Password Resets Worse Than Reusing Old Password

narramissic writes "We all know well the perils of password reuse. But what about the information used to reset passwords? Many sites use a standard set of questions — your mother's maiden name, the name of your best friend, what city you grew up in, or what brand your first car was. And you probably have a standard set of responses, making them easy to remember but not very secure. 'The city you grew up in and your mother's maiden name can be derived from public records. Facebook might unwittingly tell the name of your best friend. And, until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car,' says security researcher Markus Jakobsson. But 'password reset does not have to be a weak link,' says Jakobsson. 'Psychologists know that people's preferences are stable — often more so than long term memory. And very few preferences are recorded in public databases.'"

  • by Anonymous Coward on Wednesday August 13, 2008 @08:27PM (#24592647)

    'The city you grew up in and your mother's maiden name can be derived from public records.'

    I don't know if you can find the city that you grew up in in public records, but I know that in Minnesota, I can get anybody's name, date of birth, place of birth, mother's maiden name, and father's name with just a few clicks on the 'puter (for free).

    Many folks put other personal details on their blogs or other places online and it doesn't take much to find quite a bit about their personal lives. Add that with just a touch of social engineering, you can get a bunch of data about your target.

    Even if the questions are secure, many times the mode of delivery/reminder is not. I don't know how many times I have had to reset/get a password renewed by asking all those stupid questions on a secure web page just to have them resend a password free text to my yahoo account. These aren't important sites to me, but I still wouldn't want anybody snatching this data.

    This preference method has flaws too. I change my preferences often. So while it may have some good points, it looks rather like a marketing gimmick to me. How long would it take for your likes and dislikes to be sold to the spammers?

  • Even worse... (Score:5, Interesting)

    by Shados ( 741919 ) on Wednesday August 13, 2008 @08:28PM (#24592659)

    Even worse is that some of those systems are freakin' picky too.

    You may know the answer. But it may be case sensitive, and fairly picky. "What's your favorite food?" Is it Curry, curry, curry chicken, Curry Chicken, chicken, Chicken?

    I got locked out of my bank account because of that BS once (it wasn't a password reset though, it was a 2 step authentication, so it asked that on TOP of the password)

  • by davidwr ( 791652 ) on Wednesday August 13, 2008 @08:48PM (#24592853) Homepage Journal

    It's pretty hard for a virus to read what's beneath the desk. Not impossible if the virus can control your employer's security cameras, but difficult.

  • Re:HA! (Score:1, Interesting)

    by RancidMilk ( 872628 ) on Wednesday August 13, 2008 @08:51PM (#24592881)
    Too bad they generally get three guesses.
  • by strabes ( 1075839 ) on Wednesday August 13, 2008 @08:55PM (#24592913)
    Just a question: How do you keep track of all the different passwords of all the different websites which you sign into?
  • by Itninja ( 937614 ) on Wednesday August 13, 2008 @08:59PM (#24592951) Homepage
    I was surprised recently when my bank asked for all this type of information (i.e. childhood friend, first school), but didn't have me confirm a single field. There was just a single text field for each question. God help me if I fat-fingered one of the answers. Was my first school All City Elementary...or All City Elemntary? OH CARP!
  • by AJNeufeld ( 835529 ) on Wednesday August 13, 2008 @09:05PM (#24593015)
    Is this really that much of a security issue? The new password is sent to your registered e-mail address, and only if you log in with the new password will your old password be changed. Otherwise, your password remains unchanged. So, unless the e-mail is sniffed in transit, or your e-mail account has been hacked, this shouldn't be an issue.
  • Re:pff (Score:3, Interesting)

    by iocat ( 572367 ) on Wednesday August 13, 2008 @09:05PM (#24593021) Homepage Journal
    Mine was "Password." It's horrible.

    Seriously, I do reuse passwords -- I use the same pw for low-security sites (message boards, excluding slashdot), but increasingly obscure unique ones for more highly secure sites and uses.

    My favorite pw creation scheme is to take a sentence that's easy to remember a la "I grew up in Boston, Mass, 02120," from which I derive IgUiBm)2!2), which is a fairly secure pw -- it's easier to remember a sentence than it is single complex word (at least for me).

  • by zappepcs ( 820751 ) on Wednesday August 13, 2008 @09:07PM (#24593053) Journal

    The only set of questions that are any good are the set that you can make up yourself. At my bank, they ask what the drill instructor's name was if I was in the military... how the hell do I know, all I remember is 'fuckhead'

    They never tell you whether spaces count or not. I would like a password reset that involved two network methods: Okay, I change it, but it doesn't count until I send a text message from my phone too, or something like that. Verification via email is good, but off-net authentication would be better. I wouldn't even mind that kind of authentication for access on a regular basis, say if my account is accessed by a pc that either does not have a cookie already or that is not used normally to access my account. Picture or background validation is also good against phishing, but let me upload my own pic? please? No matter how random I make the pic, it will always be something I know, and can update regularly. I mean, what's better than a simple text graphic for background that simply says "fuck W" or some other phrase you will remember?

    Security could be much simpler than it is, much better than it is. There seems to be no inspiration to implement it. That second network usage is invaluable. Give me a screen to pick one of several options (configured in preferences) such as cell, landline, SMS message, pager etc. I pick (and provide phone number) and you send the one-time authentication code that is in addition to my normal login credentials. It's easy really.

    The same authentication security can be used for password resets. Send a temp password to pre-authorized off-net device or address, or let me set the new temp password via telephone etc. It really isn't that difficult.

  • by v1 ( 525388 ) on Wednesday August 13, 2008 @09:08PM (#24593059) Homepage Journal

    I had to be clubbed on the head to realize this obvious universal truth:

    The answer to your "secret question" doesn't have to have anything to do with the stated question.

    I got upset at my bank because they only had four questions they'd let me use. Oldest sibling's name. (only child?) First pet. (which one?) Town you grew up in? (which one?) favorite color (don't have one). The really crazy part is these were ALL questions. The bank will randomly challenge me with one of those questions.

    After yet another challenge lockout, the rep kindly informed me to just treat the secret questions just like another password field, and put in whatever else you'd like for another password. I could even use the same answer for all the questions.

    d'oh. That's simpler than it looks.

    It gets better. The "random" nature of the challenges was bugging me. The rep then said do you want to just make it ALWAYS challenge you? do it! Much better. I need consistency more than the random chance things are simpler. It always sends me looking for my password list when a forum or something I normally visit daily I miss for a few days and it logs me out. Having to enter the password for something every time you use it, and having to use it frequently, is much better for memorizing these things.

  • Easier to defeat (Score:4, Interesting)

    by MasterOfDisaster ( 248401 ) <kristopf@gmELIOTail.com minus poet> on Wednesday August 13, 2008 @09:10PM (#24593085) Homepage Journal

    I would think it would be easier to find out my preferences from looking at my Facebook page than it would be to determine my mother's maiden name, best friend's name or what my first car was - you won't find any of that information spelled out clearly on facebook, but you would be able to look at my "Interests" to see what type of music, tv or foods I liked or view my pictures and see plenty of photos of me in art galleries and raves, but none at sporting events, for example.

    Plus, as everyone knows, a multiple choice test is much easier to pass by answering randomly than a something where you have to fill in the blanks.

  • by EWillieL ( 15339 ) * on Wednesday August 13, 2008 @09:23PM (#24593179)

    My wife's business website was routed to a porn site for three days a couple years ago. They transferred the domain from her account to their own account with another registrar, and pointed it to their own DNS servers.

    They accessed her account by, you guessed it, compromising her primary email account using the "secret questions". As it turns out, the perpetrators knew all the right answers, because they were her ex-husband and his apparently-vindictive second wife.

    They had unfettered access to her email account for over a year while they plotted this bit of nastiness. Such activity is a felony where we come from, but they moved out of the country before charges could be pressed.

    Needless to say, my wife uses a bogus set of "secret" answers that even I don't know. Not that she's not trusting or anything... ;-)

  • Grocery Cards (Score:1, Interesting)

    by Anonymous Coward on Wednesday August 13, 2008 @09:27PM (#24593219)

    What do you mean "yet"?

    I bet there are a LOT of preferences that could be deduced from the records on your grocery card.

    The only good thing is that you do NOT always have to fill out the form. They'll take out a new card, swipe it, then give you a form to send in later. If you don't fill out the form, they don't care. They'll get that information if you ever use your credit card and that shopping card together. Some also let you enter your phone number instead, which once again ties things to your identity (unless you use a specific fake phone number...).

    Of course, it's not hard to find loopholes here that still let you maintain some level of privacy. But you have to be careful.

    Of course, if you want to be sneaky, keep that blank card unaffiliated with your identity, then offer to let someone else use your shopper card when they're paying by credit card. Should make things interesting.

    Personally, I avoid getting the cards entirely if I can't save some privacy. I know that I pay more, but I'm not having my life entered into a database for a $1.25 discount. I'm convinced that people will find ways to systematically abuse this data in the future, and I don't want to find out how they will do that.

  • by Prien715 ( 251944 ) <agnosticpope@nOSPaM.gmail.com> on Wednesday August 13, 2008 @09:36PM (#24593315) Journal

    I use them all the time. And I fill them out with information of a fictional character.

    Say, I'll put my name as Bilbo Baggains (actually using Brado Bompkins or something similar) and my hometown as "The Shire" and "bacon" as my favorite food. This lets me use unique information and track it. So if a site emails me and says "Hey Bilbo, you just won a new car!" I can tell you who exactly sold my email address.

  • by Thaelon ( 250687 ) on Wednesday August 13, 2008 @09:53PM (#24593447)

    Neither password reuse nor password reset questions are as bad as passwords that expire.

    Seriously, everybody knows you pick one password then increment the number on the end. To make matters worse, companies will often shove network drives down your throat via the domain policy, that, once your password changes, lock you out of everything. Security through inconvenience of your authorized users. Great!

  • by zappepcs ( 820751 ) on Wednesday August 13, 2008 @10:10PM (#24593585) Journal

    You can use throwaway or unassociated voice mail services like http://www.voicenation.com/ [voicenation.com] if you wanted, or a phone at the library if needed, etc. The point is that being able to use POTS lines is important for many people still, and it is off-net. I agree with your sentiment though.

  • Re:Even worse... (Score:2, Interesting)

    by richardellisjr ( 584919 ) on Wednesday August 13, 2008 @10:22PM (#24593697)

    That's one of the most irritating things. I use a 12 character password, mixed upper and lower case, with two punctuation symbols, and no dictionary words, and it's still insecure because it doesn't have a number?

    I wish there was a password standard everyone would adhere to; as it stands my more than complex enough password is impossible to use everywhere because some sites require numbers, others won't allow certain symbols. What's the point in no punctuation? I know that it's going into a database that allows punctuation in its columns.

  • Other problems (Score:2, Interesting)

    by Anonymous Coward on Wednesday August 13, 2008 @10:25PM (#24593725)

    Two other related problems:

    1) Browsers remembering passwords for you. Because of speed-dial, I don't know my girlfriend's cell number. Same concept applies. Everything works fine until you have to reinstall the OS then you're foosed.

    2) Frequent mandatory password changes with strict requirements. Just how many random alpha-numeric sequences can the average person remember? Naturally people write these passwords down somewhere near their computer and voila: Password is next to useless. If someone breaks into the office, chances are good at least one of the employees has a password in their desk.

  • Re:pff (Score:3, Interesting)

    by CastrTroy ( 595695 ) on Wednesday August 13, 2008 @10:38PM (#24593863)
    A friend of mine used to generate passwords by coming up with a word, and interleaving it with a number. So, let's say you have the word house, and the number 12345, which are both brutally easy to guess passwords, and when you combine them you get h1o2u3s4e5, which would probably be a pretty secure password. Mix in a couple of shift keys, and you end up with h1O@u3S$e5, which is probably even less likely to be broken by any dictionary attack. Now in reality you would choose words and numbers that are even less common, so you'd end up with a really secure password. The really nice thing about this trick is that, in most GUI based logins, you can just type the word part of your password (house), then move the cursor back to the second character, and type each character from the number, followed by pressing the right arrow key. So you actually get a nice password that's easy to remember, and easy to type.
  • Re:Even worse... (Score:3, Interesting)

    by camken ( 568412 ) on Wednesday August 13, 2008 @10:46PM (#24593947) Homepage
    i prefer using barcode passwords with a barcode reader.. easier than remembering them, and i can keep a 'list' of my passwords in my wallet which, even if stolen, still most likely wouldn't mean anything as i use shorthand to describe everything and the barcodes aren't printed alongside (usually i use stuff like my pack of cigarettes, a can of beer, etc) and if i ever need to get a password hint from a site i fill out the answer as the object i used to generate the password.. the nice thing is that they're nearly random, easy to remember mnemonics, and generally strong.. then i just keep a good high-security password for banking purposes..
  • by UncleTogie ( 1004853 ) * on Wednesday August 13, 2008 @11:11PM (#24594165) Homepage Journal

    Actually, now that I think about it, there's no reason that there has to be any logical or rational connection between the question and answer, just as long as you remember what it is. I mean, is anybody at your bank going to complain if your answer to the question, "What city did you grow up in?" is, "Judy Garland," and if so, why?

    Dang. Busted.

    This is one of my fave tricks. I have a standard set of answers to match those questions, and as you indicated, they have NOTHING to do with the question. Simple, basic, and with multiple possible answers per question, I just try the first, then second if the first doesn't work, etc....

  • Re:Even worse... (Score:4, Interesting)

    by Nebu ( 566313 ) <nebupookins@NosPAm.gmail.com> on Wednesday August 13, 2008 @11:27PM (#24594299) Homepage

    Unless your time is worth more than $2000/hr, better locked and inconvenienced than compromised.

    You can't just look at the gain/loss of the two alternatives and decide which is better merely from that. You also have to take into account the probability, and multiply the gain/lost by the probability.

    For example, if you make $40/h, and you access your bank account 5 times a month, and it takes you an extra 60 seconds, because of the inconvenience of the added "security" questions, and if you still have a good 30 years of employment left, then over your life, the questions would have cost you $1200, and that's assuming you never get a raise. The security questions are always there, so you have a 100% chance of being inconvenienced each time you try to access your account.

    Most people don't get their bank accounts broken into, even without security questions. Let's be pessimistic and imagine 1 out of 1000 people who don't have security questions get hacked. Let's say the security questions are really secure (i.e. not merely "what is your maiden name") and they actually halve the chance of getting hacked, even though you post a lot of your personal information such as your favorite color, or your dog's name on Facebook. If you only ever keep about $5000 in your bank, then the security questions have lowered your risk from 0.1% (i.e. $5) to 0.05% (i.e. $2.50)

    So would you rather get $1200, or $2.50?

  • Re:Password reset? (Score:3, Interesting)

    by bill_mcgonigle ( 4333 ) * on Wednesday August 13, 2008 @11:36PM (#24594369) Homepage Journal

    E-mailed passwords aren't a panacea either. People leave their non-SSL e-mail clients connected all the time on wireless, for instance.

    The idea is that you do all of your password reset online. The quality of this system varies widely, and by widely I mean almost all of them are on the "crap" side. So, if you want to get somebody's account, you force three bad logins and answer what the name of their pet dog is, and defeat their 20-digit alphanumeric password. I kid, but only half.

    There are plenty of researchers who have come up with better systems that are much harder to defeat, but all web-only systems have some weaknesses. I have one site that uses PIN codes via SMS as an alternate channel. Shocker, right, good systems use multiple paths to make compromise harder?

    Most implementers only care about security theatre, however, and they don't bear the cost of their shoddy workmanship, so things aren't likely to change.

  • Re:Even worse... (Score:3, Interesting)

    by profplump ( 309017 ) <zach-slashjunk@kotlarek.com> on Thursday August 14, 2008 @12:06AM (#24594591)

    You're assuming the two are mutually exclusive. In most of the examples I've seen, I can both be annoyed/locked out regularly AND have someone else gain access. Even with the recently mandated two-factor systems, many banks still ask you to log in using a 4-digit numeric PIN, plus some bit of personal trivia -- better than just a PIN, but probably not as good as a strong password.

    Not to mention the shared passwords required on joint accounts at many banks. I trust my partner with my money, but that doesn't mean I want them to impersonate me when logging in -- access control and authentication should be separated. This problem is only complicated by the personal-trivia questions, as you now have to remember someone else's personal trivia and capitalization habits.

    Is there some reason the bank couldn't just send me a list of one-time passwords on a wallet-sized card every month (or whenever I exhaust the list)? A one-time password plus my usual account password would be much better security, and easier to use. It would cost almost nothing, it would have no relation to public data or my personal preferences, and there's nothing I need to remember beyond my standard password.

  • by nerdonamotorcycle ( 710980 ) on Thursday August 14, 2008 @12:35AM (#24594795)
    I haven't seen very many of these lately, but some while ago there were a bunch of those online memes like "What's your pornstar name?", "What's your rapper name?", etc., where you put in stuff like the name of your first pet and the street you grew up on into a form to come up with the screen name you should use as a pornstar or something. On occasion there's some CGI code that produces a somewhat-randomized answer using your input as the seed. The intent is for you to cut-n-paste the sometimes-humorous answer into your LiveJournal or Facebook or MySpace for your friends to giggle at and possibly follow up with answers of their own.

    Have you ever noticed that many of the questions those things ask you are the same things that websites use for "secret questions"?
  • Re:hashapass.com (Score:2, Interesting)

    by robonasty ( 1305315 ) on Thursday August 14, 2008 @12:59AM (#24594971)

    Unless you are hashing to create the passwords and storing them elsewhere...

    Usually I use the Firefox password manager to encrypt them with the same master password. Very convenient: since Firefox usually selects the login button, I can just type the master password and press enter twice.

    ...then you are dependent on that site being available.

    Not really, you could always save a local copy of the site. Actually, since hashapass uses SHA1 [wikipedia.org], all you need to do is calculate HMAC-SHA1 for your passwords and parameters, and then encode that to a base64 string.

  • by SaberTaylor ( 150915 ) on Thursday August 14, 2008 @01:03AM (#24594993) Homepage Journal

    repost of comment: 'passwords are bad use asymmetric keys' on Tuesday August 12, @08:07AM (#24566319 [slashdot.org])

    the copy-paste, then the amendment:

    The solution to authentication is something like the IronKey (a hardened USB drive for storing passwords) but with asymmetric crypto.

    So you would go to Gmail, gmail would send a challenge that goes to the browser. A library on your browser would send the challenge to the USB device. The USB device would respond by signing the challenge asymmetrically, and that signature would route back through the browser to Gmail. Then you have 1 authenticated session until you destroy it. For sake of convenience imagine the implementation as using PGP -- public key, private key. Gmail has the public key, your USB device has the private key.

    This is great since you could read your webmail on a friend's computer, or post Slashdot comments without leaving behind a persistent authentication token (barring a fake logout screen). Or there could be a keylogger on your home computer but it wouldn't be able to scrape persistent passwords and pass those on.

    The only reason that humans don't use asymmetric security is that we're too stupid. Otherwise if we wanted high security we would be looking at screens of cyphertext and reversing the one-way function (a^b=c) in our heads. Given that we're too dumb, why not put our authenticator on a device that goes on a keychain with our other keys? (And you could make a backup just like with your other keys.)

    [...]
    -- amendment --

    - no I'm not talking about a simple USB drive. That's why the IronKey is dumb since a rooted PC could mirror it.
    - the usb device could have all sorts of fancy stuff like LED screen or PIN, i.e. it's not just a flashdrive as I said, it does public-private key crypto -- you can't read all its private data by plugging it in. the point is to get support for asymmetric authentication and allow the free market to provide the level of extra nuisance consumers want.
    - 90% don't want this, which is good, happy for them, I'm part of the 10%. So the legacy symmetric password support wouldn't go away and the 10% who want asymmetric passwords on a hardened low complexity (complexity is the enemy of security -- that's why your PC is as leaky as a sieve) device would have that option.
    - i like bullet points
    - proof-of-concept on a smartphone might be helpful.
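The exchange SaberTaylor sketches (site sends a challenge, the keychain device signs it, the site verifies with the stored public key) is shown below as an added example in Go; it is not the commenter's code and not any real device's firmware. It assumes Ed25519 in place of the "PGP" key pair, a 32-byte random nonce as the challenge, and, as the defender's detail the post leaves implicit, that every challenge is single-use so that a keylogger which captures one signature gets nothing it can replay.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Token models the keychain device: it holds the private key and only ever
// emits signatures, never the key itself (the "you can't read its private
// data by plugging it in" property the post describes).
type Token struct {
	priv ed25519.PrivateKey
}

// Sign answers a challenge by signing it with the device's private key.
func (t *Token) Sign(challenge []byte) []byte {
	return ed25519.Sign(t.priv, challenge)
}

// Service models the web site: it stores only the public key and the set of
// challenges it has issued but not yet consumed.
type Service struct {
	pub      ed25519.PublicKey
	pending  map[string]bool
	Sessions int
}

// Enroll generates the key pair and hands the private half to a new Token
// and the public half to a new Service (the one-time registration step).
func Enroll() (*Token, *Service, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, &Service{pub: pub, pending: map[string]bool{}}, nil
}

// Challenge issues a fresh 32-byte random nonce and remembers it as pending.
func (s *Service) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Login checks that the nonce is one we issued and still unused, consumes it,
// then verifies the signature. Consuming it before verifying means a captured
// nonce/signature pair cannot be submitted a second time.
func (s *Service) Login(nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	if !s.pending[key] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, key)
	if !ed25519.Verify(s.pub, nonce, sig) {
		return errors.New("signature does not verify under the enrolled public key")
	}
	s.Sessions++
	return nil
}

func main() {
	token, svc, err := Enroll()
	if err != nil {
		panic(err)
	}
	nonce, _ := svc.Challenge()
	sig := token.Sign(nonce)
	fmt.Println("fresh login:", svc.Login(nonce, sig)) // accepted
	fmt.Println("replay:     ", svc.Login(nonce, sig)) // rejected: nonce consumed

	// A token that was never enrolled with svc cannot answer its challenges.
	stranger, _, _ := Enroll()
	nonce2, _ := svc.Challenge()
	fmt.Println("wrong key:  ", svc.Login(nonce2, stranger.Sign(nonce2))) // rejected
}
```

Two design points the code makes concrete: the service never holds anything that lets it (or anyone who breaches it) impersonate the user, only a public key; and the nonce is both random and consumed on first use, which is what turns "a keylogger on your home computer" from a credential theft into a one-time nuisance. The fake-logout-screen problem the post mentions is about session handling after authentication and is not addressed by the exchange itself.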

  • by toleraen ( 831634 ) * on Thursday August 14, 2008 @09:20AM (#24598007)

    I got a bank account as a teenager, and one of the security questions was "What is your dream job". 10 years later, they asked me what I had put as my dream job.

    This is what drives me nuts. When most places have a series of questions to select from it's always mother's maiden/first car/etc, which I never want to answer. If they do have something other than those, it's "What's your favorite author/movie/food/band". Well that's helpful, it's whatever book I just read / movie I just saw / what I'm making for dinner / what's going through my headphones. Three weeks later, they're useless.

    It's forgetting those types of answers that drove me to using a generic answer for each question. It'd be nice if places started allowing you to type in your own question, or ask extremely obscure questions with answers that shouldn't change.

  • Re:Wait a minute... (Score:2, Interesting)

    by LVSlushdat ( 854194 ) on Thursday August 14, 2008 @11:14AM (#24599687)

    What absolutely blows my flippin' mind is the sites that ask you these questions, and hide the answers you typed with asterisks, as though they were a password. This kinda defeats my cut/pasting the exact answers I used into my local encrypted password store. And of course, after 6 months, you try to log in in a hurry to pay your car insurance premium (Yes.. I'm talking about YOU, StateFarm Insurance...), you can't remember *precisely* what you entered 6 months ago, case and everything... so you *have* to call into their offshore callcenter, and wait..wait..wait.. This was a significant reason I dumped them, not to mention saving nearly $800/yr with another carrier...

  • Re:Wait a minute... (Score:3, Interesting)

    by piers_downunder ( 595518 ) on Thursday August 14, 2008 @11:59AM (#24600467)
    My SO entered bogus info when she signed up for a Yahoo email account many years ago. She never deleted anything from it and had literally thousands of messages in it, some unread, some with financial info, and some with enormous sentimental value (such as email and voicemail from her late brother).

    All well and good until the website timed out when she went to change the password. Suddenly neither the new password nor the old one would work. The only way Yahoo would let her back into her account was if she could answer some of the info she filled in with junk many moons before. She still has no recourse to get back in six months later.

    It's all well and good to be paranoid and enter bogus info when you sign up for a free website, but you might want to consider that if you don't store a record of it, you might get locked out of your own account forever.
