Comments

What is worse than reusing passwords?

Think your password resets are secure? Think again. The city you grew up in and your mother's maiden name can be derived from public records. Facebook might unwittingly reveal the name of your best friend. And, until quite recently, Ford, with its 25% market share, had a pretty good chance of being the brand of your first car!


There's a nice white paper

There's a nice white paper about exactly this topic, to help organizations design stronger authentication for when users forget their passwords:

(psynch.com)

Here are two papers you can

Here are two papers you can read for more details on preference-based authentication:

http://www.ravenwhite.com/files/quantifying.pdf (to appear in DIM '08)
http://www.ravenwhite.com/files/chi08JSWY.pdf (appeared in CHI '08)

Cheers,
Markus

http://www.ravenwhite.com/ifo

http://www.ravenwhite.com/iforgotmypassword.html or the i-forgot-my-password link (they go to the same place) are much more informative than the link in the article text. From there you can see the scholarly papers and a layman's explanation (with screenshots) of the site linked in the article text.

I am glad people are writing

I am glad people are writing about this :). I have thought for some time now that this is a security issue. Nice article!

In a very disappointing

In a very disappointing move, Delta Airlines recently started forcing users to set up these "security questions". I find these questions to be far more of a liability than a convenience.

I don't have a problem with

I don't have a problem with answering my mother's maiden name... I just picked a name I like and remember that doesn't mean anything within either side of my family...

I completely agree that

I completely agree that security questions are not a good solution to password security. I work for a company called Vidoop and we are working on delivering easy to use, secure password management solutions.

Using a password manager makes it easy to use secure passwords. We just released an update for our online password manager plugin that will do form filling for you. Now you can really manage your identity information from one spot. There is a video explaining how our products keep you secure here.

If anyone has any questions you can reach us on twitter as @Vidoop or on Get Satisfaction.

Cheers,
Kevin

I just use passwords in the

I just use passwords in the answer blanks. My mom's maiden name? XXh45jjt7. Why would I want to give sites the real answers? And what will happen when some site, for "beneficial reasons," aggregates all the answers I've entered across several other sites? I'd rather these security questions didn't describe my entire life, thank you.

This strategy works until

This strategy works until you forget the answers to these questions, too. Why would you forget the "real" password, but not these "new passwords"?

I don’t know what

I don’t know what physiologist gave them those statistics but I know that I don’t like Indian food now. But that’s because I have never really had it, so a week from now when I have some good Indian food I might be the biggest fan. The same can be said about folk music.

My social security won’t change any time soon, unless I go into the witness protection program.

The thing is, you are not

The thing is, you are not likely to change ALL your preferences next week, are you? As long as you remain 70% what you used to be, the system will say it is you. Less than that and you are considered an impostor.

The problem with the social security number is that it is not too secret. A lot of sites already have it, and maybe you do not want more of them to know it. Especially if it is a site that is not a financial service provider.

And other common questions today have the same problem. My CryptoBytes article of last year (http://www.rsa.com/rsalabs/cryptobytes/CryptoBytes-Winter07.pdf) shows how easy it is to get mothers' maiden names from public records, for example.

Password reset is not an easy problem, and what people do today really is not all that secure.

Working people often need

Working people often need access to dozens of applications. Single sign-on might be an answer, but if your password is compromised, now the bad guys have access to everything. In the meantime, secure password self-reset solutions are available for organizations that need them.



Reusing passwords is bad,

Reusing passwords is bad, especially for logins that could cause you a financial loss should it be compromised.

I recommend using PasswordSafe - not only will this free utility keep your current passwords safe, it will also give you quick access to your passwords and generate new, strong passwords.