everything works fine until you have to reinstall the OS then you're foosed.
2) Frequent mandatory password changes with strict requirements. Just how many random alpha-numeric sequences can the average person remember? Naturally people write these passwords down somewhere near their computer and voila: Password is next to useless. If someone breaks into the office, chances are good at least one of the employees has a password in their desk.
I never use the city of where I grew up or my mothers maiden name but something made-up or similar. For example, if I grew up in Minneapolis in my system I'd put Miniapple or something stupid that I could remember. Putting a city you wish you grew up in would work also. Something that is totally fake but that you will remember. For my mother's maiden name I use something similar to my grandmothers middle name. As I've been doing this consistently for years I feel relatively secure but unless I suddenly develop amnesia I can recover my forgotten passwords using this made up information. You could easily just say your mothers maiden name was "Banana" or something nonsensical so long as you used that all the time in order to remember you'd used it.
There are lots of good solutions to designing a sound Q&A-based authentication scheme. Here's a white paper that covers the field (warning: registration required):
http://tinyurl.com/6reduc
Password reset questions don't work for me because I refuse to give out the kind of personal information they ask for. If they force me to pick a password with so many restrictions that I can't pick one I'll remember, then if they want me to have access they'll just have to reset my password manually.
I often don't like the choices people make, but I like the fact that people make choices. That's why I'm a conservative.
http://penny-arcade.com/comic/2006/7/12/a-wider-perspective-on-flavor/
Many, however, are recorded in marketing databases :-p
...but my password is always ); DROP TABLE user_accounts;
The game.
I use this to generate passwords. Since one master password yields different outputs for each parameter (i.e. slashdot, hotmail) I'm confident I won't forget a password, so I'm safe typing gibberish into the question fields.
Support the FairTax
I've got a great work around.
In fields like "Mother's maiden name:", just enter "mothersmaidenname".
Not derivable from any of your public records, and nobody would ever guess it.
Try it.
Support the FairTax
That's the same combination on my luggage!
The days of the digital watch are numbered.
Some woman giving a 401K presentation at my work was talking about their website and how they have the question/answer fall back for when you forget your password. She said not to use a question with a simple, possibly well known answer like "What's your favorite color?" I piped up with my answer, "Fish!"
The point is, just because the question is constant, the answer doesn't have to be, it can basically be a second password.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Passwords were invented as a way for the user info to be secure. If everywhere something enforces that a password should be of n char length and it should have this many special chars and numbers, mostly users will come up with something that they know too well or are comfortable in remembering. If every site comes up with trying to enforce these password rules, either the user goes with one password everywhere that he logs into, or he doesn't have any other alternative other than writing it down somewhere, rather than committing this to memory. The point is, if he loses the device or slip or whatever, where he writes down all this info... what is he supposed to do? Create another user?? That seems absurd. The password strategy is something which has to be changed in time.
OR is it too late??? By the way things are moving, it seems it's too late.
I haven't seen very many of these lately, but some while ago there were a bunch of those online memes like "What's your pornstar name?", "What's your rapper name?", etc., where you put in stuff like the name of your first pet and the street you grew up on into a form to come up with the screen name you should use as a pornstar or something. On occasion there's some CGI code that produces a somewhat-randomized answer using your input as the seed. The intent is for you to cut-n-paste the sometimes-humorous answer into your LiveJournal or Facebook or MySpace for your friends to giggle at and possibly follow up with answers of their own.
Have you ever noticed that many of the questions those things ask you are the same things that websites use for "secret questions"?
I just fail to comprehend the point of these so-called secret questions. Semantics first: the questions are just not secret. It's the answers that are. Also, if someone has forgotten the password that they have been using, how in holy hell can they possibly remember what the 'secret' question was?? Also, people who are somewhat paranoid about security will almost always give some wrong answer to the question which they can be sure cannot be guessed by anybody who knows them. And there lies the problem. Passwords are used more frequently than these questions. So if a person has forgotten their password, they sure as hell can't remember what answer they had given. I think the time is ripe for a radical change in the way we authenticate to these machines.
(when they let you make up the question) is to set the question to "No password hint for you!" and then bang in random text for the answer.
repost of comment: 'passwords are bad use asymmetric keys' on Tuesday August 12, @08:07AM (#24566319)
the copy-paste, then the amendment:
The solution to authentication is something like the IronKey (a hardened USB drive for storing passwords) but with asymmetric crypto.
So you would go to Gmail, gmail would send a challenge that goes to the browser. A library on your browser would send the challenge to the USB device. The USB device would respond by signing the challenge asymmetrically, and that signature would route back through the browser to Gmail. Then you have 1 authenticated session until you destroy it. For sake of convenience imagine the implementation as using PGP -- public key, private key. Gmail has the public key, your USB device has the private key.
This is great since you could read your webmail on a friend's computer, or post Slashdot comments without leaving behind a persistent authentication token (barring a fake logout screen). Or there could be a keylogger on your home computer but it wouldn't be able to scrape persistent passwords and pass those on.
The only reason that humans don't use asymmetric security is that we're too stupid. Otherwise if we wanted high security we would be looking at screens of cyphertext and reversing the one-way function (a^b=c) in our heads. Given that we're too dumb, why not put our authenticator on a device that goes on a keychain with our other keys? (And you could make a backup just like with your other keys.)
[...]
-- amendment --
- no I'm not talking about a simple USB drive. That's why the IronKey is dumb since a rooted PC could mirror it.
- the usb device could have all sorts of fancy stuff like LED screen or PIN, i.e. it's not just a flashdrive as I said, it does public-private key crypto -- you can't read all its private data by plugging it in. the point is to get support for asymmetric authentication and allow the free market to provide the level of extra nuisance consumers want.
- 90% don't want this, which is good, happy for them, I'm part of the 10%. So the legacy symmetric password support wouldn't go away and the 10% who want asymmetric passwords on a hardened low complexity (complexity is the enemy of security -- that's why your PC is as leaky as a sieve) device would have that option.
- i like bullet points
- proof-of-concept on a smartphone might be helpful.
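The challenge-response sketched in the post above, written out as an added example (not code from the original comment, and not IronKey's or Gmail's): the device role holds an Ed25519 private key and signs only the origin it was told plus the server's nonce; the server keeps public keys and single-use, expiring nonces. Binding the signature to the origin, the nonce bookkeeping, the two-minute lifetime and all names are assumptions in the spirit of what the post describes; the signing and verification themselves are Go's standard crypto/ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

var (
	errUnknownChallenge = errors.New("challenge unknown, already used, or expired")
	errBadSignature     = errors.New("signature does not verify")
)

const challengeTTL = 2 * time.Minute // assumption

// token models the keychain device: it holds the private key and never
// exports it. It only ever signs "origin || nonce", so a signature made for
// one site cannot be replayed at another.
type token struct {
	priv ed25519.PrivateKey
}

func newToken() (*token, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &token{priv: priv}, pub, nil
}

// challengeMessage length-prefixes the origin so that origin and nonce cannot
// be re-split into a different pair that happens to produce the same bytes.
func challengeMessage(origin string, nonce []byte) []byte {
	msg := []byte{byte(len(origin))}
	msg = append(msg, origin...)
	return append(msg, nonce...)
}

// sign is what the browser library asks the device to do. The origin comes
// from the browser, which is why this belongs in the browser and not in a page.
func (t *token) sign(origin string, nonce []byte) []byte {
	return ed25519.Sign(t.priv, challengeMessage(origin, nonce))
}

// server models the web site: it stores only public keys and outstanding
// nonces, nothing that would let a database thief log in as a user.
type server struct {
	origin  string
	users   map[string]ed25519.PublicKey
	pending map[string]time.Time // hex(nonce) -> expiry; removed on first use
}

func newServer(origin string) *server {
	return &server{
		origin:  origin,
		users:   map[string]ed25519.PublicKey{},
		pending: map[string]time.Time{},
	}
}

func (s *server) enroll(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// issueChallenge hands out a fresh 256-bit nonce that is valid once, briefly.
func (s *server) issueChallenge(now time.Time) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = now.Add(challengeTTL)
	return nonce, nil
}

// verify consumes the nonce whether or not the signature is good, then checks
// the signature against the server's own origin, not whatever the client claims.
func (s *server) verify(user string, nonce, sig []byte, now time.Time) error {
	key := hex.EncodeToString(nonce)
	exp, ok := s.pending[key]
	delete(s.pending, key)
	if !ok || now.After(exp) {
		return errUnknownChallenge
	}
	pub, ok := s.users[user]
	if !ok || !ed25519.Verify(pub, challengeMessage(s.origin, nonce), sig) {
		return errBadSignature
	}
	return nil
}

func main() {
	dev, pub, err := newToken()
	if err != nil {
		panic(err)
	}
	srv := newServer("mail.example.com")
	srv.enroll("alice", pub)
	now := time.Now()

	nonce, _ := srv.issueChallenge(now)
	sig := dev.sign(srv.origin, nonce)
	fmt.Println("genuine login:     ", srv.verify("alice", nonce, sig, now))
	fmt.Println("replayed signature:", srv.verify("alice", nonce, sig, now))

	// A look-alike site relays the real server's nonce to the victim, whose
	// browser truthfully reports the look-alike origin to the device.
	nonce2, _ := srv.issueChallenge(now)
	phished := dev.sign("mail-example.com", nonce2)
	fmt.Println("phished signature: ", srv.verify("alice", nonce2, phished, now))
}
```

Because the signed message includes the origin, a look-alike site that relays the real server's nonce obtains a signature the real server will not accept, and because each nonce is consumed on first use, a signature captured by a keylogger on a borrowed PC is worthless a moment later. The device still trusts the browser to report the origin honestly, which is the one place a compromised client can still cheat.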
If you need text styles to communicate then you don't have a message.
It really helps if you're not being a 'clever' smartass-- references to the cultural canon like 'What is the Answer to Life, the Universe, and Everything' or 'To Be, or Not to Be' are going to be guessed by a passing hacker faster than 'Who was the last person to sleep with my mom?' (Answer: me).
Is your hometown, by any chance, Quahog RI?
The little guy died in 1982. I wonder how hard it would be to figure that one out, especially as he had a rather obscure foreign name and a four-digit number too. Yet another uninteresting story. Move on!
Beauty is in the beholder of the eye.
What a stupid summary. There's absolutely nothing wrong with password resetting. The problem is password security questions or password "hints" or whatever they're called. Whenever I encounter those, I pound on my keyboard until the text field's maximum length is reached, hoping that's sufficiently random and long enough to thwart any brute force or crib-based attacks. It's so bad sometimes that not only do sites require you enter this information, but they also have ridiculously asinine limits on maximum password length and question/answer length. It doesn't matter whether you choose a strong password, if that can be broken by something as insanely weak as an honest answer to one of the 'security questions' that you're provided with on most sites (though some sites let you specify a custom question). Whoever thought up that one was not the brightest crayon in the box, and has no business doing anything with security applications. They may have had the best of intentions, but took a lot of the ideas they've heard from the security field and applied them poorly, which is why you only let EXPERTS design security applications. This is a lot of theater and nothing more, and poor implementation is the classic amateur mistake.
These are the same people who put plain-text passwords in a database or text file and let you "retrieve" your password which they've conveniently stored, unaltered. Sometimes, if they want to feel really clever about themselves, they might upgrade to un-salted MD5. Yay. There needs to be an industry standard system for web applications, or whatever else, designed by someone who knows what they're doing. Don't roll your own security suite. You're most likely not smart enough, even if you think you are. I use Solar Designer's phpass for cryptographic hashing in my web applications, and he has several other good pieces of software that are relevant to the topic.
The process I use for password resets goes like this (starting from the very beginning):
1. user goes to the registration page for my website
2. the user is given guidelines on password strength, but these aren't enforced, because it's their own ass if their account gets compromised (though, if there were any risk to said compromise, then I would impose strengthening measures)
3. the user provides an e-mail address which must be legitimate (I'm not too keen on this myself, since it's none of my business what anyone's e-mail is, and sites requiring e-mail for registration are annoying, but, if you want any semblance of security, this is probably the way to go)
4. in the back end, the user's plain-text password is converted to salted MD5 or bcrypt (bcrypt for Linux; bcrypt is native to OpenBSD and Openwall Linux) through UNIX crypt()
5. the account is not activated until the user visits a link sent to their inbox, based on a cryptographically secure random confirmation ID (20 bits SHA1)
6. the user forgets his password
7. the user visits the password reset page on my website, inputs their e-mail, and clicks reset
8. a confirmation e-mail is sent to the address on file, complete with a link to a web page on my site with a secure cryptographically generated IP as a GET variable (20 bits SHA1); no password is generated until the link is clicked (or typed in, which I would prefer to clicking, and I don't render e-mail in HTML anyway)
9. once the link is visited, an alternate password is created using a secure, properly designed and developed cryptographically strong password generation library
10. upon logging in with the new, cryptographically strong password, the old password is deactivated and can no longer be used for logging in
That system is not infallible, but it doesn't require weakening the concept of a password-based system (when such a system is already, inherently, an absurdly flawed and very primitive idea).
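The reset flow in the post above, as an added example that is not the poster's code: a random reset token goes out in the e-mail link, only its SHA-256 is kept in the database, it expires, it works exactly once, and redeeming it replaces the stored credential so the forgotten password dies the moment the new one is set. Two things the post does not spell out are added: the request endpoint answers identically for unknown addresses (so it cannot be used to enumerate accounts), and comparisons run in constant time. Password storage uses a PBKDF2-HMAC-SHA256 written out by hand as a stand-in for the poster's bcrypt/crypt(); the 32-byte token, the 30-minute lifetime and the 100000-round work factor are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

const (
	tokenTTL  = 30 * time.Minute // assumed lifetime of a reset link
	kdfRounds = 100000           // assumed PBKDF2 work factor
)

var ErrBadToken = errors.New("invalid or expired reset token")

// Credential is all the database holds for a password: a random salt and a
// PBKDF2-HMAC-SHA256 digest, never the plain text.
type Credential struct{ Salt, Digest []byte }

type resetRecord struct {
	tokenHash [32]byte // SHA-256 of the token; the token itself is never stored
	expires   time.Time
}

type ResetService struct {
	accounts map[string]Credential
	pending  map[string]resetRecord
	now      func() time.Time // injectable clock
}

func NewResetService(now func() time.Time) *ResetService {
	return &ResetService{accounts: map[string]Credential{}, pending: map[string]resetRecord{}, now: now}
}

// pbkdf2SHA256 derives one 32-byte block (RFC 8018 with dkLen = 32); a stand-in
// for the bcrypt/crypt() call in the post.
func pbkdf2SHA256(password, salt []byte, rounds int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < rounds; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func newCredential(password string) (Credential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Credential{}, err
	}
	return Credential{Salt: salt, Digest: pbkdf2SHA256([]byte(password), salt, kdfRounds)}, nil
}

func (s *ResetService) Register(email, password string) error {
	cred, err := newCredential(password)
	if err != nil {
		return err
	}
	s.accounts[email] = cred
	return nil
}

// Login recomputes the digest and compares it in constant time.
func (s *ResetService) Login(email, password string) bool {
	cred, ok := s.accounts[email]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(pbkdf2SHA256([]byte(password), cred.Salt, kdfRounds), cred.Digest) == 1
}

// Request mints a 256-bit token for the e-mail link. Unknown addresses get the same
// empty, error-free result, so the endpoint does not reveal who has an account. The
// returned token stands in for the e-mail; a real handler never echoes it to the web client.
func (s *ResetService) Request(email string) (string, error) {
	if _, ok := s.accounts[email]; !ok {
		return "", nil
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw)
	s.pending[email] = resetRecord{tokenHash: sha256.Sum256([]byte(token)), expires: s.now().Add(tokenTTL)}
	return token, nil
}

// Redeem accepts a token once, within tokenTTL, and replaces the credential, so the
// forgotten password stops working the instant the new one is set.
func (s *ResetService) Redeem(email, token, newPassword string) error {
	rec, ok := s.pending[email]
	if !ok || s.now().After(rec.expires) {
		delete(s.pending, email)
		return ErrBadToken
	}
	got := sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(got[:], rec.tokenHash[:]) != 1 {
		return ErrBadToken
	}
	delete(s.pending, email) // single use
	cred, err := newCredential(newPassword)
	if err != nil {
		return err
	}
	s.accounts[email] = cred
	return nil
}

func main() {
	svc := NewResetService(time.Now)
	_ = svc.Register("alice@example.invalid", "hunter2")
	tok, _ := svc.Request("alice@example.invalid")
	fmt.Println(svc.Redeem("alice@example.invalid", tok, "correct horse"), svc.Login("alice@example.invalid", "hunter2"))
}
```

Hashing the token before storing it is what makes a read-only database leak harmless for pending resets: the attacker sees digests, not links they can click.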
They may ask your mother's maiden name and your favourite food, but your response to those questions doesn't have to actually be the answer to those questions!
Pete Boyd
And the scene at The Bridge of Death:
I would have a big problem with that...
For sites demanding such info, check the tip from Agile Networks, makers of 1Password. It can be done via other solutions, free or paid too.
(of course, I can't find the tip on their blog)
The idea was, if a site demands that the question be filled in, you auto-fill it with a random password generator. You can make the question an auto-generated password too.
For example:
Secret question: zal3ed2od6ja
Secret answer: yad5uth4yot4
So that stupid potential security breach becomes some sort of challenge/response additional security. Obviously you will need a form filler/extension, or it could become a major hassle if you lose it.
I hate stupid questions. I often fill the answer with some long, random crap and don't even try to remember it. I've rarely needed to use them anyway, and on some sites that get answers to those questions upon sign up, they don't even use them for password retrieval. In my experience, forgotten password forms generally just send you an email with your password without even asking the question.
By reading this signature, you hereby agree with the content of the above comment.
I lost my first Yahoo account like that...
I never managed to convince their support to give it back to me, while the profile still shows the url of the website I had back then.
The guy changed the question and some other details (zip, email?) and Yahoo kept asking for those details, not the original info... incompetent amateurs...
Before he changed the data I could take it back 1 time, but he took it back before I could do anything and changed everything... I had seen his email and mailed with him, he "collected" old accounts (with names that were not allowed anymore at that time, mine had an underscore) to use on Yahoo Games.
Now I try to use (and remember ;)) fake data for those questions...
Is this really news though? I mean, I've always been one to figure things out slowly, but even I realized when I signed up for my very first email account back when I was 14 that the answers to those questions were common knowledge to a rather large group of people. I've always used a variety of nonsense words for the answers (such as "tiggybup," or some other nonsense.)
The whole point of this method of password reset protection is that your preferences are not a matter of public record or in any databases. Here, at this link in the article intro (http://www.blue-moon-authentication.com/) the nice people at Blue Moon offer to let you PUT YOUR PREFERENCES IN A DATABASE!!! Gah!!! People! Don't be fooled! It's sneaky...
Here's a Google tech talk on this subject (given by this Dr. Markus Jakobsson guy): http://www.youtube.com/watch?v=pypFzJmgPhg
You don't think enough... therefore you better not be!
Bruce Schneier already covered this, first in a 2005-02-11 entry in his blog, and again in a 2008-04-04 essay for ComputerWeekly.
I am absolutely not trying to compare myself to Bruce, but I recognized the weakness of security questions prior to his writings, when I was using his freeware PasswordSafe in 1997. (I've since moved to Keypass... not fucking plaintext Post-it Notes, FFS).
Like Bruce, I've always filled these Q&A fields with 64+ printable ASCII characters via PasswordSafe's/KeyPass's integrated CS-PRNG, which I do not record. When I can provide the question, even better. Two crazy-ass-long fields for an attacker to guess.
It should be obvious, no? A constrained set of questions (2-4 bits of entropy), each with a correspondingly constrained set of answers... ("First make of CAR???" You gotta be fucking kidding me... Why not be done with it, and offer 2kB dictionary downloads for brute-force attackers right on the Lost Password form?) Compare these constraints to a proper, lengthy CS-PRNG alphanumeric pass[word|phrase]... No contest.
Thank you, Edward Snowden.
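The arithmetic behind the post above, and behind the earlier suggestion to fill both the question and the answer with generator output, as an added example that belongs to none of the posters. It puts a number on "a constrained set of questions, each with a constrained set of answers" versus "64+ printable ASCII characters", and it shows the one thing a generator has to get right: drawing each character uniformly from a CSPRNG rather than with a biased modulo. The 94-character alphabet (printable ASCII without the space) and the sample question/dictionary sizes are assumptions.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
)

// Printable ASCII minus the space character (94 symbols). Assumed here; shrink it
// to whatever a given site's answer field actually accepts.
const alphabet = "!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~"

// GuessableBits is the work an attacker faces when the site offers nQuestions
// fixed prompts and each honest answer comes from a dictionary of dictSize
// plausible values (car makes, pet names, high-school mascots).
func GuessableBits(nQuestions, dictSize int) float64 {
	return math.Log2(float64(nQuestions)) + math.Log2(float64(dictSize))
}

// RandomAnswerBits is the entropy of `length` characters drawn uniformly from alphabet.
func RandomAnswerBits(length int) float64 {
	return float64(length) * math.Log2(float64(len(alphabet)))
}

// RandomAnswer plays the password manager's CSPRNG role. rand.Int samples
// uniformly in [0, len(alphabet)), so there is no modulo bias towards the first
// few symbols, which `byte % len(alphabet)` would introduce.
func RandomAnswer(length int) (string, error) {
	out := make([]byte, length)
	limit := big.NewInt(int64(len(alphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[n.Int64()]
	}
	return string(out), nil
}

func main() {
	// Assumed sizes: four canned questions, a 500-entry dictionary of honest answers.
	fmt.Printf("honest answers: %.1f bits\n", GuessableBits(4, 500))
	fmt.Printf("64 random chars: %.1f bits\n", RandomAnswerBits(64))
	a, err := RandomAnswer(64)
	if err != nil {
		panic(err)
	}
	fmt.Println("sample answer:", a)
}
```

The gap is roughly 11 bits against roughly 420: the honest answer is guessable from a short list, while the generated one is out of reach of any brute-force effort. The same function generates the question text when the site lets you write your own, as the earlier post suggests.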
"Arguments from authority are worthless." —Carl Sagan
I really don't understand why anyone would use something like their actual mother's maiden name to reply to the question "What is your mother's maiden name". It would take all of 30 seconds to get that sort of information from tha intarweb. Personally I use things that are stupid but memorable to me. i.e.
Q: "What is your mothers maiden name ?"
A: "An Electric Owl"
Q: "What was the make of your first car ?"
A: "Triple Bad Blackstuff"
Of course the problem you then get is that when you have to talk to the uninterested, underpaid support staff at the bank, they sometimes can't cope...
Them: "but that's not a real name"
Me: "That's the whole point".
Them: "I don't understand ?"
Now try using dates in the future for your birthday etc. and watch their system fall in a heap.
Both the questions and answers used in these systems should both be settable by yourself.
Sky subscribers are morons. They pay to be advertised at!
The answers to most typical Security questions can be found in the internet.
For example, your mother's maiden name is a matter of public record, as is the place you went to high school, usually (most people advertise this on their Facebook page or elsewhere, anyway).
Security questions only make it easier for someone to steal your identity. The whole point is that they're supposed to be questions that only YOU know the answer to, but that is seldom the case. I just treat these as I do any other password and make them random strings of characters and symbols.. it's the only safe way to do it.
People do insecure things. There is nothing wrong with the questions as they are now. I have a verification question somewhere that asks where my mother was born. I don't remember that crap and I'm not going to call her every time I have to get into that account. So...I lied and answered it with something I would remember. Hell, if your account is BankFoo you could just answer all of the questions "BankFoo" and not have to worry about someone getting the real information or you having to remember what you put.
This seems like a fairly non-story.
The only change I can believe in is what I find in my couch cushions.
I realized this years ago, it seems like it should be common sense to me & I'm actually baffled that anyone actually enters information like that.
I never anticipated losing my password, so I always sign up for things with my REAL details and enter more random letters and numbers for the secret question than my password has in it.
Worst case scenario I have to call the place up and tell them the details I used to sign up with, sometimes I get lucky and can send a password reset email to myself.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
I don't know about anyone else but the answer to all of those questions is "Beer". Isn't it? Or is it "Free, as in Beer"?
While passwords-on-stickies is never a "good" idea, if you are fortunate enough to work in an environment where everyone is trustworthy and nobody snoops around looking for passwords and outsiders aren't allowed in the work area, then this isn't a problem.
If you have employees who aren't trustworthy, you've got a much bigger problem.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
As far as the bank (and most countries' laws) is concerned, when your account is accessed using the security checks (question/answers) you instructed them to accept, YOU DID IT. So you can claim all you want that someone hacked your account, but they've got solid reason to believe that you did something you've now come to regret. TS.
A bank is only interested in providing better security for online account access to the degree that it gets you to use the cheaper-for-the-bank online account tools instead of an expensive teller or ATM. That's why chip-and-pin solutions were deployed in the UK and Europe after slow Point-Of-Sale adoption by consumers there relative to the US (which still hasn't received them).
It's also why the Treasury Department upgraded online access controls (http://www.treasurydirect.gov/indiv/help/TDTutorial/tutorial.htm/) for the "TreasuryDirect" accounts (which cost the Treasury Department less to administer than their older "Legacy TreasuryDirect" accounts) after the initial deployment saw such low uptake/conversion rates.
I've conned many a friend and family member into thinking I had Jedi powers, back when Hotmail used to ask "What is your zipcode?" as an option to allow access to an account in the event of a lost pass.
I am Bennett Haselton! I am Bennett Haselton!
As we all know, any single password used across multiple sites is terribly insecure. In a way, that response, 'Judy Garland', is less secure; it may be counterintuitive to someone guessing your password, but once they have that key, they have all your keys.
Worse, arbitrary selections for your responses means that if you ever do change it for security reasons, you're not guaranteed to remember it. For this reason biometric or, as suggested in TFA, cognitive-metric information is useful because it's likely to be unique, hard to guess, varied and hard to 'forget'.
[Ego]out
This is perfect: after your users indicate their preferences/interests, you have a set of psychographic data linked to their login and online behavior and you can deliver targeted ads! Modern Metrix blog: mmx.typepad.com
A major financial regulator has a mainframe.
Its users forget their passwords.
To get a new one, they need to verify their identity with this type of lame data that anyone can find online, especially if the employee has a blog or a facebook page. Even references to the time someone started at a company are easy to find (look for blog posts that read "this month marked my 14th year with [regulatory agency]").
It's just stupid. They're waiting for a hack.
"If you can't trust your people you've got problems", said the network cracker.
Do you guys provide the real answers to these questions!? Sure, have a standard set, but make it up. For instance, I have a pet name, but no pet.
By googling his email I was able to determine which college he went to and worked at the radio station. He also had a facebook that listed his home town.
I attempted to log in to his email account (Yahoo!) and tried to do a password reminder. It asked me what his high school mascot was. There were only two high schools in his town and I made a guess. I was right.
I then had access to his account and all it took was a little googling and an educated guess. Password reminders are the devil. Luckily I was nice enough to do nothing with it.
said the network cracker's ex-boss as his just-terminated former employee was being escorted out of the building, in handcuffs.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
do people use their *actual mother's* maiden name for that stuff? it never crossed my mind that they might -- but of course computers know everything, and it won't *work* if you use a fake name. right?
The "What is your dream job?" question reminds me of a question asked by the lender of my student loans. There's something a little disturbing about someone that you owe vast sums of money to asking what your greatest fear is!
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
When answering the questions to authenticate yourself, they happen to go in a yes, no, yes, no... order. That's pretty dumb.
And if they've made such a silly decision like that straight out of the gate, I wonder where else they're making decisions that are RFD (really fucking dumb)?
Use something no other human could possibly know... Your penis size. :)
Store all your passwords/usernames/questions in an Excel file that is in an encrypted TrueCrypt [www.truecrypt.org] volume. Use Opera [www.opera.com] as your web browser and wand [ctrl+enter] (no typing) all passwords so keyloggers can't pick up answers/entries. And yes, TrueCrypt volumes have passwords, so don't forget it (the password to all your passwords). Most /.ers probably could figure out how to use TrueCrypt.
Here is one way to get a good password. Go to the library and find a book, copy one or more pages, use the words on that page/pages and change what you like or don't like, down to a single letter of difference from the original script, and change it once a week or something like that. Of course, once you tell your girlfriend or wife it's all over; it would be like cheating!
There's another issue I'm not seeing addressed here that is problematic with many sites: they ask too many personal questions, oftentimes for no good (legitimate) purpose (though perhaps not maliciously). Often they ask (at various points: registration, age verification, purchase, etc.) for your name, address w/zip code, age (birth date), mother's maiden name, etc. And if making a purchase they will then typically get credit card info, the 3-digit "security" number on the back, name as it appears on the card, possibly additional address(es) if billing and/or shipping addresses are different, phone numbers, possibly even enough to figure out where you work if the number can be reversed, and lots more. And the situation can be magnified / expanded if the site owner has multiple web sites that you frequent or belongs to some sort of merchant association (or hacker association) that shares the info amongst its "affiliates".
The very real concern is that through "routine operations", many (most?) sites collect enough information about you to quickly and fairly easily "become you", i.e. perpetrate an identity fraud. Many if not most of the questions and information requested via typical account registration and age verification are the fundamentals needed to establish an identity. The mother's maiden name is in many cases the icing on the cake. All they're missing is the social security number which many people either mistakenly use or freely (unwittingly) give out without realizing its potential security ramifications. (Although that specific danger is becoming more widely known and people are generally taking more precautions with their SSN's).
Then when you stop to realize that MANY retailers, including major card issuers and merchant processors, have been HACKED and ACCOUNT DATA STOLEN -- there have been reported cases of HUNDREDS OF MILLIONS of credit card records stolen -- what exactly gets stolen, just the card number? Not likely. Probably all the rest of that information the site has collected about you as well; they (the news reporters and press releases) just don't go out of their way to point that out. The most recent one that I recall was a few weeks ago, when the parent of TJMAXX (and all its various subsidiaries), Circuit City, etc. was hacked and reportedly lost over 40 million credit card account entries. And I seem to recollect that this was NOT the FIRST TIME this has ever happened to them -- my feeble neurons think they remember a previously reported event a year or two ago involving the SAME RETAILERS in which it was discovered they were using UNENCRYPTED WIFI to transport sensitive account and credit card data to centralized (in-store) collection points. And that it is (was) possible to simply drive up in the parking lot with a laptop and favorite Pringles-can antenna and pick off the data w/o hardly a thought towards getting caught. Card issuers thump their chests about all they're doing to prevent fraud and theft, and point out the consumer is off the hook for purchases over $50 bucks, yada yada yada -- but what they don't tell you is that they don't do shit if your INFORMATION is stolen and you are harmed via IDENTITY THEFT.
Then there's CAPTCHAS... I have read several articles (don't have a handy citation, try google) claiming that nefarious folks are gaming them too. By putting up seemingly innocuous sites, often "free porn/game/whatever" sites, and then making the people who use them answer a "security / CAPTCHA" question which is really a copy of some other site's (i.e., a site they have nefarious interest in) CAPTCHA images, or more recently just individual letters extracted from those images. That way they get free brainpower in solving them. They then use the answers to create databases of image/answers which they can use to further their nefarious goals.
You have forgotten your password, please check the following preferences.
Do you like porn? Like Dislike
Thank you... you have been uniquely identified
as a customer in our database your "pornacopia"
password has been sent.
Ross Youngblood