Password Resets Worse Than Reusing Old Password

narramissic writes "We all know well the perils of password reuse. But what about the information used to reset passwords? Many sites use a standard set of questions — your mother's maiden name, the name of your best friend, what city you grew up in, or what brand your first car was. And you probably have a standard set of responses, making them easy to remember but not very secure. 'The city you grew up in and your mother's maiden name can be derived from public records. Facebook might unwittingly tell the name of your best friend. And, until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car,' says security researcher Markus Jakobsson. But 'password reset does not have to be a weak link,' says Jakobsson. 'Psychologists know that people's preferences are stable — often more so than long term memory. And very few preferences are recorded in public databases.'"

6 of 420 comments

  1. Even worse... by Shados · Score: 5, Interesting

    Even worse is that some of those systems are freaking picky too.

    You may know the answer. But it may be case sensitive, and fairly picky. "What's your favorite food?" Is it Curry, curry, curry chicken, Curry Chicken, chicken, Chicken?

    I got locked out of my bank account because of that BS once (it wasn't a password reset though, it was a 2-step authentication, so it asked that on TOP of the password).

  2. Re:I NEVER use these fields by strabes · Score: 4, Interesting

    Just a question: How do you keep track of all the different passwords of all the different websites which you sign into?

    --
    Its = possessive. It's = "it is"

  3. Oh, and make sure you don't confirm by Itninja · Score: 5, Interesting

    I was surprised recently when my bank asked for all this type of information (i.e. childhood friend, first school), but didn't have me confirm a single field. There was just a single text field for each question. God help me if I fat-fingered one of the answers. Was my first school All City Elementary...or All City Elemntary? OH CARP!

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.

  4. Re:Are there any good solutions? by zappepcs · Score: 4, Interesting

    The only set of questions that are any good are the set that you can make up yourself. At my bank, they ask what the drill instructor's name was if I was in the military... how the hell do I know, all I remember is 'fuckhead'.

    They never tell you whether spaces count or not. I would like a password reset that involved two network methods: Okay, I change it, but it doesn't count until I send a text message from my phone too, or something like that. Verification via email is good, but off-net authentication would be better. I wouldn't even mind that kind of authentication for access on a regular basis, say if my account is accessed by a PC that either does not have a cookie already or that is not used normally to access my account. Picture or background validation is also good against phishing, but let me upload my own pic? Please? No matter how random I make the pic, it will always be something I know, and can update regularly. I mean, what's better than a simple text graphic for background that simply says "fuck W" or some other phrase you will remember?

    Security could be much simpler than it is, much better than it is. There seems to be no inspiration to implement it. That second network usage is invaluable. Give me a screen to pick one of several options (configured in preferences) such as cell, landline, SMS message, pager etc. I pick (and provide phone number) and you send the one-time authentication code that is in addition to my normal login credentials. It's easy really.

    The same authentication security can be used for password resets. Send a temp password to a pre-authorized off-net device or address, or let me set the new temp password via telephone etc. It really isn't that difficult.

  5. very easy fix for this by v1 · Score: 4, Interesting

    I had to be clubbed on the head to realize this obvious universal truth:

    The answer to your "secret question" doesn't have to have anything to do with the stated question.

    I got upset at my bank because they only had four questions they'd let me use. Oldest sibling's name (only child?). First pet (which one?). Town you grew up in (which one?). Favorite color (don't have one). The really crazy part is these were ALL the questions. The bank will randomly challenge me with one of those questions.

    After yet another challenge lockout, the rep kindly informed me to just treat the secret questions just like another password field, and put in whatever else you'd like for another password. I could even use the same answer for all the questions.

    D'oh. That's easier and simpler than it looks.

    It gets better. The "random" nature of the challenges was bugging me. The rep then said: do you want to just make it ALWAYS challenge you? Do it! Much better. I need consistency more than the random chance that things are simpler. It always sends me looking for my password list when a forum or something I normally visit daily I miss for a few days and it logs me out. Having to enter the password for something every time you use it, and having to use it frequently, is much better for memorizing these things.

    --
    I work for the Department of Redundancy Department.
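
    Three of the comments above point at the same design: Shados wants answers that are not defeated by capitalisation or spacing, v1's bank rep says to treat the "secret answer" as just another password, and zappepcs wants the reset to additionally require a one-time code sent out of band. The following is an added example (not code from Slashdot or from any commenter's bank) that puts those pieces together: answers are normalised, then salted and hashed like passwords, and a reset only completes when both the answer and a short-lived, single-use code delivered via an assumed `send_code` callback check out. The 10-minute code lifetime is an assumed policy.

    ```python
    import hashlib
    import hmac
    import os
    import secrets
    import time
    import unicodedata
    from typing import Callable, Optional, Tuple

    def normalize_answer(answer: str) -> str:
        """Fold case and collapse whitespace so "Curry  Chicken" == "curry chicken"."""
        folded = unicodedata.normalize("NFKC", answer).casefold()
        return " ".join(folded.split())

    def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
        """Salted PBKDF2 over the normalised answer; only (salt, digest) is stored."""
        salt = salt or os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, 200_000)
        return salt, digest

    def check_answer(answer: str, salt: bytes, stored: bytes) -> bool:
        """Constant-time comparison against the stored digest."""
        return hmac.compare_digest(hash_answer(answer, salt)[1], stored)

    class ResetFlow:
        """Reset succeeds only if the answer check AND the out-of-band code both pass."""
        TTL = 600  # seconds the one-time code stays valid (assumed policy)

        def __init__(self, salt: bytes, stored: bytes, send_code: Callable[[str], None]):
            self.salt, self.stored, self.send_code = salt, stored, send_code
            self.pending = None  # (code, expiry) while a reset is in progress

        def begin(self, answer: str, now: Optional[float] = None) -> bool:
            now = time.time() if now is None else now
            if not check_answer(answer, self.salt, self.stored):
                return False
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending = (code, now + self.TTL)
            self.send_code(code)  # e.g. SMS to the pre-registered phone (assumed channel)
            return True

        def finish(self, code: str, now: Optional[float] = None) -> bool:
            now = time.time() if now is None else now
            if self.pending is None:
                return False
            expected, expiry = self.pending
            self.pending = None  # single use: any attempt, right or wrong, consumes it
            return now <= expiry and hmac.compare_digest(code, expected)
    ```
    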

  6. Not just your email, either... by EWillieL · Score: 5, Interesting

    My wife's business website was routed to a porn site for three days a couple of years ago. They transferred the domain from her account to their own account with another registrar, and pointed it to their own DNS servers.

    They accessed her account by, you guessed it, compromising her primary email account using the "secret questions". As it turns out, the perpetrators knew all the right answers, because they were her ex-husband and his apparently-vindictive second wife.

    They had unfettered access to her email account for over a year while they plotted this bit of nastiness. Such activity is a felony where we come from, but they moved out of the country before charges could be pressed.

    Needless to say, my wife uses a bogus set of "secret" answers that even I don't know. Not that she's not trusting or anything... ;-)

    --
    Ask your doctor if getting up off your ass is right for you! -- Bill Maher