Friday, June 15, 2012

not-so-secret questions...

You want to know something that drives me nuts?

Password reset questions.  Yeah, I know, I'm not the only one, and it's certainly not an original or new complaint...But hey, it's the first time I've complained about it (in this forum, at any rate).

As anyone in InfoSec can attest, password-based authentication systems are frequently flawed...But when your only interaction with your customers is an impersonal remote connection -- via a seemingly-infinite variety of potential computing devices -- password-based systems are easy to implement & manage.

As an end user with little visibility to the protections implemented by a given website, the only sure way to mitigate risks associated with potential weaknesses is to take matters into your own hands...Use strong passwords...Rotate them on occasion...Don't use the same password for multiple sites.  If you hang out with any InfoSec geeks, I'm sure you've heard this all before.

Analog Password Manager
And unless you have an eidetic memory (or an office that looks like a scene out of Conspiracy Theory), keeping track of your passwords when following such a practice can get rather complicated...So, to my friends & family, I usually recommend a password manager like LastPass (there are others, but I prefer LastPass because it supports a variety of multi-factor options).  And for my coworkers, I usually hand them a page from my notebook (pictured).

So you do everything right. You get yourself a password manager. You set long, meaningless passwords with letters, numbers, symbols...maybe even the occasional umlaut (otherwise known as "röck döts,")...And then one day, you log in to your bank, and they ask you to provide answers to some secret questions, in case you ever need to reset your password.

Seems like a good idea, right?  I mean, I'd hate to lose access to my online account.  Because then I'd have to go interact with a teller face-to-face. And honestly, I don't exactly remember how that works....there was...something on the news...about wearing not nylons on your head...Anyway, not that it matters -- I'm pretty sure the closest physical office for my bank is roughly 1300 miles from my home.

So, yes, it seems like it'd be good to have a backup plan, in case I forget my password.

But...

My....my mother's maiden name?  I'm from a small town; how hard can that be to figure out?  Name of my first pet??  I'd give that info up during a casual conversation without even thinking about the risk.  Father's middle name?  That's gotta be statistically easy to extrapolate.

A decade ago, before social networks became all the rage, there may have been a few questions in the pool that would have felt a little difficult to guess.  But today, there are Facebook apps trying to build out your family tree.  Your favorite book/movie/food/hamburger-topping/band/band-name-that's-also-a-city/breed-of-fish/etc is all potentially published right there at the top of your profile.  Seven-hundred-thirty-six of your closest friends, most of whom wouldn't know your name if you ran into them on the street, are wishing you a happy birthday on your wall.

And we thought password-based systems were weak before this.

Sure, you can take some basic precautions to help your own children...Name your pet something uncommon, perhaps with a hyphen or apostrophe. But nothing stops them unraveling your careful work by posting an update on Twitter, "Taking my new pet, O'Fluffy-the-Kitteh, to Grandma MomsMaidenName's house where she grew up, in Bumbletucky, for my birthday next Tuesday."

My guidance to end users? Don't answer those password reset questions accurately. If the site is "high value," (your bank, or something that could be used to order & ship expensive koala meat), create random strings of text & store your answers in the notes section of your password manager.

And my guidance to companies implementing such practices?  Look, single-factor password systems were weak before...maybe it's time to move forward?  Look at how Google implemented 2-step verification, or look at how LastPass enables multifactor with the Google Authenticator. If you're a retail site, and I forget my password, I don't mind if you lock my transaction history & force me to reset any stored payment methods (I'd actually prefer it).  If you're running a low-sensitivity comment forum, I probably don't need anything more than email confirmation for the reset.  Just...don't further compromise your whole system just to save a couple bucks on customer support....It won't save you anything, in the long run.

-TZ
and +B!ng(0) was his name-o

No comments:

Post a Comment

Post a Comment