Slashdot Mirror
Password Resets Worse Than Reusing Old password
narramissic writes "We all know well the perils of password reuse. But what about the information used to reset passwords? Many sites use a standard set of questions — your mother's maiden name, the name of your best friend, what city you grew up in, or what brand your first car was. And you probably have a standard set of responses, making them easy to remember but not very secure. 'The city you grew up in and your mother's maiden name can be derived from public records. Facebook might unwittingly tell the name of your best friend. And, until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car,' says security researcher Markus Jakobsson. But 'password reset does not have to be a weak link,' says Jakobsson. 'Psychologists know that people's preferences are stable — often more so than long term memory. And very few preferences are recorded in public databases.'"
Even worse is that some of those system are freagin picky too.
You may know the answer. But it may be case sensitive, and fairly picky. "Whats your favorite food". Is it Curry, curry, curry chicken, Curry Chicken, chicken, Chicken?
I got locked out of my bank account because of that BS once (it wasn't a password reset though, it was a 2 step authentication, so it asked that on TOP of the password)
Fooled them. My first car was a Chevy!
Bridgekeeper: Stop. What is your name?
Galahad: Sir Galahad of Camelot.
Bridgekeeper: What is your quest?
Galahad: I seek the Grail.
Bridgekeeper: What is your favourite colour?
Galahad: Blue. No, yel...
I am the richest astronaut ever to win the superbowl.
For every web site that asks for a password I randomly generate one.
If they have the audacity to ask for personal information, I randomly generate that data too. What frustrates me is that now I have to store a series of name-value pairs - because some of these web sites insist on randomly asking me to confirm my identity on occasion with these profile questions.
What frustrates me even more is that most people are stupid enough to give random / anonymous web sites such personal info.. What if one of the questions was 'what is your VIN? What's your SSN'??? Would people ignorantly post that data too??
If the website requires a credit card, use this information for credentialling. If it's a community web site, use email responses - if the email is hijacked, the owner should be able to see the flood of change-password emails. I never understood the value-add of such personal-info bio-metric questions.
My bank uses a PIN in additional to the login. This actually makes sense to me - as PINs are generally easier to remember than my 10 digits random char-lists, but moreover it's at least honest about the purpose of these extra fields - and doesn't dupe people into leaving their pants down when the DB gets hacked one day.
-Michael
Especially for those who have their mother's maiden name as either a middle name or part of a hyphenated last name.
One man's -1 Flamebait is another man's +5 Funny.
My mother's maiden name was 12345
Comment removed based on user account deletion
Just lie on these questions! Put in answers you would know, but aren't factually correct.. =)
Simple solution..
-Myke
Or, "Where did you bury the body of your eleventh victim?"
These things are generally used for very low-security applications. My bank doesn't use them, stock trading sites don't use them, etc. And in many cases it would still be hard for a bad guy to take over your account this way. For instance, they may send you an email every time the password recovery feature is used on your account. A well designed site won't actually let you recover your old password, it will generate a link with a hash code in it that allows you to pick a new one; so the bad guy can't find out what your password used to be (which would be especially scary if you were in the habit of using the same password for lots of things), and if it's an account that you use frequently, you'll also find out quickly that something is wrong, because your password will no longer work. And I would guess they also have a limited number of times you can guess your dog's name wrong. But okay, suppose someone manages to get access to my amazon.com account this way. Is it really that horrible? I suppose they can set up a new shipping address, order some CDs, and have them sent there. So I just turn around and call my credit card company, and they reverse all the charges.
The typical slashdot user is really into using high-tech toys in sophisticated ways, but for the average person there really are severe usability issues with maintaining login and password combos, and these "what was your first pet's name" questions are a a not entirely unreasonable attempt to make things easier for that type of user. My mother in law visited us recently for a few weeks. She's had a history of dysfunctional relationships with her Windows machines (viruses, etc.), so I got her started on Linux. Her main application is that she plays an online scrabble game (not the famous facebook one). She'd been unable to use her virus-infested computer for a long time, so it had been a long time since she'd been able to play scrabble. I got her set up on a spare linux box in the family room, and the very first thing she wanted to do was get scrabble working. Well, she just couldn't remember her username and password for this server. Tried a bunch of things, no luck. She was bummed out, too, because she'd had a high rating, and creating a new account with a zero rating meant it would be hard for her to get games. It would have been a lot better, from her point of view, if she'd been able to tell them her dog's name and recover her password. Who the heck cares if it leaves her vulnerable to having her scrabble account taken over by evil Russian hackers with handlebar moustaches?
All of this might seem ridiculously easy to handle to us, but I could easily imagine myself having the same problem 10-15 years ago. It's not obvious to her how her email is nested inside her yahoo account, her yahoo account is inside her browser, and her browser is inside her OS. It's not obvious to her that the username and password she uses on yahoo are different from the ones she uses to log in to her linux account.
Find free books.
I was surprised recently when my back asked for all this type of information (i.e. childhood friend, first school), but didn't have me confirm a single field. There was just a single text field for each question. God help me if I fat-fingered one of the answers. Was my first school All City Elementary...or All City Elemntary? OH CARP!
I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
Yeah, that's what I want to use for a card with no spending limit, a datum easily discovered through public records.
I finally got hold of a real person, and he insisted I use my mother's birthday. I insisted that I would not. He finally had to get permission from a supervisor for me to use a random four digit string.
I understand, insisting on an easily remembered string probably reduces the number of support calls to reset pins, but at what cost?
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
The only set of questions that are any good are the set that you can make up yourself. At my bank, they ask what was the drill instructors name if I was in the military... how the hell do I know, all I remember is 'fuckhead'
They never tell you whether spaces count or not. I would like a password reset that involved two network methods: Okay, I change it, but it doesn't count until I send a text message from my phone too, or something like that. Verification via email is good, but off-net authentication would be better. I wouldn't even mind that kind of authentication for access on a regular basis, say if my account is accessed by a pc that either does not have a cookie already or that is not used normally to access my account. Picture or background validation is also good against phishing, but let me upload my own pic? please? No matter how random I make the pic, it will always be something I know, and can update regularly. I mean, what's better than a simple text graphic for background that simply says "fuck W" or some other phrase you will remember?
Security could be much simpler than it is, much better than it is. There seems to be no inspiration to implement it. That second network usage is invaluable. Give me a screen to pick one of several options (configured in preferences) such as cell, landline, SMS message, pager etc. I pick (and provide phone number) and you send the one-time authentication code that is in addition to my normal login credentials. It's easy really.
The same authentication security can be used for password resets. Send a temp password to pre-authorized off-net device or address, or let me set the new temp password via telephone etc. It really isn't that difficult.
Support NYCountryLawyer RIAA vs People
I had to be clubbed on the head to realize this obvious universal truth:
The answer to your "secret question" doesn't have to have anything to do with the stated question.
I got upset at my bank because they only had four questions they'd let me use. Oldest sibling's name. (only child?) First pet. (which one?) Town you grew up in? (which one?) favorite color (don't have one). The really crazy part is these were ALL questions. The bank will randomly challenge me with one of those questions.
After yet another challenge lockout, the rep kindly informed me to just treat the secret questions just like another password field, and put in whatever else you'd like for another password. I could even use the same answer for all the questions.
d'oh. That's easier simpler it looks.
It gets better. The "random" nature of the challenges was bugging me. The rep then said do you want to just make it ALWAYS challenge you? do it! Much better. I need consistency more than the random chance things are simpler. It always sends me looking for my password list when a forum or something I normally visit daily I miss for a few days and it logs me out. Having to enter the password for something every time you use it, and having to use it frequently, is much better for memorizing these things.
I work for the Department of Redundancy Department.
> The city you grew up in and your mother's maiden name can be derived from public records.
I grew up in Wei9Iequ. My mother's maiden name was ga4EeliY.
Or, if you insist on something easier to remember, make it Tanelorn and Gloriana.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
My wife's business website was routed to a porn site for three days a couple years ago. They transferred the domain from her account to their own account with another registrar, and pointed it to their own DNS servers.
They accessed her account by, you guessed it, compromising her primary email account using the "secret questions". As it turns out, the perpetrators knew all the right answers, because they were her ex-husband and his apparently-vindictive second wife.
They had unfettered access to her email account for over a year while they plotted this bit of nastiness. Such activity is a felony where we come from, but they moved out of the country before charges could be pressed.
Needless to say, my wife uses a bogus set of "secret" answers that even I don't know. Not that she's not trusting or anything... ;-)
Ask your doctor if getting up off your ass is right for you! -- Bill Maher
So use that as the question and Fuckwit as the answer. No problem. It's not as though anybody is going to check to see if the answer is a proper name or anything.
Actually, now that I think about it, there's no reason that there has to be any logical or rational connection between the question and answer, just as long as you remember what it is. I mean, is anybody at your bank going to complain if your answer to the question, "What city did you grow up in?" is, "Judy Garland," and if so, why?
Good, inexpensive web hosting
...but my password is always ); DROP TABLE user_accounts;
The game.
At my bank, they ask what was the drill instructors name if I was in the military... how the hell do I know, all I remember is 'fuckhead'
So use that as the question and Fuckwit as the answer. No problem. It's not as though anybody is going to check to see if the answer is a proper name or anything.
Right away, you see the problem with this approach. The GP wrote "fuckhead", and within 5 seconds of reading this, you already forgot that it was "fuckhead" and wrote "Fuckwit" instead. Not only did you get the word wrong, but you capitalized the "F" when the GP did not.
Actually, now that I think about it, there's no reason that there has to be any logical or rational connection between the question and answer, just as long as you remember what it is. I mean, is anybody at your bank going to complain if your answer to the question, "What city did you grow up in?" is, "Judy Garland," and if so, why?
Your bank isn't going to complain, but your future-self is going to. I got a bank account as a teenager, and one of the security questions was "What is your dream job". 10 years later, they asked me what I had put as my dream job. I completely blanked out. I remember I wanted to make videogames when I was a kid, so I tried "video game programmer", "videogame programmer", "game programmer", "game developer" and they were all rejected. Well, I was also in a rock band for a while, so I tried "rock star", "musician", etc. Nothing worked. In the end, I had to visit the bank in person, which meant taking some hours off of work, which was inconvenient because we were in an overtime crunch period.
And this was for a question that I assumed I had answered earnestly (as opposed to "growing up in Judy Garland"); except it was merely a question that didn't really have a great significance to me, and so my answer likely changed with time. So unless you really have a strong memory associated with "growing up in Judy Garland" (perhaps because of some sort of inside joke), it's probably best not to try to be "clever" with these security questions.
No one will ever guess that I just pick a question at random and give all the same answers.
Mother's Maiden Name: lando-calrissian
Favorite pet: lando-calrissian
Year you were born: lando-calrissian
Best friend: lando-calrissian
Guess that, suckers.
There's no place like
Well the easy solution is to use a random string of characters.
"My first pet was 4fgTY2k11."
Make sure you use numbers and both lower and upper case letters at least.
How are you gonna remember this in 10 years though? Easy! Store it in a file called "passwords.txt" in your My Documents folder. Works for me!
Seriously, I do reuse passwords -- I use the same pw for low-security sites (message boards, excluding slashdot)[...]
Why do you exclude Slashdot? People don't gain anything compromising your account here. I use the same pw on all sites...
HAHAHA Disregard that, I SUCK COCKS.