What is worse than reusing passwords?

By Markus Jakobsson  16 comments

Do you use the same password all over the place? Yes, you probably do -- whether you know it or not.

The fact is, while some people still casually use the same password for many sites, almost all of us reuse what we may think of as "meta passwords" -- the information used to reset passwords. That, I argue, is worse than reusing passwords - but harder to avoid!

When you have forgotten your password, some sites send you an email with a link for you to click. Phishers who have stolen access to your email account can do that, too. Other sites will ask you for your mother's maiden name, the name of your best friend, what city you grew up in, or what brand your first car was. Did you know that phishers can answer those questions, too?

Like the city you grew up in, your mother's maiden name can be derived from public records -- from birth certificates and marriage certificates to be specific. (Download PDF for details.) Facebook might unwittingly tell the name of your best friend. And, until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car!

This same set of popular password reset questions is reused on many sites. What if one of them is hacked? And, yes, a shady site can ask you the same questions as big banks ask, hoping to learn your answers if you set up an account there.

Password reset techniques have several problems. One is that many of the answers can be found in public databases, or guessed. Another is that many sites ask the same questions. And yet another one is that some questions are not very memorable at all, or change. Last name of your kindergarten teacher and favorite movie are two examples. My favorite in this category is from Virgin America. How much wood would a woodchuck chuck if a woodchuck could chuck wood? And can you enter any of the answers using a phone keyboard? Probably, but it is not so much fun to do.

Password reset does not have to be a weak link.

Psychologists know that people's preferences are stable -- often more so than long term memory. And very few preferences are recorded in public databases, especially slight preferences. Take a look at www.blue-moon-authentication.com to try out what the setup and password reset may look like in a system based on preferences. You will see that the password reset step can be done on a phone, by the way.
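To make the preference-based idea concrete, here is an added example in Python; it is not code from the article, from the Blue Moon Authentication site, or from any of the papers linked below. It assumes a constructed 16-item catalogue of everyday likes and dislikes, the 70% agreement threshold the author mentions in his reply in the comments, and a hypothetical helper (guess_success_probability) that works out how often someone guessing each item at random would clear that threshold, so it can be compared with a single knowledge question whose most common answer has a 25% base rate, like the Ford example above.

```python
import math
import random
from dataclasses import dataclass

# Constructed item catalogue for the demo; a deployment would use a larger,
# curated list of everyday likes and dislikes.
ITEMS = [
    "indian food", "folk music", "hiking", "crossword puzzles",
    "horror movies", "cats", "early mornings", "opera",
    "roller coasters", "sushi", "camping", "video games",
    "jazz", "gardening", "cold weather", "public speaking",
]

LIKE, DISLIKE, NEUTRAL = "like", "dislike", "neutral"


@dataclass(frozen=True)
class PreferenceProfile:
    """What the site stores at setup: the user's strong likes and dislikes.
    Neutral items are dropped because lukewarm opinions are the ones most
    likely to flip over time."""
    likes: frozenset
    dislikes: frozenset

    @property
    def items(self):
        return self.likes | self.dislikes


def enroll(answers, min_items=12):
    """Build a profile from {item: LIKE|DISLIKE|NEUTRAL} answers given at setup."""
    likes = frozenset(i for i, a in answers.items() if a == LIKE)
    dislikes = frozenset(i for i, a in answers.items() if a == DISLIKE)
    if len(likes) + len(dislikes) < min_items:
        raise ValueError("too few non-neutral answers to enrol")
    return PreferenceProfile(likes, dislikes)


def challenge(profile, rng=random):
    """The reset screen: the enrolled items, shuffled so their order carries
    no hint about which ones were likes. Each is answered LIKE or DISLIKE."""
    items = sorted(profile.items)
    rng.shuffle(items)
    return items


def verify(profile, responses, threshold=0.7):
    """Score the reset answers: the fraction of enrolled items the user
    classifies the same way as at setup. Unanswered items count as wrong."""
    agreeing = sum(1 for i in profile.likes if responses.get(i) == LIKE)
    agreeing += sum(1 for i in profile.dislikes if responses.get(i) == DISLIKE)
    score = agreeing / len(profile.items)
    return score, score >= threshold


def guess_success_probability(n_items, threshold, p_per_item=0.5):
    """Hypothetical helper: chance that independent guesses, each right with
    probability p_per_item, reach the acceptance threshold (binomial tail)."""
    k_min = next(k for k in range(n_items + 1) if k / n_items >= threshold)
    return sum(math.comb(n_items, k) * p_per_item ** k * (1 - p_per_item) ** (n_items - k)
               for k in range(k_min, n_items + 1))


# Constructed setup answers: 8 likes, 6 dislikes, 2 neutral (dropped).
SETUP_ANSWERS = {
    "indian food": LIKE, "hiking": LIKE, "crossword puzzles": LIKE, "cats": LIKE,
    "sushi": LIKE, "camping": LIKE, "video games": LIKE, "roller coasters": LIKE,
    "folk music": DISLIKE, "horror movies": DISLIKE, "early mornings": DISLIKE,
    "opera": DISLIKE, "cold weather": DISLIKE, "public speaking": DISLIKE,
    "jazz": NEUTRAL, "gardening": NEUTRAL,
}


def simulate_reset(profile, changed_items):
    """Constructed reset answers: identical to setup except for the items
    whose opinion has flipped since then."""
    responses = {i: LIKE for i in profile.likes}
    responses.update({i: DISLIKE for i in profile.dislikes})
    for item in changed_items:
        responses[item] = DISLIKE if responses[item] == LIKE else LIKE
    return responses


def demo():
    profile = enroll(SETUP_ANSWERS)
    print("reset screen asks about:", challenge(profile, random.Random(1)))
    for changed in ([], ["indian food", "folk music", "cats", "opera"],
                    ["indian food", "folk music", "cats", "opera", "sushi"]):
        score, ok = verify(profile, simulate_reset(profile, changed))
        print(f"{len(changed)} preferences changed -> score {score:.2f}, accepted={ok}")
    print("random guesser vs 16 items at 70%:", guess_success_probability(16, 0.7))
    print("one question with a 25% base-rate answer:", guess_success_probability(1, 0.7, 0.25))


if __name__ == "__main__":
    demo()
```

With 14 enrolled items, a user whose opinion on four of them has changed still scores 10/14 and is accepted; five changes drop the score to 9/14 and the reset is refused. The binomial tail shows why the threshold is set where it is: a random guesser clears 70% on 16 items under 4% of the time, whereas a single "first car" question with a 25% base-rate answer is passed by the same guesser one time in four.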

16 comments

    MichaelCarver 21 weeks ago
    Most online email services now let users answer a variety of questions like their favorite sports. If a password is lost, this info is matched up to the answers they provide. If they're close, the password will be resent.
    Anonymous 2 years ago
    Reusing passwords is bad, especially for logins that could cause you a financial loss should they be compromised. I recommend using PasswordSafe - not only will this free utility keep your current passwords safe, it will also help you have quick access to your passwords and also generate new, strong passwords.
    Anonymous 2 years ago
    You are right. All correctly speak!
    Anonymous 3 years ago
    I am glad people are writing about this :). I have thought for some time now that this is a security issue. Nice article!
    Anonymous 3 years ago
    Working people often need access to dozens of applications. Single-sign on might be an answer, but if your password is compromised, now the bad guys have access to everything. In the meantime, secure password self reset solutions are available for organizations that need it.
    Anonymous 3 years ago
    I don’t know what physiologist gave them those statistics but I know that I don’t like Indian food now. But that’s because I have never really had it, so a week from now when I have some good Indian food I might be the biggest fan. The same can be said about folk music. My social security won’t change any time soon, unless I go into the witness protection program.
    Markus Jakobsson 3 years ago in reply to Anonymous
    The thing is, you are not likely to change ALL your preferences next week, are you? As long as you remain 70% what you used to be, the system will say it is you. Less than that and you are considered an impostor. The problem with the social security number is that it is not too secret. A lot of sites already have it, and maybe you do not want more of them to know it. Especially if it is a site that is not a financial service provider. And other common questions today have the same problem. My CryptoBytes article of last year (http://www.rsa.com/rsalabs/cryptobytes/CryptoBytes-Winter07.pdf) shows how easy it is to get mothers' maiden names from public records, for example. Password reset is not an easy problem, and what people do today really is not all that secure.
    Anonymous 3 years ago
    I just use passwords in the answer blanks. My mom's maiden name? XXh45jjt7. Why would I want to give sites the real answers? And what will happen when some site, for "beneficial reasons," aggregates all the answers I've entered across several other sites? I'd rather these security questions didn't describe my entire life thank you.
    Markus Jakobsson 3 years ago in reply to Anonymous
    This strategy works until you forget the answers to these questions, too. Why would you forget the "real" password, but not these "new passwords"?
    Anonymous 3 years ago
    I completely agree that security questions are not a good solution to password security. I work for a company called Vidoop and we are working on delivering easy to use, secure password management solutions. Using a password manager makes it easy to use secure passwords. We just released an update for our online password manager plugin that will do form filling for you. Now you can really manage your identity information from one spot. There is a video explaining how our products keep you secure here. If anyone has any questions you can reach us on twitter as @Vidoop or on Get Satisfaction. Cheers, Kevin
    Anonymous 3 years ago
    I don't have a problem with answering my mother's maiden name... I just picked a name I like and remember that doesn't mean anything within either side of my family...
    Anonymous 3 years ago
    http://www.ravenwhite.com/iforgotmypassword.html or the i-forgot-my-password link (they go to the same place) are much more informative than the link in the article text. From there you can see the scholarly papers and a layman's explanation (with screenshots) of the site linked in the article text.
    Anonymous 3 years ago
    In a very disappointing move, Delta Airlines recently started forcing users to set up these "security questions". I find these questions to be far more of a liability than a convenience.
    Anonymous 3 years ago
    There's a nice white paper about exactly this topic, to help organizations design stronger authentication for when users forget their passwords: (psynch.com)
    Markus Jakobsson 3 years ago in reply to Anonymous
    Here are two papers you can read for more details on preference-based authentication:
    http://www.ravenwhite.com/files/quantifying.pdf (to appear in DIM '08)
    http://www.ravenwhite.com/files/chi08JSWY.pdf (appeared in CHI '08)
    Cheers, Markus
