Password Resets Worse Than Reusing Old Password
narramissic writes "We all know well the perils of password reuse. But what about the information used to reset passwords? Many sites use a standard set of questions — your mother's maiden name, the name of your best friend, what city you grew up in, or what brand your first car was. And you probably have a standard set of responses, making them easy to remember but not very secure. 'The city you grew up in and your mother's maiden name can be derived from public records. Facebook might unwittingly tell the name of your best friend. And, until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car,' says security researcher Markus Jakobsson. But 'password reset does not have to be a weak link,' says Jakobsson. 'Psychologists know that people's preferences are stable — often more so than long term memory. And very few preferences are recorded in public databases.'"
Yeah, that's what I want to use for a card with no spending limit, a datum easily discovered through public records.
I finally got hold of a real person, and he insisted I use my mother's birthday. I insisted that I would not. He finally had to get permission from a supervisor for me to use a random four digit string.
I understand, insisting on an easily remembered string probably reduces the number of support calls to reset PINs, but at what cost?
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
> The city you grew up in and your mother's maiden name can be derived from public records.
I grew up in Wei9Iequ. My mother's maiden name was ga4EeliY.
Or, if you insist on something easier to remember, make it Tanelorn and Gloriana.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
See How NOT to use 'secret questions' about the bad authentication design of an Australian government web site.
you had me at #!
I use this to generate passwords. Since one master password yields different outputs for each parameter (i.e. slashdot, hotmail) I'm confident I won't forget a password, so I'm safe typing gibberish into the question fields.
Support the FairTax
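The scheme that comment describes, written out as an added example (this is not the commenter's tool or any existing project): one master secret is stretched with PBKDF2, then expanded with HMAC-SHA256 under a site name and question label, so every site and every question gets its own random-looking answer without anything to remember but the master. The salt string, iteration count, alphabet and `derive_answer` name are my choices, not something from the thread.

```python
import hashlib
import hmac
import string

# Output alphabet: 62 symbols, so rejection sampling below keeps it unbiased.
ALPHABET = string.ascii_letters + string.digits
SALT = b"reset-answer-v1"      # constant salt: output must be reproducible
ITERATIONS = 200_000           # stretching cost if the master is ever guessed at


def _length_prefixed(s: str) -> bytes:
    """Length-prefix a field so (site="ab", q="c") != (site="a", q="bc")."""
    b = s.strip().lower().encode("utf-8")
    return len(b).to_bytes(2, "big") + b


def derive_answer(master: str, site: str, question: str, length: int = 16) -> str:
    """Deterministic per-site, per-question 'secret answer' from one master secret.

    Normalising site and question to lowercase means a later retype of
    'Slashdot' versus 'slashdot' still yields the same answer.
    """
    if length < 8:
        raise ValueError("fewer than 8 characters gives too little entropy")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), SALT, ITERATIONS)
    msg = _length_prefixed(site) + _length_prefixed(question)
    out = []
    counter = 0
    while len(out) < length:
        # HMAC over the labelled message plus a block counter: as many bytes as needed.
        block = hmac.new(key, msg + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for byte in block:
            # 248 = 4 * 62: bytes 248..255 are rejected so no symbol is favoured.
            if byte < 248:
                out.append(ALPHABET[byte % len(ALPHABET)])
                if len(out) == length:
                    break
        counter += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for site, q in [("slashdot", "mother's maiden name"), ("hotmail", "first car")]:
        print(site, q, "->", derive_answer("correct horse battery staple", site, q))
```

Note that everything now rests on the master secret: a weak master, or one reused as an ordinary login password, turns every "secret answer" into one guess.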