Slashdot Mirror


Password Resets Worse Than Reusing Old Password

narramissic writes "We all know well the perils of password reuse. But what about the information used to reset passwords? Many sites use a standard set of questions — your mother's maiden name, the name of your best friend, what city you grew up in, or what brand your first car was. And you probably have a standard set of responses, making them easy to remember but not very secure. 'The city you grew up in and your mother's maiden name can be derived from public records. Facebook might unwittingly tell the name of your best friend. And, until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car,' says security researcher Markus Jakobsson. But 'password reset does not have to be a weak link,' says Jakobsson. 'Psychologists know that people's preferences are stable — often more so than long term memory. And very few preferences are recorded in public databases.'"

8 of 420 comments

  1. Re:I NEVER use these fields by ednopantz · · Score: 2, Informative

    How do you keep track of all the different passwords of all the different websites which you sign into?

    Use KeePass or another key storage system.

    Now, if it had an automagical Firefox plugin that would let me create a strong password for a site and store it in my key database, that would rock.

  2. American Express... by roc97007 · · Score: 4, Informative

    ...wouldn't activate my card until I created a pin. They wanted me to use the month and day of my mother's birthday. I tried random digits, but -- fer chrissake -- the menu system would only take digits that were valid dates.

    Yeah, that's what I want to use for a card with no spending limit, a datum easily discovered through public records.

    I finally got hold of a real person, and he insisted I use my mother's birthday. I insisted that I would not. He finally had to get permission from a supervisor for me to use a random four digit string.

    I understand, insisting on an easily remembered string probably reduces the number of support calls to reset pins, but at what cost?

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.

  3. Lie by John+Hasler · · Score: 4, Informative

    > The city you grew up in and your mother's maiden name can be derived from public records.

    I grew up in Wei9Iequ. My mother's maiden name was ga4EeliY.

    Or, if you insist on something easier to remember, make it Tanelorn and Gloriana.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.

  4. Alastair Rankine posted an excellent analysis by toby · · Score: 3, Informative

    See How NOT to use 'secret questions' about the bad authentication design of an Australian government web site.

    --
    you had me at #!

  5. Yes, my preferences are stable by tauntalum · · Score: 2, Informative

    And they're set to disable scripting.

  6. The company's statement and original article by mothrsuperior · · Score: 2, Informative
  7. hashapass.com by robonasty · · Score: 3, Informative

    I use this to generate passwords. Since one master password yields different outputs for each parameter (e.g. slashdot, hotmail) I'm confident I won't forget a password, so I'm safe typing gibberish into the question fields.
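    The idea in the comment above, as an added example that is not hashapass.com's own algorithm or code: one master secret, run through a keyed hash with the site and question as the label, yields an unrelated "secret answer" per site. The master secret and site names are constructed for the demo; the output is lowercased and limited to letters and digits on the assumption that many answer fields case-fold or reject symbols.

```python
import base64
import hashlib
import hmac

# Constructed demo secret. A real master secret is a long passphrase that
# lives only in the user's head or in a password manager.
MASTER_SECRET = "correct horse battery staple"


def derive_answer(master: str, site: str, question: str, length: int = 12) -> str:
    """Derive a per-site, per-question reset answer from one master secret.

    HMAC-SHA256 keyed with the master secret means the answers for two
    sites are computationally unrelated: an answer leaked or phished from
    one site tells an attacker nothing about another, and nothing in the
    answer can be looked up in public records or on a social network.
    Site and question are normalised so "Slashdot" and " slashdot " agree.
    """
    label = f"{site.strip().lower()}|{question.strip().lower()}"
    digest = hmac.new(master.encode(), label.encode(), hashlib.sha256).digest()
    # base32 yields only A-Z and 2-7; strip padding and lowercase so the
    # answer survives case-folding and character restrictions in the form.
    encoded = base64.b32encode(digest).decode().rstrip("=").lower()
    return encoded[:length]


def answers_are_distinct(master: str, question: str, sites: list[str]) -> bool:
    """True when every site gets a different answer for the same question."""
    answers = {derive_answer(master, site, question) for site in sites}
    return len(answers) == len(sites)


if __name__ == "__main__":
    for site in ("slashdot", "hotmail"):
        print(site, derive_answer(MASTER_SECRET, site, "mother's maiden name"))
```

    Each answer has 12 base32 characters, roughly 60 bits, far beyond what the guess-from-public-records attack in the summary can cover.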

  8. Roll Your Own Questions by Bieeanda · · Score: 2, Informative

    The bank I deal with skips the easily-guessed questions and lets you set your own. On that site, and the sadly few others I've encountered that do the same, I either note in the question that the answer is case sensitive, or remember to put the original answer in lowercase.

    It really helps if you're not being a 'clever' smartass-- references to the cultural canon like 'What is the Answer to Life, the Universe, and Everything' or 'To Be, or Not to Be' are going to be guessed by a passing hacker faster than 'Who was the last person to sleep with my mom?' (Answer: me).