
Password Resets Worse Than Reusing Old password

samzenpus posted more than 6 years ago | from the one-password-when-you're-born dept.

Security 420

narramissic writes "We all know well the perils of password reuse. But what about the information used to reset passwords? Many sites use a standard set of questions — your mother's maiden name, the name of your best friend, what city you grew up in, or what brand your first car was. And you probably have a standard set of responses, making them easy to remember but not very secure. 'The city you grew up in and your mother's maiden name can be derived from public records. Facebook might unwittingly tell the name of your best friend. And, until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car,' says security researcher Markus Jakobsson. But 'password reset does not have to be a weak link,' says Jakobsson. 'Psychologists know that people's preferences are stable — often more so than long term memory. And very few preferences are recorded in public databases.'"


420 comments


Are there any good solutions? (2, Interesting)

Anonymous Coward | more than 6 years ago | (#24592647)

'The city you grew up in and your mother's maiden name can be derived from public records.'

I don't know if you can find the city that you grew up in in public records, but I know that in Minnesota, I can get anybody's name, date of birth, place of birth, mother's maiden name, and father's name with just a few clicks on the 'puter (for free).

Many folks put other personal details on their blogs or other places online and it doesn't take much to find quite a bit about their personal lives. Add that with just a touch of social engineering, you can get a bunch of data about your target.

Even if the questions are secure, many times the mode of delivery/reminder is not. I don't know how many times I have had to reset/get a password renewed by asking all those stupid questions on a secure web page just to have them resend a password free text to my yahoo account. These aren't important sites to me, but I still wouldn't want anybody snatching this data.

This preference method has flaws too. I change my preferences often. So it may have some good points, but it looks rather like a marketing gimmick to me. How long would it take for your likes and dislikes to be sold to the spammers?

Wait a minute... (3, Funny)

PC and Sony Fanboy (1248258) | more than 6 years ago | (#24592947)

Yes, it is available through public record. But that isn't enough! What if your siblings like to play pranks on you, or if your mother is trying to get you to move out of your basement?

How do I protect myself from THEM?!

Re:Are there any good solutions? (4, Interesting)

zappepcs (820751) | more than 6 years ago | (#24593053)

The only set of questions that are any good are the set that you can make up yourself. At my bank, they ask what the drill instructor's name was if I was in the military... how the hell do I know, all I remember is 'fuckhead'

They never tell you whether spaces count or not. I would like a password reset that involved two network methods: Okay, I change it, but it doesn't count until I send a text message from my phone too, or something like that. Verification via email is good, but off-net authentication would be better. I wouldn't even mind that kind of authentication for access on a regular basis, say if my account is accessed by a pc that either does not have a cookie already or that is not used normally to access my account. Picture or background validation is also good against phishing, but let me upload my own pic? please? No matter how random I make the pic, it will always be something I know, and can update regularly. I mean, what's better than a simple text graphic for background that simply says "fuck W" or some other phrase you will remember?

Security could be much simpler than it is, much better than it is. There seems to be no inspiration to implement it. That second network usage is invaluable. Give me a screen to pick one of several options (configured in preferences) such as cell, landline, SMS message, pager etc. I pick (and provide phone number) and you send the one-time authentication code that is in addition to my normal login credentials. It's easy really.

The same authentication security can be used for password resets. Send a temp password to pre-authorized off-net device or address, or let me set the new temp password via telephone etc. It really isn't that difficult.

Even worse... (5, Interesting)

Shados (741919) | more than 6 years ago | (#24592659)

Even worse is that some of those systems are freakin' picky too.

You may know the answer. But it may be case sensitive, and fairly picky. "What's your favorite food". Is it Curry, curry, curry chicken, Curry Chicken, chicken, Chicken?

I got locked out of my bank account because of that BS once (it wasn't a password reset though, it was a 2 step authentication, so it asked that on TOP of the password)

Re:Even worse... (5, Insightful)

Wrath0fb0b (302444) | more than 6 years ago | (#24592773)

Unless your time is worth more than $2000/hr, better locked and inconvenienced than compromised.

Re:Even worse... (1)

Shados (741919) | more than 6 years ago | (#24592897)

Of course, I cannot put non-alphanumeric characters or more than 9 characters in my password.

So it's kind of inconsistent.

Re:Even worse... (4, Funny)

liquidpele (663430) | more than 6 years ago | (#24592841)

hahaha... this reminds me of when I forgot my username to my online bank!
I called in, and explained I couldn't remember my username. They asked me what I thought it was, and I told them. Then they said, "that's part of it.. what else might be there?" and I said "wel...." and named a number. They said "that's one of the numbers.. what is the other one?"... So I said "you can't just tell me?" and they said "no, I can only tell you that it's right or wrong" so I named off all 10 numbers until I got the last one right...

Dumb thing was, I remembered afterwards that I only added those numbers because they *required* numbers in their USERNAME... sigh.. stupid banks.

Re:Even worse... (2, Funny)

Tubal-Cain (1289912) | more than 6 years ago | (#24593429)

Let me guess... 42? 1337? 3.141592653589793helpimtrappedinauniversefactory7108914...?

Re:Even worse... (1)

Beolach (518512) | more than 6 years ago | (#24592991)

You either didn't follow the link [blue-moon-...cation.com] in the blurb, or you're referring to some of the existing systems - in which case I agree w/ you. The way they [blue-moon-...cation.com] did it was a setup step, where you selected 8 likes and 8 dislikes. Then when you need to authenticate, it shuffles those 16 items, and you select whether you like or dislike each item - no spelling required.
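The likes/dislikes challenge described in the comment above, as an added example that is not code from the original thread or from the vendor: enrol 8 liked and 8 disliked items, shuffle all 16 per challenge, and require every label to match. Class and function names, the attempt limit of 3, and the `random_guess_success` helper (which also shows what a "forgiving" variant that tolerates a few wrong labels would cost) are this example's own assumptions.

```python
import secrets
from math import comb
from typing import Dict, List


class PreferenceAuth:
    """Preference-based reset challenge (names and structure are assumptions).

    Enrollment stores 8 liked and 8 disliked items; each challenge shuffles
    the 16 and the user labels every one, so no spelling is involved.
    """

    def __init__(self, likes: List[str], dislikes: List[str],
                 n_each: int = 8, max_attempts: int = 3) -> None:
        if len(likes) != n_each or len(dislikes) != n_each:
            raise ValueError(f"need exactly {n_each} likes and {n_each} dislikes")
        if set(likes) & set(dislikes) or len(set(likes) | set(dislikes)) != 2 * n_each:
            raise ValueError("items must be distinct and not both liked and disliked")
        self._truth: Dict[str, bool] = {}
        for item in likes:
            self._truth[item] = True
        for item in dislikes:
            self._truth[item] = False
        self.max_attempts = max_attempts
        self.attempts = 0

    def challenge(self) -> List[str]:
        """Return the 16 enrolled items in a fresh CSPRNG-shuffled order."""
        items = list(self._truth)
        for i in range(len(items) - 1, 0, -1):      # Fisher-Yates using secrets.randbelow
            j = secrets.randbelow(i + 1)
            items[i], items[j] = items[j], items[i]
        return items

    def verify(self, answers: Dict[str, bool]) -> bool:
        """True only if every item is labelled as enrolled and attempts remain."""
        if self.attempts >= self.max_attempts:
            return False                            # locked out: even a correct answer fails
        self.attempts += 1
        if set(answers) != set(self._truth):
            return False                            # must label exactly the enrolled set
        # Count every mismatch instead of returning on the first one, so the
        # response time does not reveal which item was labelled wrong.
        mismatches = 0
        for item, liked in self._truth.items():
            mismatches += int(answers[item] != liked)
        if mismatches == 0:
            self.attempts = 0                       # success clears the failure counter
            return True
        return False


def random_guess_success(n_items: int = 16, tolerated_errors: int = 0) -> float:
    """Probability that one uniformly random labelling is accepted.

    tolerated_errors=0 is the exact-match scheme above (1/65536 for 16 items);
    larger values show how much a variant that forgives mistakes helps a guesser.
    """
    accepted = sum(comb(n_items, k) for k in range(tolerated_errors + 1))
    return accepted / 2 ** n_items
```

With exact matching a blind guess succeeds with probability 1/65536 per attempt; the attempt cap is what turns that into a practical bound.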

Re:Even worse... (1)

Shados (741919) | more than 6 years ago | (#24593449)

I was indeed giving an existing system as a point of reference to compare the article to.

Re:Even worse... (1)

yehooti3 (1310213) | more than 6 years ago | (#24593199)

At work we have so many passwords for so many company sites that I have to write them down because they keep getting reset. No security here because the annoyance of this has caused me to post the current ones near my monitor. I'll cross out the old one and write in the new one. Sure, I scramble it a bit, but the fact that I have to resort to that kind of obfuscation and keep them near is troubling. Better, I think, that I have a strong password that can stand for a year or more, and that I can keep in my head.

Re:Even worse... (1)

fishbowl (7759) | more than 6 years ago | (#24593253)

What musical instrument do you play?

I am equally proficient on Piano, Guitar, and Flute. I have university degrees based on two of those. It's actually hard to remember what I answered, and it kept coming up as a question on some website.

What is your mother's maiden name?

This one is weak in both gender-specific and age-specific ways, as well as being culturally biased toward that segment where women "marry" and "change their names."

Re:Even worse... (0)

Anonymous Coward | more than 6 years ago | (#24593291)

Offtopic rant about stupid bank (in)security ahead. My bank told me I had the option to pick a 6 digit code for my account for telephone banking; I gave them a number and they told me it was no good because it had repeated digits. I told them not to bother with it and I'd just ID myself using personal details, and the bank told me that was fine but the system needed a number so they would set it to 123456. So a 6 digit number with a single repetition is "unsafe", but the most obvious fucking choice that an idiot would choose is ok?

And don't get me started on banks requiring codes to be a fixed length. One bank I no longer deal with would only allow a 3 digit phone PIN, and a 6 character online banking number. 3 digits isn't long enough to be memorable and 6 digits is too short to use one of my memorised gibberish strong passwords. It's like their IT departments are populated by morons.

Re:Even worse... (1)

RazzleDazzle (442937) | more than 6 years ago | (#24593377)

You could just always make sure to use the same case regardless of it being a proper noun or not. For example, if the question is "What was the name of the city in which you went to first grade?" and the city is, let's say, "St. Petersburg", you would just always use "st petersburg", using all lower case and omitting any punctuation. Easy to recall as there is never any variation. Maybe it reduces security, but do you want to actually use the service? If not, cancel your online account.

KISS - keep it simple [stupid|silly]

HA! (5, Funny)

Dice (109560) | more than 6 years ago | (#24592661)

Fooled them. My first car was a Chevy!

Re:HA! (5, Funny)

CaptainPatent (1087643) | more than 6 years ago | (#24592879)

Fooled them. My first car was a Chevy!

*database updated*

Re:HA! (2, Interesting)

RancidMilk (872628) | more than 6 years ago | (#24592881)

Too bad they generally get three guesses.

Re:HA! (1)

JackieBrown (987087) | more than 6 years ago | (#24592907)

Now which bank do you use?

Well (1, Insightful)

Anonymous Coward | more than 6 years ago | (#24592673)

I came up with a standard set of bullshit 10 years ago. I use it to this day. By the way, my first pet was named cfeadr3.

Re:Well (1)

RulerOf (975607) | more than 6 years ago | (#24593389)

It's worse that many places frequently ask you to answer questions that may not apply to you (e.g. what is your spouse's name) or ones with changing answers (your favorite song/movie).

My uncle mentioned that he knew someone who picks a word and answers them all the same way:

What is your mother's maiden name?

blue

What was the name of the high school you graduated from?

blue

What is your favorite color?

blue

...ad infinitum.

Preferences are stable? (5, Funny)

CorporateSuit (1319461) | more than 6 years ago | (#24592679)

Bridgekeeper: Stop. What is your name?
Galahad: Sir Galahad of Camelot.
Bridgekeeper: What is your quest?
Galahad: I seek the Grail.
Bridgekeeper: What is your favourite colour?
Galahad: Blue. No, yel...

pff (1)

Kingrames (858416) | more than 6 years ago | (#24592681)

In most cases being able to reset password with a question like "what's your mother's maiden name?" is worse than making your password "12345".

Re:pff (4, Insightful)

OECD (639690) | more than 6 years ago | (#24592769)

Especially for those who have their mother's maiden name as either a middle name or part of a hyphenated last name.

Re:pff (5, Funny)

jgtg32a (1173373) | more than 6 years ago | (#24592779)

My mother's maiden name was 12345

Re:pff (2, Funny)

Anonymous Coward | more than 6 years ago | (#24592873)

...you insensitive clod?

Re:pff (2, Interesting)

iocat (572367) | more than 6 years ago | (#24593021)

Mine was "Password." It's horrible.

Seriously, I do reuse passwords -- I use the same pw for low-security sites (message boards, excluding slashdot), but increasingly obscure unique ones for more highly secure sites and uses.

My favorite pw creation scheme is to take a sentence that's easy to remember a la "I grew up in Boston, Mass, 02120," from which I derive IgUiBm)2!2), which is a fairly secure pw -- it's easier to remember a sentence than it is single complex word (at least for me).

Re:pff (2, Funny)

punterjoe (743063) | more than 6 years ago | (#24593255)

I'm with you. As far as these security bots are concerned, my mother's maiden name was sodoff. I imagine people just think she was Russian & not that I'm cursing at the stupid question. :D

Re:pff (1)

CaptainPatent (1087643) | more than 6 years ago | (#24593273)

My mother's maiden name was 12345

ahh, then you must be C3PO!

Re:pff (0)

Anonymous Coward | more than 6 years ago | (#24593405)

That's amazing! I bet she has a face like my luggage though.

Re:pff (1)

Reivec (607341) | more than 6 years ago | (#24593443)

I actually always use a standard response to these questions that has nothing to do with the question at all. It is basically just another password that I use as a backup if I can't recall the real one. I have never had an issue where I couldn't recall my password. However my bank's website likes to randomly ask me security questions when I login, which is about the only time I have had to use it.

Re:pff (0)

Anonymous Coward | more than 6 years ago | (#24592893)

Hey! That's the same combination on my luggage!

Re:pff (1)

sconeu (64226) | more than 6 years ago | (#24593009)

My mother's maiden name was #$@DD$#$21

Re:pff (1, Funny)

Anonymous Coward | more than 6 years ago | (#24593375)

Are you sure that wasn't just something she said shortly after getting married?

Re:pff (0)

Anonymous Coward | more than 6 years ago | (#24593069)

Which is why you answer the question of "What is your mother's maiden name?" with "12345"

Don't use the expected answers. As long as YOU know what answer you use to that kind of question, it's ok not to use the truth.

Re:pff (1)

kesuki (321456) | more than 6 years ago | (#24593077)

Unless you lie, and use a fictitious name like 'frodo baggins'. I noticed years ago that the 'security' question was inherently insecure, so I started using false answers only I would remember. Try to steal my account by researching my first pet's name, you won't get it right, hah! This can bite people who can't remember what they used though. I like that some sites now have 'put in your own question'. Makes it easier.

Re:pff (0)

Anonymous Coward | more than 6 years ago | (#24593189)

Best place to get wings?
Purple Lawnmowers
Very Secure

Re:pff (1)

John Hasler (414242) | more than 6 years ago | (#24593197)

> ...this can bite people who can't remember what they used though...

There is a simple solution to that: Write it down (I know: heresy!)

Re:pff (2, Insightful)

cortesoft (1150075) | more than 6 years ago | (#24593271)

If you are able to remember random fake answers to questions, then you probably aren't going to be the type who needs to reset your password. Resetting your password is only something that matters if you have trouble remembering random secure things anyway. You basically just have two passwords now, either of which can open your account (which may or may not be all you are looking for).

Re:pff (0)

Anonymous Coward | more than 6 years ago | (#24593279)

Frodo Baggins is fictitious! OMG!

Re:pff (1)

fishbowl (7759) | more than 6 years ago | (#24593285)

>In most cases being able to reset password with a question like "what's your mother's maiden name?" is worse than making your password "12345".

For a really large number of people, the mother's maiden name IS their name.

Re:pff (2, Funny)

BigDaddyOttawa (948206) | more than 6 years ago | (#24593361)

Especially if your mom is the one trying to "hack" in to your bank account.

Those are all dumb and easy cracks (3, Funny)

Average_Joe_Sixpack (534373) | more than 6 years ago | (#24592685)

I just use the current month and then the year.

123 (0)

Anonymous Coward | more than 6 years ago | (#24592695)

This is what usually happens [dilbert.com]

Although some people I work with write all of their passwords down and keep it under their keyboard or in their desk.

Well, at least's that's a little secure (2, Interesting)

davidwr (791652) | more than 6 years ago | (#24592853)

It's pretty hard for a virus to read what's beneath the desk. Not impossible if the virus can control your employer's security cameras, but difficult.

Re:Well, at least's that's a little secure (3, Funny)

LighterShadeOfBlack (1011407) | more than 6 years ago | (#24592949)

It's pretty hard for a virus to read what's beneath the desk. Not impossible if the virus can control your employer's security cameras, but difficult.

If they're under your desk I don't think those are security cameras.

My password (0)

Anonymous Coward | more than 6 years ago | (#24592699)

Only changes 1 character every time.

1LuvMyDog!
1LuvMyDog@
1LuvMyDog#...

Re:My password (1)

JackieBrown (987087) | more than 6 years ago | (#24592961)

That's how I am at work. I used to have intricate passwords, but coming up with a new one every 90 days got tedious real fast.

And Lord help me if I changed my password on a Friday because by Monday I would have no idea what my clever password was.

Re:My password (1)

tchuladdiass (174342) | more than 6 years ago | (#24593211)

Just write your clever password on your whiteboard. Then erase it. You should still be able to make it out from the residue left behind, at least for a few days until it is committed to memory.

real information (1)

Iamthecheese (1264298) | more than 6 years ago | (#24592705)

People actually enter their real information? I just put a password that I know well.

Re:real information (1)

skiingyac (262641) | more than 6 years ago | (#24592989)

My mother's maiden name is Smith, of all things. That is certainly NOT what I ever put down on anything since I too realized long ago this wasn't secure. But, the design of those questions definitely does encourage you to pick the simplest question and the simplest answer, which is what the vast majority of people will (continue to) do.

I NEVER use these fields (5, Insightful)

maraist (68387) | more than 6 years ago | (#24592727)

For every web site that asks for a password I randomly generate one.

If they have the audacity to ask for personal information, I randomly generate that data too. What frustrates me is that now I have to store a series of name-value pairs - because some of these web sites insist on randomly asking me to confirm my identity on occasion with these profile questions.

What frustrates me even more is that most people are stupid enough to give random / anonymous web sites such personal info.. What if one of the questions was 'what is your VIN? What's your SSN'??? Would people ignorantly post that data too??

If the website requires a credit card, use this information for credentialing. If it's a community web site, use email responses - if the email is hijacked, the owner should be able to see the flood of change-password emails. I never understood the value-add of such personal-info bio-metric questions.

My bank uses a PIN in addition to the login. This actually makes sense to me - as PINs are generally easier to remember than my 10 digit random char-lists, but moreover it's at least honest about the purpose of these extra fields - and doesn't dupe people into leaving their pants down when the DB gets hacked one day.

Re:I NEVER use these fields (4, Funny)

LighterShadeOfBlack (1011407) | more than 6 years ago | (#24592821)

My bank uses a PIN in addition to the login. This actually makes sense to me - as PINs are generally easier to remember than my 10 digit random char-lists, but moreover it's at least honest about the purpose of these extra fields - and doesn't dupe people into leaving their pants down when the DB gets hacked one day.

So you think someone is going to hack the login database for a bank and is going to be focusing on the fact that your first pet's name was Mittens?

Re:I NEVER use these fields (1)

failedlogic (627314) | more than 6 years ago | (#24593263)

Forget that. There are many rewards points cards (frequent flyer, grocery stores, etc.) that ask for your mother's maiden name. I always fill out a fake one. If my card gets lost, it's better to lose the few points I get than to give them the right info I remember.

Re:I NEVER use these fields (1)

base3 (539820) | more than 6 years ago | (#24593337)

If the fact that his first pet's name was Mittens is potentially the key to a bunch of other sets of credentials is understood by the perp, then yes. These are metapasswords that are commonly used across scads of websites and would be very useful information for someone wishing to use a usurped identity.

Re:I NEVER use these fields (4, Interesting)

strabes (1075839) | more than 6 years ago | (#24592913)

Just a question: How do you keep track of all the different passwords of all the different websites which you sign into?

Re:I NEVER use these fields (2, Informative)

ednopantz (467288) | more than 6 years ago | (#24593045)

How do you keep track of all the different passwords of all the different websites which you sign into?

Use KeePass [keepass.info] or another key storage system.

Now, if it had an automagical firefox plugin that would let me create a strong password for a site and store it in my key database, that would rock.

Re:I NEVER use these fields (4, Funny)

jcgf (688310) | more than 6 years ago | (#24593071)

He uses post-it notes stuck to his monitor.

Re:I NEVER use these fields (1)

strabes (1075839) | more than 6 years ago | (#24593385)

Come on, let's get real. That won't stop the NSA.

Re:I NEVER use these fields (0)

Anonymous Coward | more than 6 years ago | (#24593171)

Keepass [keepass.info]

Re:I NEVER use these fields (1)

slart42 (694765) | more than 6 years ago | (#24593209)

For every web site that asks for a password I randomly generate one.

If they have the audacity to ask for personal information, I randomly generate that data too.

Reminds me of the Apple Developer Connection website. When I signed up I just typed "this is stupid" into all the fields because I didn't feel like giving them any personal information (including street address, etc). This came back to embarrass me later, though, as Apple at one point called me to give me a free ticket to WWDC, but they asked me to look into my ADC account, because some information there "didn't seem to be quite correct" :)

Re:I NEVER use these fields (3, Interesting)

Prien715 (251944) | more than 6 years ago | (#24593315)

I use them all the time. And I fill them out with information of a fictional character.

Say, I'll put my name as Bilbo Baggains (actually using Brado Bompkins or something similar) and my hometown as "The Shire" and "bacon" as my favorite food. This lets me use unique information and track it. So if a site emails me and says "Hey Bilbo, you just won a new car!" I can tell you who exactly sold my email address.

Password reminder hints problems (3, Funny)

hack slash (1064002) | more than 6 years ago | (#24592777)

I recently bought a domain+hosting space from a well known site, one that I don't ever recall buying domains from in the past (even searched through years worth of emails - nothing), and when signing up for a new account I was unexpectedly greeted with "that email address is already in use".

So I went to the password retrieval page, entered my email address, and it asked me the stupidest hint question (for me) ever: "What was the make of your first car?". It didn't make sense at all because I still haven't bought my first car!

'Other' Questions (3, Funny)

Zekasu (1059298) | more than 6 years ago | (#24592793)

Many websites allow you to use your own question, rather than a preset one. "What is the movie you'd most relate to your high school career?"

"What was the name of the craziest teacher you had?"

Better yet, "On Tuesday mornings, which newspaper did you always use to cut out little robot people?"

Re:'Other' Questions (5, Funny)

quintessentialk (926161) | more than 6 years ago | (#24592911)

Or, "Where did you bury the body of your eleventh victim?"

Re:'Other' Questions (0)

Anonymous Coward | more than 6 years ago | (#24592919)

I tried to use this feature on one site, and it didn't work. For some reason it refused to accept "Paper, Scissors, or Rock?" as a question. (My answer would have been TnT.)

Re:'Other' Questions (0)

Anonymous Coward | more than 6 years ago | (#24593095)

Even easier, make the question be something like what was the password for the sunos 4.1.3 box in your first summer job?

Nobody would have any clue. It should be a strong password and hopefully something you'd remember.

What I really hate are the systems that require 'strong' passwords with strange rules. Your password must contain all lower case letters, begin with a letter, contain at least 1 number but not at the end and one of the following symbols ^()=-

WTF, why can't I use mixed case any symbols I want and put them wherever I want in the password? It was some utility company and every time I logged into their site I had to reset the password. Of the 32 commonly typed non-alphanumeric symbols, their limited set was just too limited for me to remember.

Wish I could bypass that step... (1)

st33med (1318589) | more than 6 years ago | (#24592803)

Unlike most people, I have an excellent memory of what passwords I use. I often forget what password I set, but, if I input the wrong one, I try another one until I get in...

Seriously, I sometimes put in for a secret answer something that does not correspond with the question being asked. :)

Too bad this guy wasn't you ... (2, Funny)

Krishnoid (984597) | more than 6 years ago | (#24592933)

Exactly how excellent [thedailywtf.com] is your memory, then? This kind of corner-case made me reconsider best-practices password security.

So true (0)

Anonymous Coward | more than 6 years ago | (#24592865)

I hate when sites *require* one of these stupid "security" (hah!) questions. It's bullshit. So what I do is that I enter one of a small set of (strong) passwords into that space that I don't use anywhere else, so that on the very improbable chance I don't remember a password for a site, I can use one of those. Or if I don't care enough, I'll just use the same actual password, particularly if it's something not important.

No duh (1, Informative)

Anonymous Coward | more than 6 years ago | (#24592891)

No duh. Who in their right mind thought having simple secret questions to reset passwords was a good idea? Especially when MySpace and the like contain a bunch of information people willingly put up online.

Birthdates aren't secure for password resets since people aren't afraid of letting others know when their birthday is. Like, "Hey, it's my 21st birthday today!" on their social networking blog.

Zip codes aren't secure for password resets either. It's not too hard to find out where someone lives, with a bit of investigating.

Secret question answers might be listed on one's social networking profile.

Just lie! (5, Insightful)

xanadu113 (657977) | more than 6 years ago | (#24592905)

Just lie on these questions! Put in answers you would know, but aren't factually correct.. =)

Simple solution..

generally used for low-security applications (5, Insightful)

bcrowell (177657) | more than 6 years ago | (#24592931)

These things are generally used for very low-security applications. My bank doesn't use them, stock trading sites don't use them, etc. And in many cases it would still be hard for a bad guy to take over your account this way. For instance, they may send you an email every time the password recovery feature is used on your account. A well designed site won't actually let you recover your old password, it will generate a link with a hash code in it that allows you to pick a new one; so the bad guy can't find out what your password used to be (which would be especially scary if you were in the habit of using the same password for lots of things), and if it's an account that you use frequently, you'll also find out quickly that something is wrong, because your password will no longer work. And I would guess they also have a limited number of times you can guess your dog's name wrong. But okay, suppose someone manages to get access to my amazon.com account this way. Is it really that horrible? I suppose they can set up a new shipping address, order some CDs, and have them sent there. So I just turn around and call my credit card company, and they reverse all the charges.

The typical slashdot user is really into using high-tech toys in sophisticated ways, but for the average person there really are severe usability issues with maintaining login and password combos, and these "what was your first pet's name" questions are a not entirely unreasonable attempt to make things easier for that type of user. My mother in law visited us recently for a few weeks. She's had a history of dysfunctional relationships with her Windows machines (viruses, etc.), so I got her started on Linux. Her main application is that she plays an online scrabble game (not the famous facebook one). She'd been unable to use her virus-infested computer for a long time, so it had been a long time since she'd been able to play scrabble. I got her set up on a spare linux box in the family room, and the very first thing she wanted to do was get scrabble working. Well, she just couldn't remember her username and password for this server. Tried a bunch of things, no luck. She was bummed out, too, because she'd had a high rating, and creating a new account with a zero rating meant it would be hard for her to get games. It would have been a lot better, from her point of view, if she'd been able to tell them her dog's name and recover her password. Who the heck cares if it leaves her vulnerable to having her scrabble account taken over by evil Russian hackers with handlebar moustaches?

All of this might seem ridiculously easy to handle to us, but I could easily imagine myself having the same problem 10-15 years ago. It's not obvious to her how her email is nested inside her yahoo account, her yahoo account is inside her browser, and her browser is inside her OS. It's not obvious to her that the username and password she uses on yahoo are different from the ones she uses to log in to her linux account.
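The "well designed site" reset flow sketched in the comment above (a mailed link carrying a random token, never the old password; the owner notices because the old password stops working and a notification arrives), as an added example that is not code from the thread or from any real site. The class and method names, the 15-minute token lifetime, the use of stdlib PBKDF2 in place of a memory-hard KDF, and the `outbox` list standing in for e-mail delivery are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

TOKEN_TTL_SECONDS = 15 * 60      # assumption: reset links expire after 15 minutes
PBKDF2_ROUNDS = 200_000          # assumption: stdlib KDF stands in for argon2/scrypt


@dataclass
class PendingReset:
    user: str
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Token-link password reset. `clock` is injectable so expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._credentials: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, hash)
        self._pending: Dict[str, PendingReset] = {}             # sha256(token) -> record
        self.outbox: List[str] = []                             # constructed e-mail sink

    def set_password(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._credentials[user] = (salt, digest)

    def check_password(self, user: str, password: str) -> bool:
        if user not in self._credentials:
            return False
        salt, digest = self._credentials[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def request_reset(self, user: str) -> None:
        """Mail a one-time link. The old password is never looked up, let alone sent."""
        if user not in self._credentials:
            return                                   # silent: do not confirm account existence
        token = secrets.token_urlsafe(32)            # 256-bit token; only its hash is stored
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self._pending[token_hash] = PendingReset(user, self._clock() + TOKEN_TTL_SECONDS)
        self.outbox.append(
            f"to={user} subject=reset link=https://example.invalid/reset?token={token}")

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Accept the link once, before expiry, then set the new password and notify."""
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        record = self._pending.get(token_hash)
        if record is None or record.used or self._clock() > record.expires_at:
            return False                             # unknown, replayed or expired link
        record.used = True                           # single use
        self.set_password(record.user, new_password)
        # The owner learns of the reset two ways: the old password stops working,
        # and a notification goes to the account's e-mail address.
        self.outbox.append(f"to={record.user} subject=password-changed")
        return True
```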

FTA (1)

Sir Holo (531007) | more than 6 years ago | (#24592937)

"And very few preferences are recorded in public databases.'"

Yet.

Grocery Cards (1, Interesting)

Anonymous Coward | more than 6 years ago | (#24593219)

What do you mean "yet"?

I bet there are a LOT of preferences that could be deduced from the records on your grocery card.

The only good thing is that you do NOT always have to fill out the form. They'll take out a new card, swipe it, then give you a form to send in later. If you don't fill out the form, they don't care. They'll get that information if you ever use your credit card and that shopping card together. Some also let you enter your phone number instead, which once again ties things to your identity (unless you use a specific fake phone number...).

Of course, it's not hard to find loopholes here that still let you maintain some level of privacy. But you have to be careful.

Of course, if you want to be sneaky, keep that blank card unaffiliated with your identity, then offer to let someone else use your shopper card when they're paying by credit card. Should make things interesting.

Personally, I avoid getting the cards entirely if I can't save some privacy. I know that I pay more, but I'm not having my life entered into a database for a $1.25 discount. I'm convinced that people will find ways to systematically abuse this data in the future, and I don't want to find out how they will do that.

APML (1)

miruku (642921) | more than 6 years ago | (#24592939)

"And very few preferences are recorded in public databases"

Not for long if APML [apml.org] usage kicks off...

Oh, and make sure you don't confirm (5, Interesting)

Itninja (937614) | more than 6 years ago | (#24592951)

I was surprised recently when my bank asked for all this type of information (i.e. childhood friend, first school), but didn't have me confirm a single field. There was just a single text field for each question. God help me if I fat-fingered one of the answers. Was my first school All City Elementary...or All City Elemntary? OH CARP!

A combination of problems (1)

Opportunist (166417) | more than 6 years ago | (#24593003)

The first and obvious is that those "reminder" pages usually draw from a limited set of possible answers. What's your favorite color? If you're a man, you know about 6 ("peach" is no color, it's a fruit!). So, and this gets us to the second problem, keep trying; they usually also don't have a limited number of attempts. Yellow, blue, green, red, black, white... you're bound to stumble upon the right one eventually.

The worst reminder question I ever had was "what's the last 4 digits on your credit card?" Besides giving away CC info, you can't even dodge it by entering a bogus answer to throw crackers off (because my favorite color could well be "toast"), you HAVE to choose one of 10,000 possible answers.

Use consistent fakes (1)

oldspewey (1303305) | more than 6 years ago | (#24593011)

I have a fake mother's maiden name that I use for online forms (as well as offline forms where I feel the organization in question has no fucking need to know the correct answer). I have a fake first car answer, a fake best friend answer, and a fake city where I was born. I use the same ones consistently for all my password reset questions.

Re:Use consistent fakes (1)

AJNeufeld (835529) | more than 6 years ago | (#24593075)

So once someone has cracked (or an unscrupulous website administrator has stolen) one website's database where your fakes have been stored, they could attempt a breakin of other websites you visit.

Re:Use consistent fakes (2, Insightful)

oldspewey (1303305) | more than 6 years ago | (#24593113)

I suppose they could, but they'd be able to do the same thing if I used consistent "real" information in those fields too ... and at the end of the day I guess I just have to hope that I'm simply not that interesting of a target.

Only broken if e-mail cracked (3, Interesting)

AJNeufeld (835529) | more than 6 years ago | (#24593015)

Is this really that much of a security issue? The new password is sent to your registered e-mail address, and only if you log in with the new password will your old password be changed. Otherwise, your password remains unchanged. So, unless the e-mail is sniffed in transit, or your e-mail account has been hacked, this shouldn't be an issue.

Re:Only broken if e-mail cracked (1)

koalapeck (1137045) | more than 6 years ago | (#24593185)

I've witnessed more than a few websites where once you successfully answer the security question they reset the login directly in the browser, freeing you to choose a new password then and there. This is where I'd be concerned.

my first car was (1)

FudRucker (866063) | more than 6 years ago | (#24593033)

a 1969 Pontiac GTO, wait, you did not read that!

Re:my first car was (1)

roc97007 (608802) | more than 6 years ago | (#24593093)

Cool. Wanna sell it?

American Express... (4, Informative)

roc97007 (608802) | more than 6 years ago | (#24593049)

...wouldn't activate my card until I created a pin. They wanted me to use the month and day of my mother's birthday. I tried random digits, but -- fer chrissake -- the menu system would only take digits that were valid dates.

Yeah, that's what I want to use for a card with no spending limit, a datum easily discovered through public records.

I finally got hold of a real person, and he insisted I use my mother's birthday. I insisted that I would not. He finally had to get permission from a supervisor for me to use a random four digit string.

I understand, insisting on an easily remembered string probably reduces the number of support calls to reset pins, but at what cost?

very easy fix for this (4, Interesting)

v1 (525388) | more than 6 years ago | (#24593059)

I had to be clubbed on the head to realize this obvious universal truth:

The answer to your "secret question" doesn't have to have anything to do with the stated question.

I got upset at my bank because they only had four questions they'd let me use. Oldest sibling's name. (only child?) First pet. (which one?) Town you grew up in. (which one?) Favorite color. (don't have one) The really crazy part is these were ALL questions. The bank will randomly challenge me with one of those questions.

After yet another challenge lockout, the rep kindly informed me to just treat the secret questions just like another password field, and put in whatever else you'd like for another password. I could even use the same answer for all the questions.

D'oh. That's simpler than it looks.

It gets better. The "random" nature of the challenges was bugging me. The rep then said, do you want to just make it ALWAYS challenge you? Do it! Much better. I need consistency more than the random chance things are simpler. It always sends me looking for my password list when a forum or something I normally visit daily I miss for a few days and it logs me out. Having to enter the password for something every time you use it, and having to use it frequently, is much better for memorizing these things.
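
An added example, not code from any post in this thread, of the approach v1's bank rep described: the secret answer is handled as a second password, with the confirmation step Itninja's bank skipped and an attempt budget against the small answer spaces Opportunist describes. The normalization rule, MAX_ATTEMPTS and the PBKDF2 parameters are assumptions of this illustration, not anything a particular site does.

```python
"""Reset-question handling done as a second password (added illustration)."""
import hashlib
import hmac
import os
import re
from typing import Optional

MAX_ATTEMPTS = 3  # assumption: lock the challenge after three wrong guesses
ITERATIONS = 100_000  # assumption: PBKDF2-HMAC-SHA256 work factor

def normalize(answer: str) -> str:
    """Case-fold and drop whitespace/punctuation, so 'All City Elementary'
    and 'all  city-elementary' compare equal (a real typo still differs)."""
    return re.sub(r"[^0-9a-z]", "", answer.casefold())

def _derive(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)

def enroll(answer: str, confirm: str) -> dict:
    """Store a secret answer. The user types it twice; mismatches are
    rejected at enrollment instead of silently locking them out later."""
    if normalize(answer) != normalize(confirm):
        raise ValueError("answers do not match; re-enter")
    salt = os.urandom(16)
    # Only the salted hash is kept, like a password; the plaintext is discarded.
    return {"salt": salt, "digest": _derive(answer, salt), "failures": 0}

def check(record: dict, guess: str) -> bool:
    """Verify a guess while counting failures. Once the budget is spent every
    guess is refused, so a colour-by-colour sweep cannot run to completion."""
    if record["failures"] >= MAX_ATTEMPTS:
        return False
    if hmac.compare_digest(_derive(guess, record["salt"]), record["digest"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False

def sweep(record: dict, candidates) -> Optional[int]:
    """Simulate the 'keep trying' scenario over a small answer space (a
    constructed list). Returns the index that matched, or None if lockout
    stopped the sweep first."""
    for i, candidate in enumerate(candidates):
        if check(record, candidate):
            return i
    return None
```
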

My solution (0)

Anonymous Coward | more than 6 years ago | (#24593061)

My solution is to append a 3 digit number I memorized to my answer. For example ford657 or fido657.

Easier to defeat (3, Interesting)

MasterOfDisaster (248401) | more than 6 years ago | (#24593085)

I would think it would be easier to find out my preferences from looking at my Facebook page than it would be to determine my mother's maiden name, best friend's name or what my first car was - you won't find any of that information spelled out clearly on facebook, but you would be able to look at my "Interests" to see what type of music, tv or foods I liked or view my pictures and see plenty of photos of me in art galleries and raves, but none at sporting events, for example.

Plus, as everyone knows, a multiple choice test is much easier to pass by answering randomly than something where you have to fill in the blanks.

Password reset? (1)

jc42 (318812) | more than 6 years ago | (#24593087)

So what's the definition of "password reset"? I'd started off assuming that it refers to one of those "I forgot my password" thingies. But the few times I've used one of those (usually helping a friend get a new password, actually), the result has always been for the site to email a new password that was random and unpronounceable, plus a link to change the password.

Are there sites that actually set your password to one of these personal-info strings? If so, that's incredibly demented behavior on their part. I'd think seriously of not using that site any more, if possible.

But I was disappointed that TFA didn't seem to define the "password reset" phrase. So I have to admit that I don't know what he's talking about. And I'm curious, because I've found that stories on new security problems have this way of quickly becoming relevant.

Lie (4, Informative)

John Hasler (414242) | more than 6 years ago | (#24593149)

> The city you grew up in and your mother's maiden name can be derived from public records.

I grew up in Wei9Iequ. My mother's maiden name was ga4EeliY.

Or, if you insist on something easier to remember, make it Tanelorn and Gloriana.

Not just your email, either... (5, Interesting)

EWillieL (15339) | more than 6 years ago | (#24593179)

My wife's business website was routed to a porn site for three days a couple years ago. They transferred the domain from her account to their own account with another registrar, and pointed it to their own DNS servers.

They accessed her account by, you guessed it, compromising her primary email account using the "secret questions". As it turns out, the perpetrators knew all the right answers, because they were her ex-husband and his apparently-vindictive second wife.

They had unfettered access to her email account for over a year while they plotted this bit of nastiness. Such activity is a felony where we come from, but they moved out of the country before charges could be pressed.

Needless to say, my wife uses a bogus set of "secret" answers that even I don't know. Not that she's not trusting or anything... ;-)

Re:Not just your email, either... (0)

Anonymous Coward | more than 6 years ago | (#24593341)

>Such activity is a felony where we come from, but they moved out of the country before charges could be pressed.

Since they went to a country without an extradition treaty, the food and water situation is punishment enough.

Alastair Rankine posted an excellent analysis (3, Informative)

toby (759) | more than 6 years ago | (#24593305)

See How NOT to use 'secret questions' [girtby.net] about the bad authentication design of an Australian government web site.

Duh (0)

Anonymous Coward | more than 6 years ago | (#24593317)

I've always answered question1 with the answer to question2 in order to throw things off. I usually don't forget my passwords, so it never really mattered to me. However, in the last year or so, one of my credit cards' websites started asking me those questions even though I had entered my password...really pisses me off.

You mean (1)

rossdee (243626) | more than 6 years ago | (#24593319)

...that people might actually give an honest answer to questions like 'mother's maiden name?'

And what about 'first pet?' - I never had a PET as such, my first computer was a TRS80.
I did have a C=64 which was a direct descendant of the Personal Electronic Transactor.

Those questions are just prompts; you aren't expected to provide an answer that is correct, just the same as what you originally typed in.

And then they send the NEW password to your Email address. If you used a SECURE email account in the first place, rather than a hotmail, yahoo, or gmail address, there should not be a problem.

Changing the 'Truth' (1)

gznork26 (1195943) | more than 6 years ago | (#24593331)

In order to gain access to your Bank of America account over the phone, they ask some security questions to try to confirm that it's you. One of these questions is which branch you opened your account at. Unfortunately, when B of A bought the bank I opened my account at, they changed the record of where it was opened. So now, they expect me to provide a false answer to answer their question 'correctly'. I pointed out to them that if they expect me to lie to them here, there's no reason to expect me to tell the truth anywhere else. Nobody there seems to understand that the precedent it sets would destroy their trust relationship with customers, and I spoke to everyone up to the office of the President.

-------
I write political short stories at http://klurgsheld.wordpress.com/ [wordpress.com]

I accidentally stole a guy's gmail account (2, Funny)

ozphx (1061292) | more than 6 years ago | (#24593393)

Couldn't log in! Was trying to log in to the wrong username (who shared my name), and the guy's secret question was "lager?". Of course the answer was "yes". :/

That probably makes me guilty of all kinds of nasty shit by accident :P

Yes, my preferences are stable (2, Informative)

tauntalum (221678) | more than 6 years ago | (#24593431)

And they're set to disable scripting.

lesser of the three evils (3, Interesting)

Thaelon (250687) | more than 6 years ago | (#24593447)

Neither password reuse nor password reset questions are as bad as passwords that expire.

Seriously, everybody knows you pick one password then increment the number on the end. To make matters worse, companies will often shove network drives down your throat via the domain policy, that, once your password changes, lock you out of everything. Security through inconvenience of your authorized users. Great!
