Re: Most secure way to reset a password via email link [message #185411 is a reply to message #185165]
Sat, 29 March 2014 06:28
gordonb.9e9ri
> Yes, ... I hate these challenge question schemes. I do not like being
> forced to share things like my mother's maiden name - or other, perhaps,
> private information with other people. Do they hash those answers, too?
Don't give out personal information. Lie. Make it as blatant as
you want. You might get fired for lying on a job application, but
I don't think the same applies to passwords and security questions.
I think it's best that your answer is something that no reasonable
person would give as an answer to the question if it wasn't a
security question. Your mother's maiden name should be anything
but a name. Your first child's birthday should not be a date. Your
home town should not be a city, town, or village (at least not one
on Earth). If you are sure you will never be asked for your password
over the phone or in person by a human, you could try a phrase
loaded with cusswords that will get you punched out if you said it
in person.
Some people think they can get away from forced disclosure of
passwords to the US government by making their password a confession
to a crime. I doubt this will work. It also involves more typing
than most people will put up with, and most systems won't let you
enter a pass-novel as a password.
> If not, it's like giving away the keys to any other site where I use
> that.
You should presume that anything you enter can be gotten in plaintext
by a technical employee at the site, regardless of how it's officially
stored. A good explanation of SSL I've heard: SSL allows you to
deliver your credit card number to the thief that owns the web site
securely so that he can rip you off before other thieves max out
your card. Well, perhaps that's a bit harsh, but SSL will not
protect you from the owner/operator of the site you intend to send
data to.
Don't share passwords between different sites managed by different
companies. Don't share passwords between your bank and Facebook,
or between work accounts and personal accounts. I suppose a
rogue admin at a social networking site might have a good chance
of raiding customer bank accounts given the password, name, and
whatever useful personal information is put on the site.
> If I pick a random question and supply a random answer, how do I
> remember it?
I have a few hundred personal passwords. The first thing to realize
is that I *DON'T* need to keep 90% of them handy at all times. For
most of them, it's fine if I have to go home to get the password
and use it from there. Accessing your property tax account just
isn't urgent enough to require accessing it from an Internet cafe
unless you kept putting it off for a couple of months.
People usually do a pretty good job keeping their wallet secure,
even though they carry it around with them. This is probably OK
except for keeping it secure from people you live with (spouses,
kids, parents). Go ahead and write it down - it's much better than
having one or a few passwords you use for all sites. It might be
a good idea to put passwords on one piece of paper and what they
are for on another.
If you can find a good phone app that stores your passwords encrypted
on the phone, that might work well.
> I noticed that my answer at one site can be mistyped slightly and still
> pass. This would imply that they are saving this information in plain
> text. Stupid is as stupid does.
Or perhaps worse, they chop it at N characters and then hash those.
N = 8 is sometimes found with Unix-style password hashing.
> I think this kind of thing (and requirements on password strength)
> create a security problem of their own by forcing people to record this
> information somewhere and then keep it handy.
I'm not sure that's such a bad thing. It may present a problem if
you really need to keep this information secret from someone you
live with.
> To the OP - it has been said - do not store passwords in plain text or a
> retrievable form. Use a one way hash. Any site that can "send me my
> password if I forgot" is a big security risk.
Agreed. However, beware if the hash of the password *becomes* the
password: you can get access knowing the hash but not the password.
Someone came up with an interesting way of assigning unique numbers
to a device easily, and it might work for passwords also. It costs
US $1 for each unique number. To make a Facebook password, you
take a $1 bill and write "Facebook" on it. The password is a
combination of the series year, and the serial number of the bill.
If you want to change your password, get another $1 bill and spend
the first one. If you keep these bills in your wallet, just remember
not to spend them. Also watch out for getting your own or someone
else's old passwords in change.
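The truncation trap raised above (only the first N characters get hashed, so a slightly mistyped answer still passes) and the rule that a server must recompute from the submitted password rather than accept a hash, as an added example that is not part of the original post or thread. `legacy_hash` is a constructed stand-in for a truncating scheme, not real crypt(3), and the sample passwords are made up.

```python
import hashlib
import hmac
import os

TRUNCATE_AT = 8  # the N from the post: old Unix crypt(3) hashed only the first 8 characters


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Constructed stand-in for a truncating scheme: everything past
    N characters is discarded before hashing (not real crypt(3))."""
    return hashlib.sha256(salt + password[:TRUNCATE_AT].encode()).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Full-length, deliberately slow hash over every character."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify(stored: bytes, salt: bytes, attempt: str, hash_fn) -> bool:
    """Recompute from the *submitted password* and compare in constant
    time. Comparing a client-supplied hash instead would make the hash
    itself the password, which is the trap the post warns about."""
    return hmac.compare_digest(stored, hash_fn(attempt, salt))


def accepts_near_miss(hash_fn, password: str, variant: str) -> bool:
    """Defender's self-check for a password store: enrol `password`,
    then see whether a different string `variant` still authenticates.
    True means the scheme is truncating (or otherwise lossy)."""
    salt = os.urandom(16)
    stored = hash_fn(password, salt)
    return variant != password and verify(stored, salt, variant, hash_fn)


if __name__ == "__main__":
    enrolled = "correct horse battery"  # constructed sample password
    mistyped = "correct horse"          # same first 8 chars, tail differs
    for name, fn in (("legacy", legacy_hash), ("modern", modern_hash)):
        print(f"{name}: near-miss accepted = {accepts_near_miss(fn, enrolled, mistyped)}")
```

Run against your own password store's verify routine: if any variant that differs only after the first few characters authenticates, the store is truncating before it hashes.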