Password Resets Worse Than Reusing Old password
narramissic writes "We all know well the perils of password reuse. But what about the information used to reset passwords? Many sites use a standard set of questions — your mother's maiden name, the name of your best friend, what city you grew up in, or what brand your first car was. And you probably have a standard set of responses, making them easy to remember but not very secure. 'The city you grew up in and your mother's maiden name can be derived from public records. Facebook might unwittingly tell the name of your best friend. And, until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car,' says security researcher Markus Jakobsson. But 'password reset does not have to be a weak link,' says Jakobsson. 'Psychologists know that people's preferences are stable — often more so than long term memory. And very few preferences are recorded in public databases.'"
Even worse is that some of those systems are freakin' picky too.
You may know the answer. But it may be case sensitive, and fairly picky. "What's your favorite food?" Is it Curry, curry, curry chicken, Curry Chicken, chicken, Chicken?
I got locked out of my bank account because of that BS once (it wasn't a password reset though, it was a 2-step authentication, so it asked that on TOP of the password).
Just a question: How do you keep track of all the different passwords of all the different websites which you sign into?
Its = possessive. It's = "it is"
I was surprised recently when my bank asked for all this type of information (i.e. childhood friend, first school), but didn't have me confirm a single field. There was just a single text field for each question. God help me if I fat-fingered one of the answers. Was my first school All City Elementary...or All City Elemntary? OH CARP!
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
Is this really that much of a security issue? The new password is sent to your registered e-mail address, and only if you log in with the new password will your old password be changed. Otherwise, your password remains unchanged. So, unless the e-mail is sniffed in transit, or your e-mail account has been hacked, this shouldn't be an issue.
The only set of questions that are any good are the set that you can make up yourself. At my bank, they ask what the drill instructor's name was if I was in the military... how the hell do I know, all I remember is 'fuckhead'.
They never tell you whether spaces count or not. I would like a password reset that involved two network methods: Okay, I change it, but it doesn't count until I send a text message from my phone too, or something like that. Verification via email is good, but off-net authentication would be better. I wouldn't even mind that kind of authentication for access on a regular basis, say if my account is accessed by a PC that either does not have a cookie already or that is not normally used to access my account. Picture or background validation is also good against phishing, but let me upload my own pic? Please? No matter how random I make the pic, it will always be something I know, and can update regularly. I mean, what's better than a simple text graphic for a background that simply says "fuck W" or some other phrase you will remember?
Security could be much simpler than it is, much better than it is. There seems to be no inspiration to implement it. That second network usage is invaluable. Give me a screen to pick one of several options (configured in preferences) such as cell, landline, SMS message, pager etc. I pick (and provide phone number) and you send the one-time authentication code that is in addition to my normal login credentials. It's easy really.
The same authentication security can be used for password resets. Send a temp password to pre-authorized off-net device or address, or let me set the new temp password via telephone etc. It really isn't that difficult.
Support NYCountryLawyer RIAA vs People
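The off-net one-time code described in the post above, worked as an added example (not code from the original thread). The store is a hypothetical in-memory dict; a real deployment would persist it per account. The server keeps only a hash of the code, enforces an expiry and a guess limit, and burns the code after one successful use:

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600      # code valid for 10 minutes
MAX_ATTEMPTS = 5            # lock the code after this many wrong guesses

# Hypothetical in-memory store: account -> pending reset record.
_pending = {}


def _digest(code: str) -> str:
    # Store only a hash so a leaked store does not reveal live codes.
    return hashlib.sha256(code.encode()).hexdigest()


def issue_reset_code(account: str, now: float = None) -> str:
    """Create a single-use numeric code to deliver out of band (SMS, voice,
    pager, as the post suggests). Returns the code so the caller can hand it
    to the delivery channel; the server keeps only its hash."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**8):08d}"   # 8 digits from a CSPRNG
    _pending[account] = {
        "digest": _digest(code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_reset_code(account: str, submitted: str, now: float = None) -> bool:
    """True only for the correct, unexpired, not-yet-used code. Every wrong
    guess burns an attempt; success or lockout invalidates the code so it
    cannot be replayed."""
    now = time.time() if now is None else now
    rec = _pending.get(account)
    if rec is None:
        return False
    if now > rec["expires"]:
        del _pending[account]
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(rec["digest"], _digest(submitted))
    if ok or rec["attempts"] >= MAX_ATTEMPTS:
        del _pending[account]          # single use, or locked out
    return ok
```

The code is only issued after the normal credential check has passed, so it is the "in addition to my normal login credentials" factor the post asks for, not a replacement for it.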
I had to be clubbed on the head to realize this obvious universal truth:
The answer to your "secret question" doesn't have to have anything to do with the stated question.
I got upset at my bank because they only had four questions they'd let me use. Oldest sibling's name. (only child?) First pet. (which one?) Town you grew up in? (which one?) favorite color (don't have one). The really crazy part is these were ALL questions. The bank will randomly challenge me with one of those questions.
After yet another challenge lockout, the rep kindly informed me to just treat the secret questions just like another password field, and put in whatever else you'd like for another password. I could even use the same answer for all the questions.
D'oh. That's easier and simpler than it looks.
It gets better. The "random" nature of the challenges was bugging me. The rep then said, "Do you want to just make it ALWAYS challenge you?" Do it! Much better. I need consistency more than the random chance that things are simpler. It always sends me looking for my password list when I miss a forum or something I normally visit daily for a few days and it logs me out. Having to enter the password for something every time you use it, and having to use it frequently, is much better for memorizing these things.
I work for the Department of Redundancy Department.
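Two complaints in this thread have the same fix on the server side: the earlier post about answers being rejected over case and spacing, and the rep's advice above to treat a "secret question" as just another password. An added example (not code from the original thread; the record format is hypothetical) that normalizes the harmless variations before hashing, then stores and checks the answer exactly like a password, salted and stretched:

```python
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 200_000   # stretch the answer like a password


def normalize_answer(answer: str) -> str:
    """Fold the variations the thread complains about: letter case, stray
    or doubled spaces, and a trailing period. 'Curry Chicken ' and
    'curry  chicken.' become the same string; 'chicken' does not."""
    text = answer.casefold().strip()
    text = re.sub(r"\s+", " ", text)
    return text.rstrip(".")


def enroll_answer(answer: str) -> dict:
    """Store a security answer the way a password is stored: normalized,
    salted with fresh random bytes, and run through PBKDF2-HMAC-SHA256.
    The plaintext answer is never kept, so a leaked table does not hand
    out "mother's maiden name" style facts."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode(), salt, PBKDF2_ROUNDS
    )
    return {"salt": salt, "digest": digest}


def check_answer(record: dict, submitted: str) -> bool:
    """Constant-time comparison of the stretched, normalized submission."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(submitted).encode(), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(record["digest"], digest)
```

Because the answer is opaque to the server, "Judy Garland" works just as well for "What city did you grow up in?" as a real city, which is the point the later posts make.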
I would think it would be easier to find out my preferences from looking at my Facebook page than it would be to determine my mother's maiden name, best friend's name or what my first car was - you won't find any of that information spelled out clearly on facebook, but you would be able to look at my "Interests" to see what type of music, tv or foods I liked or view my pictures and see plenty of photos of me in art galleries and raves, but none at sporting events, for example.
Plus, as everyone knows, a multiple choice test is much easier to pass by answering randomly than a something where you have to fill in the blanks.
The opinions in this post are fictitious. Any similarity to actual opinions, real or imagined, is purely coincidental.
My wife's business website was routed to a porn site for three days a couple years ago. They transferred the domain from her account to their own account with another registrar, and pointed it to their own DNS servers.
They accessed her account by, you guessed it, compromising her primary email account using the "secret questions". As it turns out, the perpetrators knew all the right answers, because they were her ex-husband and his apparently-vindictive second wife.
They had unfettered access to her email account for over a year while they plotted this bit of nastiness. Such activity is a felony where we come from, but they moved out of the country before charges could be pressed.
Needless to say, my wife uses a bogus set of "secret" answers that even I don't know. Not that she's not trusting or anything... ;-)
Ask your doctor if getting up off your ass is right for you! -- Bill Maher
I use them all the time. And I fill them out with information of a fictional character.
Say, I'll put my name as Bilbo Baggains (actually using Brado Bompkins or something similar) and my hometown as "The Shire" and "bacon" as my favorite food. This lets me use unique information and track it. So if a site emails me and says "Hey Bilbo, you just won a new car!" I can tell you who exactly sold my email address.
-- Political fascism requires a Fuhrer.
Neither password reuse nor password reset questions are as bad as passwords that expire.
Seriously, everybody knows you pick one password then increment the number on the end. To make matters worse, companies will often shove network drives down your throat via the domain policy, that, once your password changes, lock you out of everything. Security through inconvenience of your authorized users. Great!
Question everything
You can use throwaway or unassociated voice mail services like http://www.voicenation.com/ if you wanted, or a phone at the library if needed, etc. The point is that being able to use POTS lines is important for many people still, and it is off-net. I agree with your sentiment though.
Actually, now that I think about it, there's no reason that there has to be any logical or rational connection between the question and answer, just as long as you remember what it is. I mean, is anybody at your bank going to complain if your answer to the question, "What city did you grow up in?" is, "Judy Garland," and if so, why?
Dang. Busted.
This is one of my fave tricks. I have a standard set of answers to match those questions, and as you indicated, they have NOTHING to do with the question. Simple, basic, and with multiple possible answers per question, I just try the first, then second if the first doesn't work, etc....
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
My SO entered bogus info when she signed up for a Yahoo email account many years ago. She never deleted anything from it and had literally thousands of messages in it, some unread, some with financial info, and some with enormous sentimental value (such as email and voicemail from her late brother).
All well and good until the website timed out when she went to change the password. Suddenly neither the new password nor the old one would work. The only way Yahoo would let her back into her account was if she could answer some of the info she filled in with junk many moons before. She still has no recourse to get back in six months later.
It's all well and good to be paranoid and enter bogus info when you sign up for a free website, but you might want to consider that if you don't store a record of it, you might get locked out of your own account forever.