[Tfug] Authentication procedures
Choprboy
choprboy at dakotacom.net
Tue Mar 17 13:55:23 MST 2009
On Tuesday 17 March 2009 11:47, Bexley Hall wrote:
[snip]
> And: that most "backup" authentication mechanisms
> rely on "personal knowledge" (that you have of yourself)
> that many people *also* have about you;
>
> What is a realistic scheme for handling "lost passwords"?
>
> E.g., I helped a friend recover a lost password for a
> gmail account. The process was laughable!
>
> The standard "security questions" they ask can easily
> be forged by anyone who knows the individual well enough.
> E.g., "What's your birthday?" (wow! I'm sure NO ONE
> knows *that*!!) "Who is your favorite artist?"
Well... depends on what you mean by "realistic". Users seem to think they
should be presented with a big button that says "Your password is:", but that
button should never appear to anyone else. Administrators have a different
view.
So... here's where I sit... First, I believe passwords should never
be "recoverable". Passwords should be "reset-able", but never allowed to be
reversed (i.e. one-way hashed, never store the original)... If you lose it,
tough, you'll have to pick a new password.
Second... how do you provide an authentication to reset the password? Well...
in a perfect world it would require 3 factor authentication in the presence
of the admin, with a 37b/2 form completed in triplicate and duly filed, just
scratch out where it says "Machine gun" and write in "password reset". That
would "encourage" proper memory retention... but I digress. Unfortunately, I
believe the vast number of websites that use the "What is your birthday?" ilk
as a reset authentication have done a great disservice in teaching people to
use obvious/public information as passwords. What I tend to do when
confronted with such things is to use a password that is very obvious (to me)
and easy to use, but has no relation at all to the question answered.
So... for instance, if the question was "What is your birthday?" I might
answer "puppydog32"... The answer is not related in any way to the question
(or any of the other questions) and never used as your primary password
anywhere (i.e. you only use this for password resets), but is dead simple to
remember across multiple sites where you may need a "backdoor" to reset your
password. I can then use "puppydog32" as the answer to my "Mother's maiden
name?" on another site, and "What is your favorite song?" on a third.
Adrian
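The scheme Adrian describes, as an added Python example that is not code from this thread: passwords and the reset answer are stored only as salted one-way hashes, a forgotten password can only be replaced (never recovered), and the reset is gated by the unrelated answer plus a short-lived, single-use token. The PBKDF2 iteration count and the 15-minute token lifetime are assumed values.

```python
import hashlib, hmac, os, secrets, time

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune for your hardware)
TOKEN_TTL = 15 * 60   # reset tokens expire after 15 minutes (assumed policy)


def _hash(secret: str, salt: bytes) -> bytes:
    # One-way: the stored value cannot be turned back into the secret, so no "Your password is:" button.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def _normalize_answer(answer: str) -> str:
    # Only the reset answer is case/whitespace-folded; passwords are hashed exactly as typed.
    return " ".join(answer.strip().lower().split())


class Account:
    def __init__(self, password: str, reset_answer: str):
        self.pw_salt, self.ans_salt = os.urandom(16), os.urandom(16)
        self.pw_hash = _hash(password, self.pw_salt)
        self.ans_hash = _hash(_normalize_answer(reset_answer), self.ans_salt)
        self._token_hash = None      # only a hash of the outstanding reset token is kept
        self._token_expires = 0.0

    def login(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.pw_salt), self.pw_hash)

    def request_reset(self, answer: str, now=None):
        # Step 1: prove knowledge of the reset secret; hand back a one-time token (to be e-mailed).
        if not hmac.compare_digest(_hash(_normalize_answer(answer), self.ans_salt), self.ans_hash):
            return None
        token = secrets.token_urlsafe(32)
        self._token_hash = hashlib.sha256(token.encode()).digest()
        self._token_expires = (time.time() if now is None else now) + TOKEN_TTL
        return token

    def complete_reset(self, token: str, new_password: str, now=None) -> bool:
        # Step 2: token must match and be unexpired; it is consumed on any attempt, so it cannot be retried.
        now = time.time() if now is None else now
        expected, self._token_hash = self._token_hash, None
        if expected is None or now > self._token_expires:
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), expected):
            return False
        self.pw_salt = os.urandom(16)               # fresh salt; the old password hash is discarded
        self.pw_hash = _hash(new_password, self.pw_salt)
        return True
```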