
Password Resets Worse Than Reusing Old Password

Posted by samzenpus
from the one-password-when-you're-born dept.
narramissic writes "We all know well the perils of password reuse. But what about the information used to reset passwords? Many sites use a standard set of questions — your mother's maiden name, the name of your best friend, what city you grew up in, or what brand your first car was. And you probably have a standard set of responses, making them easy to remember but not very secure. 'The city you grew up in and your mother's maiden name can be derived from public records. Facebook might unwittingly tell the name of your best friend. And, until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car,' says security researcher Markus Jakobsson. But 'password reset does not have to be a weak link,' says Jakobsson. 'Psychologists know that people's preferences are stable — often more so than long term memory. And very few preferences are recorded in public databases.'"

  • by Anonymous Coward

    'The city you grew up in and your mother's maiden name can be derived from public records.'

    I don't know if you can find the city that you grew up in in public records, but I know that in Minnesota, I can get anybody's name, date of birth, place of birth, mother's maiden name, and father's name with just a few clicks on the 'puter. (for free)

    Many folks put other personal details on their blogs or other places online and it doesn't take much to find quite a bit about their personal lives. Add that w

    • by PC and Sony Fanboy (1248258) on Wednesday August 13, 2008 @08:59PM (#24592947) Journal
      Yes, it is available through public record. But that isn't enough! What if your siblings like to play pranks on you, or if your mother is trying to get you to move out of your basement?

      How do I protect myself from THEM?!
      • by ozbon (99708) on Thursday August 14, 2008 @07:35AM (#24597115) Homepage

        Simple - just because that's what the form has asked for, it doesn't mean that's the data you have to put in.

        Mother's maiden name? "Han solo"
        First Pet? "Giraffe"
        First car? "Slashdot"

        I don't think I've *ever* put in the correct answers to those questions. So long as the answers are known to you, and you remember what you put against what, then what does it matter?

    • by zappepcs (820751) on Wednesday August 13, 2008 @09:07PM (#24593053) Journal

      The only set of questions that are any good are the set that you can make up yourself. At my bank, they ask what was the drill instructors name if I was in the military... how the hell do I know, all I remember is 'fuckhead'

      They never tell you whether spaces count or not. I would like a password reset that involved two network methods: Okay, I change it, but it doesn't count until I send a text message from my phone too, or something like that. Verification via email is good, but off-net authentication would be better. I wouldn't even mind that kind of authentication for access on a regular basis, say if my account is accessed by a pc that either does not have a cookie already or that is not used normally to access my account. Picture or background validation is also good against phishing, but let me upload my own pic? please? No matter how random I make the pic, it will always be something I know, and can update regularly. I mean, what's better than a simple text graphic for background that simply says "fuck W" or some other phrase you will remember?

      Security could be much simpler than it is, much better than it is. There seems to be no inspiration to implement it. That second network usage is invaluable. Give me a screen to pick one of several options (configured in preferences) such as cell, landline, SMS message, pager etc. I pick (and provide phone number) and you send the one-time authentication code that is in addition to my normal login credentials. It's easy really.

      The same authentication security can be used for password resets. Send a temp password to pre-authorized off-net device or address, or let me set the new temp password via telephone etc. It really isn't that difficult.

      • by cjb658 (1235986) on Wednesday August 13, 2008 @10:01PM (#24593507) Journal

        There are a lot of sites I don't want to give my phone number to.

      • by techno-vampire (666512) on Wednesday August 13, 2008 @10:41PM (#24593907) Homepage
        At my bank, they ask what was the drill instructors name if I was in the military... how the hell do I know, all I remember is 'fuckhead'

        So use that as the question and Fuckwit as the answer. No problem. It's not as though anybody is going to check to see if the answer is a proper name or anything.

        Actually, now that I think about it, there's no reason that there has to be any logical or rational connection between the question and answer, just as long as you remember what it is. I mean, is anybody at your bank going to complain if your answer to the question, "What city did you grow up in?" is, "Judy Garland," and if so, why?

        • by zappepcs (820751) on Wednesday August 13, 2008 @11:00PM (#24594063) Journal

          Dude, you don't get it ROFL
          If you can't get logged in, when you call their help desk they ask you the questions! You have to give some soft spoken girl the answers... ROFLMFAO

          I thought about 'eatshitcunt' as an answer, but that just wouldn't work out right

        • by UncleTogie (1004853) * on Wednesday August 13, 2008 @11:11PM (#24594165) Homepage Journal

          Actually, now that I think about it, there's no reason that there has to be any logical or rational connection between the question and answer, just as long as you remember what it is. I mean, is anybody at your bank going to complain if your answer to the question, "What city did you grow up in?" is, "Judy Garland," and if so, why?

          Dang. Busted.

          This is one of my fave tricks. I have a standard set of answers to match those questions, and as you indicated, they have NOTHING to do with the question. Simple, basic, and with multiple possible answers per question, I just try the first, then second if the first doesn't work, etc....

        • by Nebu (566313) <nebu&gta,igs,net> on Wednesday August 13, 2008 @11:35PM (#24594361) Homepage

          At my bank, they ask what was the drill instructors name if I was in the military... how the hell do I know, all I remember is 'fuckhead'

          So use that as the question and Fuckwit as the answer. No problem. It's not as though anybody is going to check to see if the answer is a proper name or anything.

          Right away, you see the problem with this approach. The GP wrote "fuckhead", and within 5 seconds of reading this, you already forgot that it was "fuckhead" and wrote "Fuckwit" instead. Not only did you get the word wrong, but you capitalized the "F" when the GP did not.

          Actually, now that I think about it, there's no reason that there has to be any logical or rational connection between the question and answer, just as long as you remember what it is. I mean, is anybody at your bank going to complain if your answer to the question, "What city did you grow up in?" is, "Judy Garland," and if so, why?

          Your bank isn't going to complain, but your future-self is going to. I got a bank account as a teenager, and one of the security questions was "What is your dream job". 10 years later, they asked me what I had put as my dream job. I completely blanked out. I remember I wanted to make videogames when I was a kid, so I tried "video game programmer", "videogame programmer", "game programmer", "game developer" and they were all rejected. Well, I was also in a rock band for a while, so I tried "rock star", "musician", etc. Nothing worked. In the end, I had to visit the bank in person, which meant taking some hours off of work, which was inconvenient because we were in an overtime crunch period.

          And this was for a question that I assumed I had answered earnestly (as opposed to "growing up in Judy Garland"); except it was merely a question that didn't really have a great significance to me, and so my answer likely changed with time. So unless you really have a strong memory associated with "growing up in Judy Garland" (perhaps because of some sort of inside joke), it's probably best not to try to be "clever" with these security questions.

          • by Anonymous Coward on Thursday August 14, 2008 @02:27AM (#24595449)

            Well the easy solution is to use a random string of characters.

            "My first pet was 4fgTY2k11."

            Make sure you use numbers and both lower and upper case letters at least.

            How are you gonna remember this in 10 years though? Easy! Store it in a file called "passwords.txt" in your My Documents folder. Works for me!

          • Re: (Score:3, Interesting)

            by toleraen (831634) *

            I got a bank account as a teenager, and one of the security questions was "What is your dream job". 10 years later, they asked me what I had put as my dream job.

            This is what drives me nuts. When most places have a series of questions to select from it's always mothers maiden/first car/etc, which I never want to answer. If they do have something other than those, it's "What's your favorite author/movie/food/band". Well that's helpful, it's whatever book I just read / movie I just saw / what I'm making for dinner / what's going through my headphones. Three weeks later, they're useless.

            It's forgetting those types of answers that drove me to using a generic answer f

    • by EmbeddedJanitor (597831) on Wednesday August 13, 2008 @10:06PM (#24593545)
      Remember what the goals are folks: giving the user a perceived sense of security and making a simple to use mechanism so that you don't end up having to deal with tons of helpdesk/support calls. On those criteria the current mechanisms are great.

      That the perception does not match reality is of lesser consequence for the site admin.

  • Even worse... (Score:5, Interesting)

    by Shados (741919) on Wednesday August 13, 2008 @08:28PM (#24592659)

    Even worse is that some of those systems are freakin' picky too.

    You may know the answer. But it may be case sensitive, and fairly picky. "What's your favorite food?" Is it Curry, curry, curry chicken, Curry Chicken, chicken, Chicken?

    I got locked out of my bank account because of that BS once (it wasn't a password reset though, it was a 2 step authentication, so it asked that on TOP of the password)

    • Re:Even worse... (Score:5, Insightful)

      by Wrath0fb0b (302444) on Wednesday August 13, 2008 @08:40PM (#24592773)

      Unless your time is worth more than $2000/hr, better locked and inconvenienced than compromised.

      • by Shados (741919)

        Of course, I cannot put non-alphanumeric characters or more than 9 characters in my password.

        So it's kind of inconsistent.

        • Re: (Score:3, Interesting)

          by camken (568412)
          i prefer using barcode passwords with a barcode reader.. easier than remembering them, and i can keep a 'list' of my passwords in my wallet which, even if stolen, still most likely wouldn't mean anything as i use shorthand to describe everything and the barcodes aren't printed alongside (usually i use stuff like my pack of cigarettes, a can of beer, etc) and if i ever need to get a password hint from a site i fill out the answer as the object i used to generate the password.. the nice thing is that they're
      • Re:Even worse... (Score:4, Interesting)

        by Nebu (566313) <nebu&gta,igs,net> on Wednesday August 13, 2008 @11:27PM (#24594299) Homepage

        Unless your time is worth more than $2000/hr, better locked and inconvenienced than compromised.

        You can't just look at the gain/loss of the two alternatives and decide which is better merely from that. You also have to take into account the probability, and multiply the gain/lost by the probability.

        For example, if you make $40/h, and you access your bank account 5 times a month, and it takes you an extra 60 seconds, because of the inconvenience of the added "security" questions, and if you still have a good 30 years of employment left, then over your life, the questions would have cost you $1200, and that's assuming you never get a raise. The security questions are always there, so you have a 100% chance of being inconvenienced each time you try to access your account.

        Most people don't get their bank accounts broken into, even without security questions. Let's be pessimistic and imagine 1 out of 1000 people who don't have security questions get hacked. Let's say the security questions are really secure (i.e. not merely "what is your maiden's name") and they actually halve the chance of getting hacked, even though you post a lot of your personal information such as your favorite color, or your dog's name on Facebook. If you only ever keep about $5000 in your bank, then the security question have lowered your risk from 0.1% (i.e. $5) to 0.05% (i.e. $2.50)

        So would you rather get $1200, or $2.50?

    • by liquidpele (663430) on Wednesday August 13, 2008 @08:46PM (#24592841) Journal
      hahaha... this reminds me of when I forgot my username to my online bank!
      I called in, and explained I couldn't remember my username. They asked me what I thought it was, and I told them. Then they said, "that's part of it.. what else might be there?" and I said "wel...." and named a number. They said "that's one of the numbers.. what is the other one?"... So I said "you can't just tell me?" and they said "no, I can only tell you that it's right or wrong" so I named off all 10 numbers until I got the last one right...

      Dumb thing was, I remembered afterwards that I only added those numbers because they *required* numbers in their USERNAME... sigh.. stupid banks.
      • Re: (Score:2, Funny)

        by Tubal-Cain (1289912)

        Let me guess... 42? 1337? 3.141592653589793helpimtrappedinauniversefactory7108914...?

      • by eugene ts wong (231154) on Thursday August 14, 2008 @01:10AM (#24595037) Homepage Journal

        You're lucky. I'm still confused by what happened to me.

        He said, "Mr. Wong, your confirmation question is, 'What did Eve first say, when she saw Adam?'.".

        "Hmm, that's a tough 1."

        "Yes, that is correct. Now, the deciphering question is, 'How does a foobar ask a question?'.".

        "What?"

        "Yes, that is correct. Will there be anything else for you today, Mr. Wong?".

    • by Beolach (518512)
      You either didn't follow the link [blue-moon-...cation.com] in the blurb, or you're referring to some of the existing systems - in which case I agree w/ you. The way they [blue-moon-...cation.com] did it was a setup step, where you selected 8 likes and 8 dislikes. Then when you need to authenticate, it shuffles those 16 items, and you select whether you like or dislike each item - no spelling required.
    • you could just always make sure to use the same case regardless of it being a proper noun or not. for example if the question is "What was the name of the city in which you went to first grade?" and the city is let's say "St. Petersburg" you would just always use "st petersburg" using all lower case and omitting any punctuation. Easy to recall as there is never any variation. Maybe it reduces security but do you want to actually use the service? If not, cancel your online account.

      KISS - keep it simple [stup

    • by Nushio (951488) on Wednesday August 13, 2008 @10:29PM (#24593787) Homepage
      Thats why I use random gibberish as a question, and rot13 that and use as the answer.

      Posting anonymously because I don't want you to look into my accounts and attempt to get into them!
  • HA! (Score:5, Funny)

    by Dice (109560) on Wednesday August 13, 2008 @08:29PM (#24592661)

    Fooled them. My first car was a Chevy!

  • by CorporateSuit (1319461) on Wednesday August 13, 2008 @08:30PM (#24592679)
    Bridgekeeper: Stop. What is your name?
    Galahad: Sir Galahad of Camelot.
    Bridgekeeper: What is your quest?
    Galahad: I seek the Grail.
    Bridgekeeper: What is your favourite colour?
    Galahad: Blue. No, yel...
    • by jonaskoelker (922170) <jonaskoelker@ g n u .org> on Thursday August 14, 2008 @02:56AM (#24595589) Homepage

      Truth is, preferences are *not* stable; my tastes in music have changed over the last ten years. I recall answering a "what's your favorite band" question to get my password, and I had to think back and guess who I was a fanboy of at the time I decided what the answer should be.

      Adding to that, preferences are not particularly secret. Here's the pepsi challenge: I'm male, I read slashdot. Use that to figure out which eight of these I like, and which eight I dislike:

      Video games, Casino gambling, Fashion, Watching figure skating, Reality shows, Skating, Going to libraries, Playing golf, Heavy Metal music, Reading comics, Going to bookstores, Gaming, Cats, Documentaries, Watching golf, Watching bowling.

      I haven't chosen any of them to be easy to guess, just some preferences I feel I could remember. Note also that there's [16 choose 8] possible answers, or 16!/8!/8! = 12870. That's less than 14 bits of randomness; choices are highly likely to be non-uniform and non-independent, so expect less than 14 bits.

      Here's some of my likes that are "obvious" from my reading Slashdot: [Video games, Going to libraries, Reading comics, Going to bookstores, Gaming, Documentaries]. Now you only have to find the remaining two likes, among ten options. Note that 10 choose 2 is 10!/8!/2! = 45. Say after three wrongs you're locked out for an hour. Ooh, it's going to take a whole fifteen hours to crack me and steal all my monies. (OMG monies).

      Even if you disagree on what's obvious about my likes, it seems like you could order them from most to least likely and my fellow slashdotters would still be _roughly_ in agreement. Try all combinations of likes and dislikes from most to least likely; there's your cracking algorithm.

      (the remaining ones are cats and heavy metal)
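The like/dislike scheme Beolach describes (pick 8 likes and 8 dislikes at setup, classify a shuffled list at login) and the search-space arithmetic jonaskoelker works through above, as an added example in Python. This is not the Blue Moon system's code and not from any poster; the item list is the one jonaskoelker posted, the lockout policy (three attempts per hour) is his hypothetical, and the likelihood profile in example_profile() is constructed here to mirror his "obvious from reading Slashdot" guess.

```python
"""Toy preference-based authenticator plus the attacker's search-space math.
Added example; not the Blue Moon Authentication implementation."""
import hmac
import itertools
import math
import random
import secrets

# Items exactly as listed in jonaskoelker's post.
ITEMS = [
    "Video games", "Casino gambling", "Fashion", "Watching figure skating",
    "Reality shows", "Skating", "Going to libraries", "Playing golf",
    "Heavy Metal music", "Reading comics", "Going to bookstores", "Gaming",
    "Cats", "Documentaries", "Watching golf", "Watching bowling",
]


def enroll(likes, items=ITEMS):
    """Setup step: the user marks exactly half of the items as liked.
    The stored secret is just the set of liked items."""
    likes = frozenset(likes)
    if len(likes) != len(items) // 2 or not likes <= set(items):
        raise ValueError("pick exactly half the items, all from the list")
    return likes


def challenge(items=ITEMS, seed=None):
    """Authentication step: present the items in a fresh random order so
    that screen position leaks nothing.  seed is for reproducible tests only."""
    order = list(items)
    (random.Random(seed) if seed is not None else secrets.SystemRandom()).shuffle(order)
    return order


def verify(stored_likes, order, answers):
    """answers[i] is True when the user claims to like order[i].
    Compare canonical serialisations in constant time."""
    claimed = frozenset(item for item, liked in zip(order, answers) if liked)
    a = "\x00".join(sorted(claimed)).encode()
    b = "\x00".join(sorted(stored_likes)).encode()
    return hmac.compare_digest(a, b)


def search_space(n_items, n_likes, known_likes=0, known_dislikes=0):
    """Candidate answer sets (and bits) left to an attacker who already
    knows some likes and dislikes from public profile data."""
    remaining_items = n_items - known_likes - known_dislikes
    remaining_likes = n_likes - known_likes
    count = math.comb(remaining_items, remaining_likes)
    return count, math.log2(count)


def hours_to_exhaust(candidates, attempts_per_window=3, window_hours=1.0):
    """Worst-case wall-clock time under a lockout of N attempts per window."""
    return math.ceil(candidates / attempts_per_window) * window_hours


def ranked_guesses(scores, n_likes):
    """scores: {item: estimated P(user likes item)}.  Returns every possible
    like-set ordered most-likely first: the 'cracking algorithm' from the post."""
    items = list(scores)

    def log_likelihood(combo):
        s = set(combo)
        return sum(math.log(scores[i]) if i in s else math.log(1.0 - scores[i])
                   for i in items)

    return sorted(itertools.combinations(items, n_likes),
                  key=log_likelihood, reverse=True)


def guess_rank(stored_likes, scores):
    """1-based position of the true like-set in the attacker's guess order,
    i.e. how many attempts a ranked attacker needs."""
    target = frozenset(stored_likes)
    for rank, combo in enumerate(ranked_guesses(scores, len(target)), start=1):
        if frozenset(combo) == target:
            return rank
    return None


def example_profile():
    """Constructed attacker profile for the posted item list: six 'obvious'
    Slashdot-reader likes at 0.9, the two plausible extras at 0.6, rest 0.2."""
    obvious = {"Video games", "Going to libraries", "Reading comics",
               "Going to bookstores", "Gaming", "Documentaries"}
    scores = {item: 0.2 for item in ITEMS}
    scores.update({item: 0.9 for item in obvious})
    scores.update({"Cats": 0.6, "Heavy Metal music": 0.6})
    return scores


if __name__ == "__main__":
    print(search_space(16, 8))                 # (12870, ~13.65 bits)
    print(search_space(16, 8, known_likes=6))  # (45, ~5.49 bits)
    print(hours_to_exhaust(45))                # 15.0 hours at 3 tries/hour
```

The numbers reproduce the post: 16 choose 8 is 12870 (under 14 bits) before any profiling, 45 once six likes are inferred, and a ranked attacker who models the target's tastes reasonably well lands on the right set on the first try. The lesson for anyone building such a scheme is that the nominal combinatorics are the ceiling, not the cost.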

  • by Kingrames (858416)

    In most cases being able to reset password with a question like "what's your mother's maiden name?" is worse than making your password "12345".

    • Re:pff (Score:5, Insightful)

      by OECD (639690) on Wednesday August 13, 2008 @08:40PM (#24592769) Journal
      Especially for those who have their mother's maiden name as either a middle name or part of a hyphenated last name.
    • Re:pff (Score:5, Funny)

      by jgtg32a (1173373) on Wednesday August 13, 2008 @08:41PM (#24592779)
      My mother's maiden name was 12345
      • Re: (Score:2, Funny)

        by Anonymous Coward
        ...you insensitive clod?
      • Re: (Score:3, Interesting)

        by iocat (572367)
        Mine was "Password." It's horrible.

        Seriously, I do reuse passwords -- I use the same pw for low-security sites (message boards, excluding slashdot), but increasingly obscure unique ones for more highly secure sites and uses.

        My favorite pw creation scheme is to take a sentence that's easy to remember a la "I grew up in Boston, Mass, 02120," from which I derive IgUiBm)2!2), which is a fairly secure pw -- it's easier to remember a sentence than it is single complex word (at least for me).

        • Re: (Score:3, Interesting)

          by CastrTroy (595695)
          A friend of mine used to generate passwords by coming up with a word, and interleaving it with a number. So, let's say you have the word house, and the number 12345, which are both brutally easy to guess passwords, and when you combine them you get h1o2u3s4e5. Which would probably be a pretty secure password. Mix in a couple of shift keys, and you end up with h1O@u3S$e5, which is probably even less likely to be broken by any dictionary attack. Now in reality you would choose words and numbers that are ev
        • Re:pff (Score:5, Funny)

          by Catil (1063380) * on Thursday August 14, 2008 @05:11AM (#24596323)

          Seriously, I do reuse passwords -- I use the same pw for low-security sites (message boards, excluding slashdot)[...]

          Why do you exclude Slashdot? People don't gain anything compromising your account here. I use the same pw on all sites...

      • Re: (Score:2, Funny)

        by punterjoe (743063)
        I'm with you. As far as these security bots are concerned, my mother's maiden name was sodoff. I imagine people just think she was Russian & not that I'm cursing at the stupid question. :D
      • My mother's maiden name was 12345

        ahh, then you must be C3PO!

    • by sconeu (64226)

      My mother's maiden name was #$@DD$#$21

    • by kesuki (321456)

      unless you lie, and use a fictitious name like 'frodo baggins' i noticed years ago that the 'security' question was inherently insecure, so i started using false answers only i would remember. try to steal my account by researching my first pets name, you won't get it right hah! this can bite people who can't remember what they used though, i like that some sites now have 'put in your own question' now. makes it easier.

      • > ...this can bite people who can't remember what they used though...

        There is a simple solution to that: Write it down (I know: heresy!)

      • Re: (Score:2, Insightful)

        by cortesoft (1150075)
        If you are able to remember random fake answers to questions, then you probably aren't going to be the type who needs to reset your password. Resetting your password is only something that matters if you have trouble remembering random secure things anyway. You basically just have two passwords now, either of which can open your account (which may or may not be all you are looking for).
  • by Average_Joe_Sixpack (534373) on Wednesday August 13, 2008 @08:31PM (#24592685)
    I just use the current month and then the year.
  • People actually enter their real information? I just put a password that I know well.
    • by skiingyac (262641)

      My mother's maiden name is Smith, of all things. That is certainly NOT what I ever put down on anything since I too realized long ago this wasn't secure. But, the design of those questions definitely does encourage you to pick the simplest question and the simplest answer, which is what the vast majority of people will (continue to) do.

  • by maraist (68387) * <michael@maraistNO.SPAMgmail@n0spam@com> on Wednesday August 13, 2008 @08:35PM (#24592727) Homepage

    For every web site that asks for a password I randomly generate one.

    If they have the audacity to ask for personal information, I randomly generate that data too. What frustrates me is that now I have to store a series of name-value pairs - because some of these web sites insist on randomly asking me to confirm my identity on occasion with these profile questions.

    What frustrates me even more is that most people are stupid enough to give random / anonymous web sites such personal info.. What if one of the questions was 'what is your VIN? What's your SSN'??? Would people ignorantly post that data too??

    If the website requires a credit card, use this information for credentialling. If it's a community web site, use email responses - if the email is hijacked, the owner should be able to see the flood of change-password emails. I never understood the value-add of such personal-info bio-metric questions.

    My bank uses a PIN in addition to the login. This actually makes sense to me - as PINs are generally easier to remember than my 10 digits random char-lists, but moreover it's at least honest about the purpose of these extra fields - and doesn't dupe people into leaving their pants down when the DB gets hacked one day.

    • by LighterShadeOfBlack (1011407) on Wednesday August 13, 2008 @08:45PM (#24592821) Homepage

      My bank uses a PIN in addition to the login. This actually makes sense to me - as PINs are generally easier to remember than my 10 digits random char-lists, but moreover it's at least honest about the purpose of these extra fields - and doesn't dupe people into leaving their pants down when the DB gets hacked one day.

      So you think someone is going to hack the login database for a bank and is going to be focusing on the fact that your first pet's name was Mittens?

        Forget that. There are many rewards points cards (frequent flyer, grocery stores, etc.) that ask for your mother's maiden name. I always fill out a fake one. If my card gets lost, it's better to lose the few points I get than to give them the right info I remember.

    • by strabes (1075839) on Wednesday August 13, 2008 @08:55PM (#24592913)
      Just a question: How do you keep track of all the different passwords of all the different websites which you sign into?
      • Re: (Score:3, Informative)

        by ednopantz (467288)

        How do you keep track of all the different passwords of all the different websites which you sign into?

        Use keypass [keepass.info] or another key storage system.

        Now, if it had an automagical firefox plugin that would let me create a strong password for a site and store it in my key database, that would rock.

      • by jcgf (688310) on Wednesday August 13, 2008 @09:09PM (#24593071)
        He uses post-it notes stuck to his monitor.
        • by strabes (1075839)
          Come on, let's get real. That won't stop the NSA.
        • Re: (Score:3, Insightful)

          by John Hasler (414242)

          Which, in many circumstances, is an entirely reasonable thing to do. In others that might not be safe but it would be ok to write the passwords down and put them in your wallet. It depends on the threat model.

    • by Prien715 (251944) <agnosticpope AT gmail DOT com> on Wednesday August 13, 2008 @09:36PM (#24593315) Homepage Journal

      I use them all the time. And I fill them out with information of a fictional character.

      Say, I'll put my name as Bilbo Baggins (actually using Brado Bompkins or something similar) and my hometown as "The Shire" and "bacon" as my favorite food. This lets me use unique information and track it. So if a site emails me and says "Hey Bilbo, you just won a new car!" I can tell you who exactly sold my email address.

  • by hack slash (1064002) on Wednesday August 13, 2008 @08:41PM (#24592777)
    I recently bought a domain+hosting space from a well known site, one that I don't ever recall buying domains from in the past (even searched through years worth of emails - nothing), and when signing up for a new account I was unexpectedly greeted with "that email address is already in use".

    So I went to the password retrieval page, entered my email address and it asked me the stupidest hint question (for me) ever: "What was the make of your first car?", it didn't make sense at all because I still haven't bought my first car!
  • by Zekasu (1059298) on Wednesday August 13, 2008 @08:42PM (#24592793)

    Many websites allow you to use your own question, rather than a preset one. "What is the movie you'd most relate to your high school career?"

    "What was the name of craziest teacher you had?"

    Better yet, "On Tuesday mornings, which newspaper did you always use to cut out little robot people?"

  • Just lie! (Score:5, Insightful)

    by xanadu113 (657977) on Wednesday August 13, 2008 @08:54PM (#24592905) Homepage
    Just lie on these questions! Put in answers you would know, but aren't factually correct.. =)

    Simple solution..
    • by Nebu (566313) <nebu&gta,igs,net> on Wednesday August 13, 2008 @11:40PM (#24594413) Homepage

      Just lie on these questions! Put in answers you would know, but aren't factually correct.. =)

      I have enough trouble remembering the factually correct answers (when the hell is my birthday again?), nevermind the lies.

    • by knarfling (735361)

      But then you have to remember the lie.

      For example, if I was born in Boston, and they ask for my birth city, did I answer New York, Atlanta, or Tampa? Or did I put in something completely different like Tatooine, Emerald City, or Ceti Alpha 5(6)? Or did I put in nonsense answers like phaser, light sabre, laptop, or even lkuso1iga133662?

      Which lie did I tell on this web site, and it is the same lie I told on my banking web site?

  • by bcrowell (177657) on Wednesday August 13, 2008 @08:58PM (#24592931) Homepage

    These things are generally used for very low-security applications. My bank doesn't use them, stock trading sites don't use them, etc. And in many cases it would still be hard for a bad guy to take over your account this way. For instance, they may send you an email every time the password recovery feature is used on your account. A well designed site won't actually let you recover your old password, it will generate a link with a hash code in it that allows you to pick a new one; so the bad guy can't find out what your password used to be (which would be especially scary if you were in the habit of using the same password for lots of things), and if it's an account that you use frequently, you'll also find out quickly that something is wrong, because your password will no longer work. And I would guess they also have a limited number of times you can guess your dog's name wrong. But okay, suppose someone manages to get access to my amazon.com account this way. Is it really that horrible? I suppose they can set up a new shipping address, order some CDs, and have them sent there. So I just turn around and call my credit card company, and they reverse all the charges.

    The typical slashdot user is really into using high-tech toys in sophisticated ways, but for the average person there really are severe usability issues with maintaining login and password combos, and these "what was your first pet's name" questions are a not entirely unreasonable attempt to make things easier for that type of user. My mother in law visited us recently for a few weeks. She's had a history of dysfunctional relationships with her Windows machines (viruses, etc.), so I got her started on Linux. Her main application is that she plays an online scrabble game (not the famous facebook one). She'd been unable to use her virus-infested computer for a long time, so it had been a long time since she'd been able to play scrabble. I got her set up on a spare linux box in the family room, and the very first thing she wanted to do was get scrabble working. Well, she just couldn't remember her username and password for this server. Tried a bunch of things, no luck. She was bummed out, too, because she'd had a high rating, and creating a new account with a zero rating meant it would be hard for her to get games. It would have been a lot better, from her point of view, if she'd been able to tell them her dog's name and recover her password. Who the heck cares if it leaves her vulnerable to having her scrabble account taken over by evil Russian hackers with handlebar moustaches?

    All of this might seem ridiculously easy to handle to us, but I could easily imagine myself having the same problem 10-15 years ago. It's not obvious to her how her email is nested inside her yahoo account, her yahoo account is inside her browser, and her browser is inside her OS. It's not obvious to her that the username and password she uses on yahoo are different from the ones she uses to log in to her linux account.

  • by Sir Holo (531007)
    "And very few preferences are recorded in public databases."

    Yet.
  • by Itninja (937614) on Wednesday August 13, 2008 @08:59PM (#24592951) Homepage
    I was surprised recently when my bank asked for all this type of information (i.e. childhood friend, first school), but didn't have me confirm a single field. There was just a single text field for each question. God help me if I fat-fingered one of the answers. Was my first school All City Elementary...or All City Elemntary? OH CARP!
  • The first and obvious is that those "reminder" pages usually draw from a limited set of possible answers. What's your favorite color? If you're a man, you know about 6 ("peach" is no color, it's a fruit!). So, and this gets us to the second problem, keep trying, they usually also don't have limited amounts of attempts. Yellow, blue, green, red, black, white... you're prone to stumble upon the right one eventually.

    The worst reminder question I ever had was "what's the last 4 digits on your credit card?" Besi

  • I have a fake mother's maiden name that I use for online forms (as well as offline forms where I feel the organization in question has no fucking need to know the correct answer). I have a fake first car answer, a fake best friend answer, and a fake city where I was born. I use the same ones consistently for all my password reset questions.
  • by AJNeufeld (835529) on Wednesday August 13, 2008 @09:05PM (#24593015)
    Is this really that much of a security issue? The new password is sent to your registered e-mail address, and only if you log in with the new password will your old password be changed. Otherwise, your password remains unchanged. So, unless the e-mail is sniffed in transit, or your e-mail account has been hacked, this shouldn't be an issue.
    • Re: (Score:3, Insightful)

      by mr_mischief (456295)

      I'd be less worried about your individual email account and more worried about that Exchange installation on the NT4 box in the janitor's closet that your employer uses as a mail server. Having everyone's password reset data is better and often easier than having just yours.

      On lower-security sites like this, I tend to send a password reset link with a long (about 40 character) random string as part of the URL that is good for 24 hours, until the password is reset, or the "I did not request this reset" link
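The reset flow described in the comment above (a long random token in the emailed link, good for 24 hours, dead once the password is reset or the "I did not request this" link is clicked), written out as an added Python example. This is not code from the thread or from any site mentioned in it; the `PasswordResetService` class, its method names and the in-memory stores are assumptions of this example. Two details go beyond the comment: only a hash of the token is stored, so a leaked table yields nothing that can be pasted into a URL, and a fresh request retires any older outstanding token for the same user.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetRecord:
    email: str
    expires_at: float          # absolute time; the link is dead after this
    cancelled: bool = False    # set by the "I did not request this" link
    used: bool = False         # a token is good for exactly one reset


class PasswordResetService:
    """Hypothetical email-link reset service (example only, not a real library)."""

    TOKEN_BYTES = 30           # 30 random bytes -> 40 URL-safe characters
    TTL_SECONDS = 24 * 3600    # the link is good for 24 hours

    def __init__(self, clock=time.time):
        self.clock = clock     # injectable so expiry can be exercised in tests
        self.records = {}      # sha256(token) -> ResetRecord
        self.passwords = {}    # email -> (salt, pbkdf2 digest); toy in-memory store

    @staticmethod
    def _key(token):
        # Store only a hash of the token; the raw token exists only in the email.
        return hashlib.sha256(token.encode()).hexdigest()

    def _retire_all(self, email):
        for rec in self.records.values():
            if rec.email == email:
                rec.cancelled = True

    def request_reset(self, email):
        """Issue a fresh token; any earlier outstanding token for the user dies."""
        self._retire_all(email)
        token = secrets.token_urlsafe(self.TOKEN_BYTES)
        self.records[self._key(token)] = ResetRecord(
            email=email, expires_at=self.clock() + self.TTL_SECONDS)
        return token  # goes into the emailed link, e.g. /reset?t=<token>

    def _live(self, token):
        rec = self.records.get(self._key(token))
        if rec is None or rec.used or rec.cancelled:
            return None
        if self.clock() > rec.expires_at:
            return None
        return rec

    def cancel(self, token):
        """The 'I did not request this reset' link; works even after expiry."""
        rec = self.records.get(self._key(token))
        if rec is None:
            return False
        rec.cancelled = True
        return True

    def complete_reset(self, token, new_password):
        rec = self._live(token)
        if rec is None:
            return False
        rec.used = True
        self._retire_all(rec.email)
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        self.passwords[rec.email] = (salt, digest)
        return True

    def verify_password(self, email, password):
        entry = self.passwords.get(email)
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return secrets.compare_digest(candidate, digest)
```

Note that `cancel` deliberately skips the liveness check: a user who clicks "I did not request this" on a stale email should still be able to kill the token, and a cancelled record is never resurrected. The old password is never disclosed at any step, which is the property the earlier comment in this thread asks for.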

  • a 1969 Pontiac GTO, wait, you did not read that!
  • American Express... (Score:5, Informative)

    by roc97007 (608802) on Wednesday August 13, 2008 @09:07PM (#24593049) Journal

    ...wouldn't activate my card until I created a pin. They wanted me to use the month and day of my mother's birthday. I tried random digits, but -- fer chrissake -- the menu system would only take digits that were valid dates.

    Yeah, that's what I want to use for a card with no spending limit, a datum easily discovered through public records.

    I finally got hold of a real person, and he insisted I use my mother's birthday. I insisted that I would not. He finally had to get permission from a supervisor for me to use a random four digit string.

    I understand, insisting on an easily remembered string probably reduces the number of support calls to reset pins, but at what cost?

  • by v1 (525388) on Wednesday August 13, 2008 @09:08PM (#24593059) Homepage Journal

    I had to be clubbed on the head to realize this obvious universal truth:

    The answer to your "secret question" doesn't have to have anything to do with the stated question.

    I got upset at my bank because they only had four questions they'd let me use. Oldest sibling's name. (only child?) First pet. (which one?) Town you grew up in? (which one?) favorite color (don't have one). The really crazy part is these were ALL questions. The bank will randomly challenge me with one of those questions.

    After yet another challenge lockout, the rep kindly informed me to just treat the secret questions just like another password field, and put in whatever else you'd like for another password. I could even use the same answer for all the questions.

    d'oh. That's easier and simpler than it looks.

    It gets better. The "random" nature of the challenges was bugging me. The rep then said, do you want to just make it ALWAYS challenge you? Do it! Much better. I need consistency more than the random chance things are simpler. It always sends me looking for my password list when a forum or something I normally visit daily I miss for a few days and it logs me out. Having to enter the password for something every time you use it, and having to use it frequently, is much better for memorizing these things.

  • Easier to defeat (Score:4, Interesting)

    by MasterOfDisaster (248401) <kristopf&gmail,com> on Wednesday August 13, 2008 @09:10PM (#24593085) Homepage Journal

    I would think it would be easier to find out my preferences from looking at my Facebook page than it would be to determine my mother's maiden name, best friend's name or what my first car was - you won't find any of that information spelled out clearly on facebook, but you would be able to look at my "Interests" to see what type of music, tv or foods I liked or view my pictures and see plenty of photos of me in art galleries and raves, but none at sporting events, for example.

    Plus, as everyone knows, a multiple choice test is much easier to pass by answering randomly than something where you have to fill in the blanks.

    So what's the definition of "password reset"? I'd started off assuming that it refers to one of those "I forgot my password" thingies. But the few times I've used one of those (usually helping a friend get a new password, actually), the result has always been for the site to email a new password that was random and unpronounceable, plus a link to change the password.

    Are there sites that actually set your password to one of these personal-info strings? If so, that's incredibly demented behavior on their pa

    • Re: (Score:3, Interesting)

      by bill_mcgonigle (4333) *

      E-mail'ed passwords aren't panacea either. People leave their non-SSL e-mail clients connected all the time on wireless, for instance.

      The idea is that you do all of your password reset online. The quality of this system varies widely, and by widely I mean almost all of them are on the "crap" side. So, if you want to get somebody's account, you force three bad logins and answer what the name of their pet dog is, and defeat their 20-digit alphanumeric password. I kid, but only half.

      There are plenty of rese

  • Lie (Score:5, Informative)

    by John Hasler (414242) on Wednesday August 13, 2008 @09:20PM (#24593149) Homepage

    > The city you grew up in and your mother's maiden name can be derived from public records.

    I grew up in Wei9Iequ. My mother's maiden name was ga4EeliY.

    Or, if you insist on something easier to remember, make it Tanelorn and Gloriana.

    • Re: (Score:3, Funny)

      by greg1104 (461138)

      Making up your own answers like the ones you suggest might seem fine, but just you wait until someone at the bank challenges you on the phone to confirm your answer to "what's your favorite sport?" and you have to answer "Moorcock".

  • by EWillieL (15339) * on Wednesday August 13, 2008 @09:23PM (#24593179)

    My wife's business website was routed to a porn site for three days a couple years ago. They transferred the domain from her account to their own account with another registrar, and pointed it to their own DNS servers.

    They accessed her account by, you guessed it, compromising her primary email account using the "secret questions". As it turns out, the perpetrators knew all the right answers, because they were her ex-husband and his apparently-vindictive second wife.

    They had unfettered access to her email account for over a year while they plotted this bit of nastiness. Such activity is a felony where we come from, but they moved out of the country before charges could be pressed.

    Needless to say, my wife uses a bogus set of "secret" answers that even I don't know. Not that she's not trusting or anything... ;-)

  • by toby (759) * on Wednesday August 13, 2008 @09:35PM (#24593305) Homepage Journal
    See How NOT to use 'secret questions' [girtby.net] about the bad authentication design of an Australian government web site.
  • ..that people might actually give an honest answer to questions like 'mother's maiden name?'

    And what about 'first pet?' - I never had a PET as such, my first computer was a TRS80
    I did have a C=64 which was a direct descendant of the Personal Electronic Transactor

    Those questions are just prompts, you aren't expected to provide an answer that is correct, just the same as what you originally typed in.

    And then they send you the NEW password to your Email address. If you used a SECURE email account in the first pla

  • Couldn't login! Was trying to login to the wrong username (who shared my name), and the guy's secret question was "lager?". Of course the answer was "yes". :/

    That probably makes me guilty of all kinds of nasty shit by accident :P

  • by Thaelon (250687) on Wednesday August 13, 2008 @09:53PM (#24593447)

    Neither password reuse nor password reset questions are as bad as passwords that expire.

    Seriously, everybody knows you pick one password then increment the number on the end. To make matters worse, companies will often shove network drives down your throat via the domain policy, that, once your password changes, lock you out of everything. Security through inconvenience of your authorized users. Great!

  • by thatskinnyguy (1129515) on Wednesday August 13, 2008 @11:25PM (#24594289)
    ...but my password is always ); DROP TABLE user_accounts;
  • hashapass.com (Score:3, Informative)

    by robonasty (1305315) on Wednesday August 13, 2008 @11:33PM (#24594335)
    I use this [hashapass.com] to generate passwords. Since one master password yields different outputs for each parameter (i.e. slashdot, hotmail) I'm confident I won't forget a password, so I'm safe typing gibberish into the question fields.
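The idea in the comment above, one master password hashed with a per-site parameter so that every site (and every "secret question" field) gets its own gibberish, shown as an added Python example. This is not hashapass's code; the scheme here (HMAC-SHA1 keyed with the master over the parameter, base64, first 8 characters) is an assumption about the general shape of such tools, not a statement of what hashapass does, and the `derive` and `site_secrets` names are this example's own.

```python
import base64
import hashlib
import hmac


def derive(master: str, parameter: str, length: int = 8) -> str:
    """Deterministic per-parameter secret from one master password.

    Assumed scheme (example only): HMAC-SHA1 keyed with the master password
    over the parameter string, base64-encoded, first `length` characters kept.
    Every byte of a base64 output carries 6 bits, so 8 characters is roughly
    48 bits of derived secret.
    """
    mac = hmac.new(master.encode(), parameter.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:length]


def site_secrets(master: str, site: str) -> dict:
    """Password plus 'secret question' answers for one site, all derived.

    Each question gets its own parameter, so a leaked answer on one site
    says nothing about the password or about any other site's answers.
    """
    return {
        "password": derive(master, site),
        "first pet": derive(master, f"{site}/first pet"),
        "mother's maiden name": derive(master, f"{site}/mother's maiden name"),
    }
```

The caveat a practitioner would add: the derivation is deterministic and the algorithm is public, so the master password carries all of the security, and a master that is guessable from one leaked derived value gives up every site at once. There is also no way to rotate a single site's password after a breach except by changing its parameter (for instance appending a counter), which the user then has to remember.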
  • Workaround (Score:3, Funny)

    by d_54321 (446966) on Wednesday August 13, 2008 @11:33PM (#24594339) Journal

    I've got a great workaround.

    In fields like "Mother's maiden name:", just enter "mothersmaidenname".

    Not derivable from any of your public records, and nobody would ever guess it.

    Try it.

  • Some woman giving a 401K presentation at my work was talking about their website and how they have the question/answer fall back for when you forget your password. She said not to use a question with a simple, possibly well known answer like "What's your favorite color?" I piped up with my answer, "Fish!"

    The point is, just because the question is constant, the answer doesn't have to be, it can basically be a second password.
