Password Resets Worse Than Reusing Old Password
narramissic writes "We all know well the perils of password reuse. But what about the information used to reset passwords? Many sites use a standard set of questions — your mother's maiden name, the name of your best friend, what city you grew up in, or what brand your first car was. And you probably have a standard set of responses, making them easy to remember but not very secure. 'The city you grew up in and your mother's maiden name can be derived from public records. Facebook might unwittingly tell the name of your best friend. And, until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car,' says security researcher Markus Jakobsson. But 'password reset does not have to be a weak link,' says Jakobsson. 'Psychologists know that people's preferences are stable — often more so than long term memory. And very few preferences are recorded in public databases.'"
Well (Score:1, Insightful)
I came up with a standard set of bullshit 10 years ago. I use it to this day. By the way, my first pet was named cfeadr3.
I NEVER use these fields (Score:5, Insightful)
For every web site that asks for a password I randomly generate one.
If they have the audacity to ask for personal information, I randomly generate that data too. What frustrates me is that now I have to store a series of name-value pairs - because some of these web sites insist on randomly asking me to confirm my identity on occasion with these profile questions.
What frustrates me even more is that most people are stupid enough to give random / anonymous web sites such personal info. What if one of the questions was 'what is your VIN? What's your SSN'??? Would people ignorantly post that data too??
If the website requires a credit card, use this information for credentialling. If it's a community web site, use email responses - if the email is hijacked, the owner should be able to see the flood of change-password emails. I never understood the value-add of such personal-info bio-metric questions.
My bank uses a PIN in addition to the login. This actually makes sense to me - as PINs are generally easier to remember than my 10 digit random char-lists, but moreover it's at least honest about the purpose of these extra fields - and doesn't dupe people into leaving their pants down when the DB gets hacked one day.
Re:Even worse... (Score:5, Insightful)
Unless your time is worth more than $2000/hr, better locked and inconvenienced than compromised.
Just lie! (Score:5, Insightful)
Simple solution..
generally used for low-security applications (Score:5, Insightful)
These things are generally used for very low-security applications. My bank doesn't use them, stock trading sites don't use them, etc. And in many cases it would still be hard for a bad guy to take over your account this way. For instance, they may send you an email every time the password recovery feature is used on your account. A well designed site won't actually let you recover your old password, it will generate a link with a hash code in it that allows you to pick a new one; so the bad guy can't find out what your password used to be (which would be especially scary if you were in the habit of using the same password for lots of things), and if it's an account that you use frequently, you'll also find out quickly that something is wrong, because your password will no longer work. And I would guess they also have a limited number of times you can guess your dog's name wrong. But okay, suppose someone manages to get access to my amazon.com account this way. Is it really that horrible? I suppose they can set up a new shipping address, order some CDs, and have them sent there. So I just turn around and call my credit card company, and they reverse all the charges.
The typical slashdot user is really into using high-tech toys in sophisticated ways, but for the average person there really are severe usability issues with maintaining login and password combos, and these "what was your first pet's name" questions are a not entirely unreasonable attempt to make things easier for that type of user. My mother in law visited us recently for a few weeks. She's had a history of dysfunctional relationships with her Windows machines (viruses, etc.), so I got her started on Linux. Her main application is that she plays an online scrabble game (not the famous facebook one). She'd been unable to use her virus-infested computer for a long time, so it had been a long time since she'd been able to play scrabble. I got her set up on a spare linux box in the family room, and the very first thing she wanted to do was get scrabble working. Well, she just couldn't remember her username and password for this server. Tried a bunch of things, no luck. She was bummed out, too, because she'd had a high rating, and creating a new account with a zero rating meant it would be hard for her to get games. It would have been a lot better, from her point of view, if she'd been able to tell them her dog's name and recover her password. Who the heck cares if it leaves her vulnerable to having her scrabble account taken over by evil Russian hackers with handlebar moustaches?
All of this might seem ridiculously easy to handle to us, but I could easily imagine myself having the same problem 10-15 years ago. It's not obvious to her how her email is nested inside her yahoo account, her yahoo account is inside her browser, and her browser is inside her OS. It's not obvious to her that the username and password she uses on yahoo are different from the ones she uses to log in to her linux account.
Re:Are there any good solutions? (Score:4, Insightful)
There are a lot of sites I don't want to give my phone number to.
Yes there are great solutions! (Score:4, Insightful)
That the perception does not match reality is of lesser consequence for the site admin.
Re:I NEVER use these fields (Score:3, Insightful)
Which, in many circumstances, is an entirely reasonable thing to do. In others that might not be safe but it would be ok to write the passwords down and put them in your wallet. It depends on the threat model.
Re:Are there any good solutions? (Score:5, Insightful)
So use that as the question and Fuckwit as the answer. No problem. It's not as though anybody is going to check to see if the answer is a proper name or anything.
Actually, now that I think about it, there's no reason that there has to be any logical or rational connection between the question and answer, just as long as you remember what it is. I mean, is anybody at your bank going to complain if your answer to the question, "What city did you grow up in?" is, "Judy Garland," and if so, why?
Re:Are there any good solutions? (Score:5, Insightful)
At my bank, they ask what was the drill instructor's name if I was in the military... how the hell do I know, all I remember is 'fuckhead'
So use that as the question and Fuckwit as the answer. No problem. It's not as though anybody is going to check to see if the answer is a proper name or anything.
Right away, you see the problem with this approach. The GP wrote "fuckhead", and within 5 seconds of reading this, you already forgot that it was "fuckhead" and wrote "Fuckwit" instead. Not only did you get the word wrong, but you capitalized the "F" when the GP did not.
Actually, now that I think about it, there's no reason that there has to be any logical or rational connection between the question and answer, just as long as you remember what it is. I mean, is anybody at your bank going to complain if your answer to the question, "What city did you grow up in?" is, "Judy Garland," and if so, why?
Your bank isn't going to complain, but your future-self is going to. I got a bank account as a teenager, and one of the security questions was "What is your dream job". 10 years later, they asked me what I had put as my dream job. I completely blanked out. I remember I wanted to make videogames when I was a kid, so I tried "video game programmer", "videogame programmer", "game programmer", "game developer" and they were all rejected. Well, I was also in a rock band for a while, so I tried "rock star", "musician", etc. Nothing worked. In the end, I had to visit the bank in person, which meant taking some hours off of work, which was inconvenient because we were in an overtime crunch period.
And this was for a question that I assumed I had answered earnestly (as opposed to "growing up in Judy Garland"); except it was merely a question that didn't really have a great significance to me, and so my answer likely changed with time. So unless you really have a strong memory associated with "growing up in Judy Garland" (perhaps because of some sort of inside joke), it's probably best not to try to be "clever" with these security questions.
Some woman giving a 401K presentation... (Score:3, Insightful)
Some woman giving a 401K presentation at my work was talking about their website and how they have the question/answer fall back for when you forget your password. She said not to use a question with a simple, possibly well known answer like "What's your favorite color?" I piped up with my answer, "Fish!"
The point is, just because the question is constant, the answer doesn't have to be, it can basically be a second password.
Re:Only broken if e-mail cracked (Score:3, Insightful)
I'd be less worried about your individual email account and more worried about that Exchange installation on the NT4 box in the janitor's closet that your employer uses as a mail server. Having everyone's password reset data is better and often easier than having just yours.
On lower-security sites like this, I tend to send a password reset link with a long (about 40 character) random string as part of the URL that is good for 24 hours, until the password is reset, or the "I did not request this reset" link is followed instead. You'd be surprised how many people get a password sent to them in an email then refuse to change that.
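The reset flow described in the comment above (a long random token in the link, a 24-hour lifetime, dead once the password is reset, and a separate "I did not request this" link that kills it) as an added, runnable illustration; this is not the commenter's code, and the extra step of storing only a hash of the token, so a leaked table cannot be used to reset anyone's password, is an assumption of this example, not something the comment describes:

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL = 24 * 60 * 60  # reset links are good for 24 hours


def _digest(token: str) -> str:
    # Only the hash is kept server-side (assumption of this example, not the comment's design).
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class ResetRecord:
    user: str
    expires_at: float
    cancelled: bool = False


@dataclass
class PasswordResetService:
    _pending: dict = field(default_factory=dict)   # token digest -> ResetRecord
    passwords: dict = field(default_factory=dict)  # user -> password (toy store for the demo)

    def issue(self, user: str, now: float = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(30)  # 30 random bytes -> 40 URL-safe chars, ~240 bits
        self._pending[_digest(token)] = ResetRecord(user, now + TOKEN_TTL)
        return token  # goes into the e-mailed link; never stored in the clear

    def _live(self, token: str, now: float):
        rec = self._pending.get(_digest(token))
        if rec is None or rec.cancelled or now > rec.expires_at:
            return None
        return rec

    def redeem(self, token: str, new_password: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        rec = self._live(token, now)
        if rec is None:
            return False
        self.passwords[rec.user] = new_password  # a real site stores a salted password hash
        del self._pending[_digest(token)]        # single use: the link is dead after reset
        return True

    def cancel(self, token: str) -> bool:
        # The "I did not request this reset" link: marks the token unusable without changing anything.
        rec = self._pending.get(_digest(token))
        if rec is None:
            return False
        rec.cancelled = True
        return True
```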
Re:Not just your email, either... (Score:3, Insightful)
Moreover, if there's no extradition treaty then there's no being extradited to there if someone should happen to be tied to their untimely demise or fraudulent financial ruin then slip back to the original country.
Re:Preferences are stable? (Score:5, Insightful)
Truth is, preferences are *not* stable; my tastes in music have changed over the last ten years. I recall answering a "what's your favorite band" question to get my password, and I had to think back and guess who I was a fanboy of at the time I decided what the answer should be.
Adding to that, preferences are not particularly secret. Here's the pepsi challenge: I'm male, I read slashdot. Use that to figure out which eight of these I like, and which eight I dislike:
Video games, Casino gambling, Fashion, Watching figure skating, Reality shows, Skating, Going to libraries, Playing golf, Heavy Metal music, Reading comics, Going to bookstores, Gaming, Cats, Documentaries, Watching golf, Watching bowling.
I haven't chosen any of them to be easy to guess, just some preferences I feel I could remember. Note also that there's [16 choose 8] possible answers, or 16!/8!/8! = 12870. That's less than 14 bits of randomness; choices are highly likely to be non-uniform and non-independent, so expect less than 14 bits.
Here's some of my likes that are "obvious" from my reading Slashdot: [Video games, Going to libraries, Reading comics, Going to bookstores, Gaming, Documentaries]. Now you only have to find the remaining two likes, among ten options. Note that 10 choose 2 is 10!/8!/2! = 45. Say after three wrongs you're locked out for an hour. Ooh, it's going to take a whole fifteen hours to crack me and steal all my monies. (OMG monies).
Even if you disagree on what's obvious about my likes, it seems like you could order them from most to least likely and my fellow slashdotters would still be _roughly_ in agreement. Try all combinations of likes and dislikes from most to least likely; there's your cracking algorithm.
(the remaining ones are cats and heavy metal)
Re:Wait a minute... (Score:4, Insightful)
Simple - just because that's what the form has asked for, it doesn't mean that's the data you have to put in.
Mother's maiden name? "Han solo"
First Pet? "Giraffe"
First car? "Slashdot"
I don't think I've *ever* put in the correct answers to those questions. So long as the answers are known to you, and you remember what you put against what, then what does it matter?