What is worse than reusing passwords?
Do you use the same password all over the place? Yes, you probably do -- whether you know it or not.
The fact is, while some people still casually use the same password for many sites, almost all of us reuse what we may think of as "meta passwords" -- the information used to reset passwords. That, I argue, is worse than reusing passwords - but harder to avoid!
When you have forgotten your password, some sites send you an email with a link for you to click. Phishers who have stolen access to your email account can do that, too. Other sites will ask you for your mother's maiden name, the name of your best friend, what city you grew up in, or what brand your first car was. Did you know that phishers can answer those questions, too?
Like the city you grew up in, your mother's maiden name can be derived from public records -- from birth certificates and marriage certificates to be specific. (Download PDF for details.) Facebook might unwittingly tell the name of your best friend. And,until quite recently, Ford with its 25% market share had a pretty good chance of being the brand of your first car!
This same set of popular password reset questions are reused on many sites. What if one of them is hacked? And, yes, a shady site can ask you the same questions as big banks ask, hoping to learn your answers if you set up an account there.
Password reset techniques have several problems. One is that many of the answers can be found in public databases, or guessed. Another is that many sites ask the same questions. And yet another one is that some questions are not very memorable at all, or change. Last name of your kindergarten teacher and favorite movie are two examples. My favorite in this category is from Virgin America. How much wood would a woodchuck chuck if a woodchuck could chuck wood? And can you enter any of the answers using a phone keyboard? Probably, but it is not so much fun to do.
Password reset does not have to be a weak link.
Psychologists know that people's preferences are stable -- often more so than long term memory. And very few preferences are recorded in public databases, especially slight preferences. Take a look at www.blue-moon-authentication.com to try out what the setup and password reset may look like in a system based on preferences. You will see that the password reset step can be done on a phone, by the way.
Related reading
- www.I-forgot-my-password.com
- Security Questions in the Era of FaceBook
- Love and Authentication (presentation)
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
PS3 motion controller delayed; goes up against Project Natal
sjvn
Neolithic Windows security hole alive and well in Windows 7
claird
Perl source code comparison makes for good reading
mikelgan
Cell phones don't create stress or interrupt much
Sandra Henry-Stocker
How to: The Unix Interview
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Ubuntu advances: Why Ubuntu server installations will surge in 2010
- Social media marketing: How to make friends with benefits
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
There's a nice white paper
There's a nice white paper about exactly this topic, to help organizations design stronger authentication for when users forget their passwords:(psynch.com)
Here are two papers you can
Here are two papers you can read for more details on preference-based authentication:http://www.ravenwhite.com/files/quantifying.pdf (to appear in DIM '08)
http://www.ravenwhite.com/files/chi08JSWY.pdf (appeared in CHI '08)
Cheers,
Markus
http://www.ravenwhite.com/ifo
http://www.ravenwhite.com/iforgotmypassword.html or the i-forgot-my-password link (they go to the same place) are much more informative than the link in the article text. From there you can see the scholarly papers and a layman's explanation (with screenshots) of the site linked in the article text.