A Different Approach to Password Reset

Earlier this week I was discussing password resets with one of my co-workers. Common password reset questions are discoverable, guessable, or disclosed on your social networking site.
Mother’s Maiden Name – public record
Street you grew up on – can be found
Place of Birth – discoverable
Name of Pet – guessable (top list of pet names on the Internet, or just check their Facebook)
Users “improve” on security by putting something else there. They’ve effectively created a second password when they couldn’t remember the first. Now it’s likely they’ll forget both.
In a discussion of users at a non-security forum where I’m a member, one user reports “I just have stock answers for all of those things. My favorite movie? movie. My favorite actor? actor.”
Here’s another person’s response:

It drives me nuts. Stupid questions like the “favorite” stuff – what am I five years old? I don’t have a f&*(&*ng favorite color you stupid POS website!!! And then there’s the “What street did you grow up on?” “What was your Math teacher’s name?” “What is your childhood pet’s name?” ********. I’d moved six times by the time I got to high school. I didn’t grow up on ONE street, nor did I have a SINGLE math teacher and I didn’t have a pet growing up!!! All these questions are so retarded. And frequently they make you choose a whole bunch of them…

Then there is the problem that most of these systems are looking for exact answers. So New York, NY is not New York, New York. The system that was supposed to prevent password reset calls is generating more calls.
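One way to soften the exact-match problem described above, as an added example that is not from the post or from any product it mentions: canonicalize the answer before storing and comparing it, and store it the way a password is stored (salted, slow hash, constant-time compare), since these answers are already low-entropy. The abbreviation table is a constructed stub, not a complete list.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed stub: a real deployment would need a complete table (or skip
# abbreviation expansion entirely and accept a few more reset calls).
ABBREVIATIONS = {"ny": "new york", "st": "street", "ave": "avenue"}
ITERATIONS = 100_000


def canonicalize(answer: str) -> str:
    """Strip cosmetic variation: accents, case, punctuation, spacing, abbreviations."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    tokens = re.findall(r"[a-z0-9]+", text)
    # "New York, NY" and "New York, New York" both become "new york new york"
    return " ".join(ABBREVIATIONS.get(t, t) for t in tokens)


def enroll(answer: str) -> dict:
    """Store the canonical answer like a password: random salt plus PBKDF2."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonicalize(answer).encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the hash of the canonicalized attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", canonicalize(attempt).encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    record = enroll("New York, NY")
    print(verify(record, "  new york,   New York "))  # True
    print(verify(record, "Albany, NY"))                # False
```

Canonicalization shrinks the answer space a little, which is why the hashed storage and rate limiting on reset attempts matter more than the matching rule itself.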
While reading on ITWorld.com I ran across a different approach to password reset.
I-forgot-my-password.com is a password reset system based on likes and dislikes. Given a list of items, you choose 16 things you like or dislike. It doesn’t need to be an emphatic like or dislike. They feel that studies show you won’t have to remember anything: when it comes time to reset your password, you will naturally select the same items.
I watched a video of the researcher’s presentation at Google.
I think the key questions are whether it scales and whether it protects against the right sort of attacks. It takes longer to register; I can’t imagine doing that every time I have to sign up for an account at a new site.
I think it fails a couple of tests:
1. If I register for this form of password reset on my bank site and then on a phishing or otherwise bad-actor site, then the bad guy has the same answers as for the valid site.
2. It fails the psycho ex-girlfriend test. She may know you well enough to pass the test.
Interesting work on a real problem. Check out the video link.

3 Comments

  1. How to Create and Remember Multiple Secure Passwords

    Create and Remember Secure Multiple Passwords
    I was asked by a co-worker how I keep track of so many passwords for so many accounts, all of which have to change annually. I told her I use a custom formula in my head that allows me to determine what a …

  2. Nice article – however, I’m not sure that mother’s maiden name would be classified as ‘public record’ by any agency…

  3. Mother’s maiden name ends up on all sorts of legal forms. Those forms are required to be available to the public simply by going to the courthouse. In many cases this information is now available online. In many, many states they aren’t even redacting the social security number before going online.
    There is a big difference between an agency acknowledging the idea of Mother’s maiden name being personally identifiable info, and the agency keeping it out of publicly accessible documents.
    Even when it isn’t just immediately there for the reading, it can be inferred from public record.
    Check out “Messing with Texas: Deriving Mother’s Maiden Name Using Public Records”
    http://www.informatics.indiana.edu/markus/papers/mmn.pdf
