Earlier this week I was discussing password resets with one of my co-workers. Common password reset questions are discoverable, guessable or disclosed on your social networking site.
Mother’s Maiden Name – public record
Street you grew up on – findable
Place of Birth – discoverable
Name of Pet – guessable (top list of pet names on the Internet, or just check their Facebook)
Users “improve” on security by putting something else there. They’ve effectively created a second password when they couldn’t remember the first. Now it’s likely they’ll forget both.
In a discussion of users at a non-security forum where I’m a member, one user reports “I just have stock answers for all of those things. My favorite movie? movie. My favorite actor? actor.”
Here’s another person’s response:
It drives me nuts. Stupid questions like the “favorite” stuff – what am I five years old? I don’t have a f&*(&*ng favorite color you stupid POS website!!! And then there’s the “What street did you grow up on?” “What was your Math teacher’s name?” “What is your childhood pet’s name?” ********. I’d moved six times by the time I got to high school. I didn’t grow up on ONE street, nor did I have a SINGLE math teacher and I didn’t have a pet growing up!!! All these questions are so retarded. And frequently they make you choose a whole bunch of them…
Then there is the problem that most of these systems require exact answers, so “New York, NY” is not “New York, New York”. The system that was supposed to prevent password reset calls is generating more calls.
While reading on ITWorld.com I ran across a different approach to password reset.
I-forgot-my-password.com is a password reset system based on likes and dislikes. Given a list of items, you choose 16 things you like or dislike. It doesn’t need to be an emphatic like or dislike. They feel that studies show that you won’t have to remember anything: when it comes time to reset your password, you will naturally select the same items.
I watched a video of the researcher’s presentation at Google.
I think the key questions are whether it scales and whether it protects against the right sort of attacks. It takes longer to register. I can’t imagine doing that every time I have to sign up for an account at a new site.
I think it fails a couple of tests:
1. If I register for this form of password reset on my bank site and then on a phishing or otherwise bad-actor site, then the bad guy has the same answers as for the valid site.
2. It fails the psycho ex-girlfriend test. She may know you well enough to pass the test.
Interesting work on a real problem. Check out the video link.