Think your password resets are secure? Think again. The city you grew up in and your mother's maiden name can be derived from public records. Facebook might unwittingly tell the name of your best friend. And, until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car!
http://www.ravenwhite.com/iforgotmypassword.html or the i-forgot-my-password link (they go to the same place) are much more informative than the link in the article text. From there you can see the scholarly papers and a layman's explanation (with screenshots) of the site linked in the article text.
by Anonymous (not verified) on 8/14/08 at 7:14 am |reply
I am glad people are writing about this :). I have thought for some time now that this is a security issue. Nice article!
by jintoreedwine (not verified) on 8/14/08 at 8:48 am |reply
In a very disappointing move, Delta Airlines recently started forcing users to set up these "security questions". I find these questions to be far more of a liability than a convenience.
by Will Norris (not verified) on 8/14/08 at 11:17 am |reply
I don't have a problem with answering my mother's maiden name... I just picked a name I like and remember that doesn't mean anything within either side of my family...
by Warren A (not verified) on 8/14/08 at 5:26 pm |reply
I completely agree that security questions are not a good solution to password security. I work for a company called Vidoop and we are working on delivering easy-to-use, secure password management solutions.
Using a password manager makes it easy to use secure passwords. We just released an update for our online password manager plugin that will do form filling for you. Now you can really manage your identity information from one spot. There is a video explaining how our products keep you secure here.
If anyone has any questions you can reach us on twitter as @Vidoop or on Get Satisfaction.
Cheers,
Kevin
by Kevin Fox (not verified) on 8/14/08 at 6:06 pm |reply
I just use passwords in the answer blanks. My mom's maiden name? XXh45jjt7. Why would I want to give sites the real answers? And what will happen when some site, for "beneficial reasons," aggregates all the answers I've entered across several other sites? I'd rather these security questions didn't describe my entire life, thank you.
by Anonymous (not verified) on 8/14/08 at 6:10 pm |reply
This strategy works until you forget the answers to these questions, too. Why would you forget the "real" password, but not these "new passwords"?
I don’t know what physiologist gave them those statistics but I know that I don’t like Indian food now. But that’s because I have never really had it, so a week from now when I have some good Indian food I might be the biggest fan. The same can be said about folk music.
My social security won’t change any time soon, unless I go into the witness protection program.
by Anonymous (not verified) on 8/15/08 at 12:32 pm |reply
The thing is, you are not likely to change ALL your preferences next week, are you? As long as you remain 70% what you used to be, the system will say it is you. Less than that and you are considered an impostor.
The problem with the social security number is that it is not too secret. A lot of sites already have it, and maybe you do not want more of them to know it. Especially if it is a site that is not a financial service provider.
And other common questions today have the same problem. My CryptoBytes article of last year (http://www.rsa.com/rsalabs/cryptobytes/CryptoBytes-Winter07.pdf) shows how easy it is to get mothers' maiden names from public records, for example.
Password reset is not an easy problem, and what people do today really is not all that secure.
Working people often need access to dozens of applications. Single sign-on might be an answer, but if your password is compromised, now the bad guys have access to everything. In the meantime, secure password self-reset solutions are available for organizations that need it.
by Bob (not verified) on 8/28/08 at 6:10 pm |reply
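The 70% rule described in the comment above, as an added illustration written for this page (it is not the Ravenwhite scheme or the CryptoBytes article's own method; the topic list, the balanced-profile rule and the fixed cut-off are assumptions): a user rates topics like/dislike at enrollment, rates them again at reset time, and is accepted only if enough ratings still agree.

```python
from typing import Dict

LIKE, DISLIKE = "like", "dislike"
THRESHOLD = 0.70  # the 70% agreement level from the thread, assumed here as a fixed cut-off


def enroll(ratings: Dict[str, str]) -> Dict[str, str]:
    """Validate and store the enrollment profile.

    Every topic must be rated like or dislike, and the profile must hold equal
    numbers of each, so an impostor who answers the same way for every topic
    scores exactly 50% and is rejected.
    """
    if any(v not in (LIKE, DISLIKE) for v in ratings.values()):
        raise ValueError("each topic must be rated like or dislike")
    likes = sum(v == LIKE for v in ratings.values())
    if likes * 2 != len(ratings):
        raise ValueError("enroll an equal number of likes and dislikes")
    return dict(ratings)


def agreement(profile: Dict[str, str], answers: Dict[str, str]) -> float:
    """Fraction of enrolled topics answered the same way at reset time.

    Topics left unanswered count as disagreements: skipping a question must not
    help a guesser reach the threshold.
    """
    if not profile:
        raise ValueError("empty profile")
    same = sum(answers.get(topic) == rating for topic, rating in profile.items())
    return same / len(profile)


def verify(profile: Dict[str, str], answers: Dict[str, str]) -> bool:
    """Accept the reset request only if agreement is at or above THRESHOLD."""
    return agreement(profile, answers) >= THRESHOLD


# Constructed sample data: one user's enrollment, balanced 5 likes / 5 dislikes.
PROFILE = enroll({
    "sushi": LIKE, "jazz": LIKE, "hiking": LIKE, "cats": LIKE, "skiing": LIKE,
    "indian food": DISLIKE, "folk music": DISLIKE, "opera": DISLIKE,
    "horror films": DISLIKE, "board games": DISLIKE,
})
# The same user a year later, now fond of Indian food and folk music (2 of 10 changed).
GENUINE = {**PROFILE, "indian food": LIKE, "folk music": LIKE}
# An impostor who knows nothing about the user and clicks "like" on everything.
ALL_LIKE = {topic: LIKE for topic in PROFILE}

if __name__ == "__main__":
    print(agreement(PROFILE, GENUINE), verify(PROFILE, GENUINE))    # 0.8 True
    print(agreement(PROFILE, ALL_LIKE), verify(PROFILE, ALL_LIKE))  # 0.5 False
```

Lowering THRESHOLD admits users whose tastes drifted further but also admits guessers who know a few of the user's preferences, so the cut-off is a trade-off between false rejections and false acceptances.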
I am glad people are writing about this :). I have thought for some time now that this is a security issue. Nice article!
by Anonymous (not verified) on 1/19/09 at 11:11 am |reply
You are right. All correctly speak!
by free downloads man (not verified) on 4/2/09 at 5:00 am |reply
Reusing passwords is bad, especially for logins that could cause you a financial loss should they be compromised.
I recommend using PasswordSafe - not only will this free utility keep your current passwords safe, it will also give you quick access to your passwords and generate new, strong passwords.
by Helena Chris (not verified) on 8/4/09 at 5:04 pm |reply
There's a nice white paper about exactly this topic, to help organizations design stronger authentication for when users forget their passwords: (psynch.com)
Here are two papers you can read for more details on preference-based authentication:
http://www.ravenwhite.com/files/quantifying.pdf (to appear in DIM '08)
http://www.ravenwhite.com/files/chi08JSWY.pdf (appeared in CHI '08)
Cheers,
Markus