Password Resets Worse Than Reusing Old Password
narramissic writes "We all know well the perils of password reuse. But what about the information used to reset passwords? Many sites use a standard set of questions — your mother's maiden name, the name of your best friend, what city you grew up in, or what brand your first car was. And you probably have a standard set of responses, making them easy to remember but not very secure. 'The city you grew up in and your mother's maiden name can be derived from public records. Facebook might unwittingly tell the name of your best friend. And, until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car,' says security researcher Markus Jakobsson. But 'password reset does not have to be a weak link,' says Jakobsson. 'Psychologists know that people's preferences are stable — often more so than long term memory. And very few preferences are recorded in public databases.'"
'The city you grew up in and your mother's maiden name can be derived from public records.'
I don't know if you can find the city that you grew up in in public records, but I know that in Minnesota I can get anybody's name, date of birth, place of birth, mother's maiden name, and father's name with just a few clicks on the 'puter (for free).
Many folks put other personal details on their blogs or other places online, and it doesn't take much to find quite a bit about their personal lives. Add to that just a touch of social engineering and you can get a bunch of data about your target.
Even if the questions are secure, many times the mode of delivery/reminder is not. I don't know how many times I have had to reset or renew a password by answering all those stupid questions on a secure web page, just to have them resend the password in free text to my Yahoo account. These aren't important sites to me, but I still wouldn't want anybody snatching this data.
This preference method has flaws too. I change my preferences often. So while it may have some good points, it looks rather like a marketing gimmick to me. How long would it take for your likes and dislikes to be sold to the spammers?
Even worse is that some of those systems are freakin' picky too.
You may know the answer. But it may be case sensitive, and fairly picky. "What's your favorite food?" Is it Curry, curry, curry chicken, Curry Chicken, chicken, Chicken?
I got locked out of my bank account because of that BS once (it wasn't a password reset though, it was a 2 step authentication, so it asked that on TOP of the password)
Fooled them. My first car was a Chevy!
Bridgekeeper: Stop. What is your name?
Galahad: Sir Galahad of Camelot.
Bridgekeeper: What is your quest?
Galahad: I seek the Grail.
Bridgekeeper: What is your favourite colour?
Galahad: Blue. No, yel...
I am the richest astronaut ever to win the superbowl.
I just use the current month and then the year.
For every web site that asks for a password I randomly generate one.
If they have the audacity to ask for personal information, I randomly generate that data too. What frustrates me is that now I have to store a series of name-value pairs - because some of these web sites insist on randomly asking me to confirm my identity on occasion with these profile questions.
What frustrates me even more is that most people are stupid enough to give random / anonymous web sites such personal info.. What if one of the questions was 'what is your VIN? What's your SSN'??? Would people ignorantly post that data too??
If the website requires a credit card, use this information for credentialling. If it's a community web site, use email responses - if the email is hijacked, the owner should be able to see the flood of change-password emails. I never understood the value-add of such personal-info bio-metric questions.
My bank uses a PIN in addition to the login. This actually makes sense to me - as PINs are generally easier to remember than my 10-digit random char-lists, but moreover it's at least honest about the purpose of these extra fields - and doesn't dupe people into leaving their pants down when the DB gets hacked one day.
-Michael
Especially for those who have their mother's maiden name as either a middle name or part of a hyphenated last name.
One man's -1 Flamebait is another man's +5 Funny.
I recently bought a domain+hosting space from a well known site, one that I don't ever recall buying domains from in the past (even searched through years worth of emails - nothing), and when signing up for a new account I was unexpectedly greeted with "that email address is already in use".
So I went to the password retrieval page, entered my email address, and it asked me the stupidest hint question (for me) ever: "What was the make of your first car?" It didn't make sense at all because I still haven't bought my first car!
To do something right, you often have to roll up your sleeves and get busy.
My mother's maiden name was 12345
Many websites allow you to use your own question, rather than a preset one. "What is the movie you'd most relate to your high school career?"
"What was the name of craziest teacher you had?"
Better yet, "On Tuesday mornings, which newspaper did you always use to cut out little robot people?"
It's pretty hard for a virus to read what's beneath the desk. Not impossible if the virus can control your employer's security cameras, but difficult.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
...you insensitive clod?
Just lie on these questions! Put in answers you would know, but aren't factually correct.. =)
Simple solution..
-Myke
These things are generally used for very low-security applications. My bank doesn't use them, stock trading sites don't use them, etc. And in many cases it would still be hard for a bad guy to take over your account this way. For instance, they may send you an email every time the password recovery feature is used on your account. A well designed site won't actually let you recover your old password, it will generate a link with a hash code in it that allows you to pick a new one; so the bad guy can't find out what your password used to be (which would be especially scary if you were in the habit of using the same password for lots of things), and if it's an account that you use frequently, you'll also find out quickly that something is wrong, because your password will no longer work. And I would guess they also have a limited number of times you can guess your dog's name wrong. But okay, suppose someone manages to get access to my amazon.com account this way. Is it really that horrible? I suppose they can set up a new shipping address, order some CDs, and have them sent there. So I just turn around and call my credit card company, and they reverse all the charges.
The typical slashdot user is really into using high-tech toys in sophisticated ways, but for the average person there really are severe usability issues with maintaining login and password combos, and these "what was your first pet's name" questions are a not entirely unreasonable attempt to make things easier for that type of user. My mother in law visited us recently for a few weeks. She's had a history of dysfunctional relationships with her Windows machines (viruses, etc.), so I got her started on Linux. Her main application is that she plays an online scrabble game (not the famous facebook one). She'd been unable to use her virus-infested computer for a long time, so it had been a long time since she'd been able to play scrabble. I got her set up on a spare linux box in the family room, and the very first thing she wanted to do was get scrabble working. Well, she just couldn't remember her username and password for this server. Tried a bunch of things, no luck. She was bummed out, too, because she'd had a high rating, and creating a new account with a zero rating meant it would be hard for her to get games. It would have been a lot better, from her point of view, if she'd been able to tell them her dog's name and recover her password. Who the heck cares if it leaves her vulnerable to having her scrabble account taken over by evil Russian hackers with handlebar moustaches?
All of this might seem ridiculously easy to handle to us, but I could easily imagine myself having the same problem 10-15 years ago. It's not obvious to her how her email is nested inside her yahoo account, her yahoo account is inside her browser, and her browser is inside her OS. It's not obvious to her that the username and password she uses on yahoo are different from the ones she uses to log in to her linux account.
Find free books.
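The reset flow the comment above sketches (a mailed link carrying a random token, the old password left untouched until that link is used, a cap on attempts) as an added, self-contained example. It is not code from the thread or from any site mentioned in it; the in-memory ResetStore, the send_email callback, the example.invalid link and the limits are assumptions standing in for a database, a mailer and a site's policy.

```python
import hashlib
import hmac
import secrets
import time

# Added example, not code from the thread. Limits below are assumptions.
TOKEN_TTL_SECONDS = 15 * 60       # a reset link is good for fifteen minutes
MAX_REQUESTS_PER_HOUR = 3         # cap on reset mails per account
KDF_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2, so a database dump never yields the old password itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return salt, digest


def check_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class ResetStore:
    """Stands in for the user and token tables (assumption: in-memory dicts)."""

    def __init__(self):
        self.users = {}    # email -> {"salt", "digest", "requests": [timestamps]}
        self.tokens = {}   # sha256(raw token) -> {"email", "expires"}

    def add_user(self, email, password):
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "digest": digest, "requests": []}


def request_reset(store, email, send_email, now=None):
    """Always returns the same message, so the endpoint does not reveal which
    addresses are registered. Only the hash of the token is stored: a leaked
    table cannot be turned into working reset links."""
    now = now if now is not None else time.time()
    user = store.users.get(email)
    if user is not None:
        user["requests"] = [t for t in user["requests"] if now - t < 3600]
        if len(user["requests"]) < MAX_REQUESTS_PER_HOUR:
            user["requests"].append(now)
            raw = secrets.token_urlsafe(32)
            key = hashlib.sha256(raw.encode()).digest()
            store.tokens[key] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
            send_email(email, "https://example.invalid/reset?token=" + raw)
    return "If that address is registered, a reset link has been sent."


def redeem_reset(store, raw_token, new_password, now=None):
    """Consumes the token (single use) and only then replaces the password;
    until this call the old password keeps working, as the thread notes."""
    now = now if now is not None else time.time()
    key = hashlib.sha256(raw_token.encode()).digest()
    entry = store.tokens.pop(key, None)   # gone whether or not it verifies
    if entry is None or now > entry["expires"]:
        return False
    email = entry["email"]
    salt, digest = hash_password(new_password)
    store.users[email].update(salt=salt, digest=digest)
    # any other outstanding links for this account are now useless
    for stale in [k for k, v in store.tokens.items() if v["email"] == email]:
        del store.tokens[stale]
    return True
```

Because nothing changes at request time, an attacker who triggers resets on someone else's account only generates mail the owner will notice; the account is touched only when the link from the owner's inbox is actually followed, which is why the inbox itself becomes the thing worth protecting.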
Exactly how excellent is your memory, then? This kind of corner-case made me reconsider best-practices password security.
Yes, it is available through public record. But that isn't enough! What if your siblings like to play pranks on you, or if your mother is trying to get you to move out of your basement?
How do I protect myself from THEM?!
I was surprised recently when my bank asked for all this type of information (i.e. childhood friend, first school), but didn't have me confirm a single field. There was just a single text field for each question. God help me if I fat-fingered one of the answers. Was my first school All City Elementary...or All City Elemntary? OH CARP!
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
Is this really that much of a security issue? The new password is sent to your registered e-mail address, and only if you log in with the new password will your old password be changed. Otherwise, your password remains unchanged. So, unless the e-mail is sniffed in transit, or your e-mail account has been hacked, this shouldn't be an issue.
Seriously, I do reuse passwords -- I use the same pw for low-security sites (message boards, excluding slashdot), but increasingly obscure unique ones for more highly secure sites and uses.
My favorite pw creation scheme is to take a sentence that's easy to remember a la "I grew up in Boston, Mass, 02120," from which I derive IgUiBm)2!2), which is a fairly secure pw -- it's easier to remember a sentence than it is single complex word (at least for me).
Dude, I think I can see my house from here.
Yeah, that's what I want to use for a card with no spending limit, a datum easily discovered through public records.
I finally got hold of a real person, and he insisted I use my mother's birthday. I insisted that I would not. He finally had to get permission from a supervisor for me to use a random four digit string.
I understand, insisting on an easily remembered string probably reduces the number of support calls to reset pins, but at what cost?
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
I had to be clubbed on the head to realize this obvious universal truth:
The answer to your "secret question" doesn't have to have anything to do with the stated question.
I got upset at my bank because they only had four questions they'd let me use. Oldest sibling's name. (only child?) First pet. (which one?) Town you grew up in? (which one?) favorite color (don't have one). The really crazy part is these were ALL questions. The bank will randomly challenge me with one of those questions.
After yet another challenge lockout, the rep kindly informed me to just treat the secret questions just like another password field, and put in whatever else you'd like for another password. I could even use the same answer for all the questions.
d'oh. That's simpler than it looks.
It gets better. The "random" nature of the challenges was bugging me. The rep then said do you want to just make it ALWAYS challenge you? do it! Much better. I need consistency more than the random chance things are simpler. It always sends me looking for my password list when a forum or something I normally visit daily I miss for a few days and it logs me out. Having to enter the password for something every time you use it, and having to use it frequently, is much better for memorizing these things.
I work for the Department of Redundancy Department.
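The advice in the comment above (treat the secret answer as a second password) and the "Curry, curry, Curry Chicken" lockout complaint earlier in the thread both come down to how the answer is stored and compared. Added example, not code from the thread or from any bank: the answer is normalized before hashing so capitalization and stray spaces do not lock the user out, stored salted under a slow KDF so a database dump does not leak it, and checked behind a failure counter so guessing the dog's name is not free. Function names, the iteration count and the five-attempt limit are assumptions.

```python
import hashlib
import hmac
import re
import secrets
import unicodedata

# Added example; limits are assumptions, not any site's policy.
KDF_ITERATIONS = 100_000
MAX_ATTEMPTS = 5


def normalize_answer(answer):
    """'Curry Chicken', ' curry  chicken ' and 'curry-chicken!' all become
    'curry chicken'. This costs a little entropy (case, punctuation) in
    exchange for far fewer lockouts; a made-up answer like 'sodoff' survives."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", " ", text)   # punctuation becomes a space
    return " ".join(text.split())           # collapse runs of whitespace


def enroll_answer(answer):
    """Store salt + PBKDF2 digest of the normalized answer, never the text."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, KDF_ITERATIONS)
    return {"salt": salt, "digest": digest, "failures": 0}


def check_answer(record, answer):
    """Constant-time compare; refuses outright once the record is locked."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                    record["salt"], KDF_ITERATIONS)
    if hmac.compare_digest(candidate, record["digest"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False
```

A site that hashes the answer this way cannot show it back to the user or to a support rep, which is the point: the answer is a credential, not profile data, and should be handled exactly like the password it is standing in for.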
I would think it would be easier to find out my preferences from looking at my Facebook page than it would be to determine my mother's maiden name, best friend's name or what my first car was - you won't find any of that information spelled out clearly on facebook, but you would be able to look at my "Interests" to see what type of music, tv or foods I liked or view my pictures and see plenty of photos of me in art galleries and raves, but none at sporting events, for example.
Plus, as everyone knows, a multiple choice test is much easier to pass by answering randomly than a something where you have to fill in the blanks.
The opinions in this post are fictitious. Any similarity to actual opinions, real or imagined, is purely coincidental.
I suppose they could, but they'd be able to do the same thing if I used consistent "real" information in those fields too ... and at the end of the day I guess I just have to hope that I'm simply not that interesting of a target.
If libertarians are so opposed to effective government, why don't they all move to Somalia?
> The city you grew up in and your mother's maiden name can be derived from public records.
I grew up in Wei9Iequ. My mother's maiden name was ga4EeliY.
Or, if you insist on something easier to remember, make it Tanelorn and Gloriana.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
My wife's business website was routed to a porn site for three days a couple years ago. They transferred the domain from her account to their own account with another registrar, and pointed it to their own DNS servers.
They accessed her account by, you guessed it, compromising her primary email account using the "secret questions". As it turns out, the perpetrators knew all the right answers, because they were her ex-husband and his apparently-vindictive second wife.
They had unfettered access to her email account for over a year while they plotted this bit of nastiness. Such activity is a felony where we come from, but they moved out of the country before charges could be pressed.
Needless to say, my wife uses a bogus set of "secret" answers that even I don't know. Not that she's not trusting or anything... ;-)
Ask your doctor if getting up off your ass is right for you! -- Bill Maher
I'm with you. As far as these security bots are concerned, my mother's maiden name was sodoff. I imagine people just think she was Russian & not that I'm cursing at the stupid question. :D
If you are able to remember random fake answers to questions, then you probably aren't going to be the type who needs to reset your password. Resetting your password is only something that matters if you have trouble remembering random secure things anyway. You basically just have two passwords now, either of which can open your account (which may or may not be all you are looking for).
See How NOT to use 'secret questions' about the bad authentication design of an Australian government web site.
you had me at #!
Couldn't login! Was trying to log in to the wrong username (who shared my name), and the guy's secret question was "lager?". Of course the answer was "yes". :/
That probably makes me guilty of all kinds of nasty shit by accident :P
3laws: No freebies, no backsies, GTFO.
And they're set to disable scripting.
Neither password reuse nor password reset questions are as bad as passwords that expire.
Seriously, everybody knows you pick one password then increment the number on the end. To make matters worse, companies will often shove network drives down your throat via the domain policy, that, once your password changes, lock you out of everything. Security through inconvenience of your authorized users. Great!
Question everything
http://www.ravenwhite.com/iforgotmypassword.html
That the perception does not match reality is of lesser consequence for the site admin.
Engineering is the art of compromise.
Two other related problems:
1) Browsers remembering passwords for you. Because of speed-dial, I don't know my girlfriend's cell number. Same concept applies. Everything works fine until you have to reinstall the OS then you're foosed.
2) Frequent mandatory password changes with strict requirements. Just how many random alpha-numeric sequences can the average person remember? Naturally people write these passwords down somewhere near their computer and voila: Password is next to useless. If someone breaks into the office, chances are good at least one of the employees has a password in their desk.
I never use the city where I grew up or my mother's maiden name but something made-up or similar. For example, if I grew up in Minneapolis, in my system I'd put Miniapple or something stupid that I could remember. Putting a city you wish you grew up in would work also. Something that is totally fake but that you will remember. For my mother's maiden name I use something similar to my grandmother's middle name. As I've been doing this consistently for years I feel relatively secure, but unless I suddenly develop amnesia I can recover my forgotten passwords using this made-up information. You could easily just say your mother's maiden name was "Banana" or something nonsensical, so long as you used that all the time in order to remember you'd used it.
A friend of mine used to generate passwords by coming up with a word and interleaving it with a number. So, let's say you have the word house and the number 12345, which are both brutally easy to guess passwords; when you combine them you get h1o2u3s4e5, which would probably be a pretty secure password. Mix in a couple of shift keys, and you end up with h1O@u3S$e5, which is probably even less likely to be broken by any dictionary attack. Now in reality you would choose words and numbers that are even less common, so you'd end up with a really secure password. The really nice thing about this trick is that, in most GUI-based logins, you can just type the word part of your password (house), then move the cursor back to the second character and type each character from the number, followed by pressing the right arrow key. So you actually get a nice password that's easy to remember and easy to type.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
...but my password is always ); DROP TABLE user_accounts;
The game.
I use this to generate passwords. Since one master password yields different outputs for each parameter (i.e. slashdot, hotmail) I'm confident I won't forget a password, so I'm safe typing gibberish into the question fields.
Support the FairTax
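The scheme the comment above describes (one master password, a different password derived for each site, so the secret-question fields can hold gibberish) as an added example. This is not the tool the poster used, which the comment does not name; the site-label rule, the PBKDF2 stretching, the salt string and the character-class fix-up are assumptions of this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

# Added example of a deterministic per-site password generator; parameters
# (salt label, iteration count, output length) are assumptions.
KDF_ITERATIONS = 100_000


def site_label(url_or_host):
    """Reduce 'https://www.slashdot.org/login' and 'slashdot.org' to one label,
    so the same password comes out whichever form the user types."""
    text = url_or_host if "//" in url_or_host else "//" + url_or_host
    host = (urlsplit(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def derive_site_password(master, site, length=16, counter=1):
    """Stretch the master with PBKDF2, then take one HMAC per site.
    Stretching matters here: a site that leaks its derived password hands an
    attacker an offline oracle against the master, and the KDF cost is the
    only thing slowing that guess down. `counter` rotates a single site's
    password without touching the master."""
    stretched = hashlib.pbkdf2_hmac("sha256", master.encode(), b"pwgen-v1", KDF_ITERATIONS)
    label = (site_label(site) + ":" + str(counter)).encode()
    tag = hmac.new(stretched, label, "sha256").digest()
    body = base64.b64encode(tag).decode().rstrip("=")
    # many sites insist on a digit and a symbol; take both from the tag rather
    # than appending constants that every output would share
    digit = str(tag[0] % 10)
    symbol = "!@#$%^&*"[tag[1] % 8]
    return body[: length - 2] + digit + symbol
```

The obvious caveat carries over from the comment: the master can never be changed without changing every derived password at once, and a site that silently truncates or rejects symbols needs a stored per-site override, which is where the name-value list the earlier poster complained about creeps back in.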
I've got a great work around.
In fields like "Mother's maiden name:", just enter "mothersmaidenname".
Not derivable from any of your public records, and nobody would ever guess it.
Try it.
E-mail'ed passwords aren't a panacea either. People leave their non-SSL e-mail clients connected all the time on wireless, for instance.
The idea is that you do all of your password reset online. The quality of this system varies widely, and by widely I mean almost all of them are on the "crap" side. So, if you want to get somebody's account, you force three bad logins and answer what the name of their pet dog is, and defeat their 20-digit alphanumeric password. I kid, but only half.
There are plenty of researchers who have come up with better systems that are much harder to defeat, but all web-only systems have some weaknesses. I have one site that uses PIN codes via SMS as an alternate channel. Shocker, right, good systems use multiple paths to make compromise harder?
Most implementers only care about security theatre, however, and they don't bear the cost of their shoddy workmanship, so things aren't likely to change.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Some woman giving a 401K presentation at my work was talking about their website and how they have the question/answer fall back for when you forget your password. She said not to use a question with a simple, possibly well known answer like "What's your favorite color?" I piped up with my answer, "Fish!"
The point is, just because the question is constant, the answer doesn't have to be, it can basically be a second password.
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
Pfft. I just list all my account details for websites in a CSV file, then upload it to BitTorrent as "18 yr old bj porn xxx strip". That way, I'll always be able to download it.
I haven't seen very many of these lately, but some while ago there were a bunch of those online memes like "What's your pornstar name?", "What's your rapper name?", etc., where you put in stuff like the name of your first pet and the street you grew up on into a form to come up with the screen name you should use as a pornstar or something. On occasion there's some CGI code that produces a somewhat-randomized answer using your input as the seed. The intent is for you to cut-n-paste the sometimes-humorous answer into your LiveJournal or Facebook or MySpace for your friends to giggle at and possibly follow up with answers of their own.
Have you ever noticed that many of the questions those things ask you are the same things that websites use for "secret questions"?
repost of comment: 'passwords are bad use asymmetric keys' on Tuesday August 12, @08:07AM (#24566319)
the copy-paste, then the amendment:
The solution to authentication is something like the IronKey (a hardened USB drive for storing passwords) but with asymmetric crypto.
So you would go to Gmail, gmail would send a challenge that goes to the browser. A library on your browser would send the challenge to the USB device. The USB device would respond by signing the challenge asymmetrically, and that signature would route back through the browser to Gmail. Then you have 1 authenticated session until you destroy it. For sake of convenience imagine the implementation as using PGP -- public key, private key. Gmail has the public key, your USB device has the private key.
This is great since you could read your webmail on a friend's computer, or post Slashdot comments without leaving behind a persistent authentication token (barring a fake logout screen). Or there could be a keylogger on your home computer but it wouldn't be able to scrape persistent passwords and pass those on.
The only reason that humans don't use asymmetric security is that we're too stupid. Otherwise if we wanted high security we would be looking at screens of ciphertext and reversing the one-way function (a^b=c) in our heads. Given that we're too dumb, why not put our authenticator on a device that goes on a keychain with our other keys? (And you could make a backup just like with your other keys.)
[...]
-- amendment --
- no I'm not talking about a simple USB drive. That's why the IronKey is dumb since a rooted PC could mirror it.
- the USB device could have all sorts of fancy stuff like an LED screen or PIN, i.e. it's not just a flash drive as I said; it does public-private key crypto and you can't read all its private data by plugging it in. The point is to get support for asymmetric authentication and allow the free market to provide the level of extra nuisance consumers want.
- 90% don't want this, which is good, happy for them, I'm part of the 10%. So the legacy symmetric password support wouldn't go away and the 10% who want asymmetric passwords on a hardened low complexity (complexity is the enemy of security -- that's why your PC is as leaky as a sieve) device would have that option.
- i like bullet points
- proof-of-concept on a smartphone might be helpful.
If you need text styles to communicate then you don't have a message.
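The challenge-response exchange from the comment above, written out as an added example with both sides' messages: a Device that holds the private key and only ever hands back signatures, and a Server that issues single-use, expiring challenges and checks the answer against the registered public key. This is not the poster's code or any product's. The signature is Schnorr over a 128-bit safe-prime group generated at import time so the block runs in pure Python; that group size is a toy, and a real token would use Ed25519 or ECDSA from a vetted library. Class and method names, the origin string and the 60-second challenge lifetime are assumptions. Binding the server's origin into the signed message is the step that stops the "fake logout screen" case in the comment from relaying one site's challenge to another.

```python
import hashlib
import secrets
import time

# Added example; toy-sized parameters, generated on import (assumption).


def is_probable_prime(n, rounds=16):
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=128):
    """Safe prime p = 2q + 1 and a generator g of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    while True:
        g = pow(secrets.randbelow(p - 2) + 2, 2, p)   # a square has order q
        if g != 1:
            return p, q, g


P, Q, G = make_group()


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge_hash(r, message):
    return int.from_bytes(hashlib.sha256(r.to_bytes(32, "big") + message).digest(), "big") % Q


def sign(x, message):
    """Schnorr: (e, s) with e = H(g^k || m), s = k - x*e mod q."""
    k = secrets.randbelow(Q - 1) + 1
    e = _challenge_hash(pow(G, k, P), message)
    return e, (k - x * e) % Q


def verify(y, message, sig):
    e, s = sig
    r = (pow(G, s, P) * pow(y, e, P)) % P      # g^s * y^e == g^k for a valid sig
    return _challenge_hash(r, message) == e


class Device:
    """The keychain token: holds x, never exports it, only answers challenges."""

    def __init__(self):
        self._x, self.public = keygen()

    def respond(self, origin, nonce):
        # the origin goes into the signed bytes, so an answer meant for one
        # site does not verify at another that relayed the same nonce
        return sign(self._x, origin.encode() + b"|" + nonce)


class Server:
    CHALLENGE_TTL = 60.0

    def __init__(self, origin):
        self.origin = origin
        self.pubkeys = {}   # username -> public key y
        self.pending = {}   # nonce -> (username, expiry)

    def register(self, user, y):
        self.pubkeys[user] = y

    def issue_challenge(self, user, now=None):
        now = now if now is not None else time.time()
        nonce = secrets.token_bytes(32)
        self.pending[nonce] = (user, now + self.CHALLENGE_TTL)
        return nonce

    def login(self, user, nonce, sig, now=None):
        now = now if now is not None else time.time()
        entry = self.pending.pop(nonce, None)   # each challenge is answered once
        if entry is None or entry[0] != user or now > entry[1]:
            return False
        return verify(self.pubkeys[user], self.origin.encode() + b"|" + nonce, sig)
```

What the keylogger scenario in the comment gains from this: the browser only ever sees nonces and signatures, each bound to one origin and usable once, so there is no persistent secret to scrape and nothing captured that replays later.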
It really helps if you're not being a 'clever' smartass-- references to the cultural canon like 'What is the Answer to Life, the Universe, and Everything' or 'To Be, or Not to Be' are going to be guessed by a passing hacker faster than 'Who was the last person to sleep with my mom?' (Answer: me).
Is your hometown, by any chance, Quahog RI?
Seriously, I do reuse passwords -- I use the same pw for low-security sites (message boards, excluding slashdot)[...]
Why do you exclude Slashdot? People don't gain anything compromising your account here. I use the same pw on all sites...
HAHAHA Disregard that, I SUCK COCKS.