[Tfug] Authentication procedures

Bexley Hall bexley401 at yahoo.com
Tue Mar 17 21:51:42 MST 2009


Hi, Adrian,

> > What is a realistic scheme for handling "lost passwords"?
> 
> Well... depends on what you mean by "realistic".
> Users seem to think they should be presented with a big
> button that says "Your password is:", but that 
> button should never appear to anyone else.

<grin>  Or, someone to *call* and *berate* into fixing
the problem for them...

> Administrators have a different view.
> 
> So... here's where I sit... First, I believe passwords
> should never be "recoverable". Passwords should be
> "reset-able", but never allowed to be 
> reversed (i.e. one-way hashed, never store the original)...

Agreed.

> Unfortunately, I believe the vast number of websites that
> use the "What is your birthday?" ilk 
> as a reset authentication have done a great disservice in
> teaching people to 
> use obvious/public information as passwords.

I was amazed to see how many "on-line services" (e.g., banking)
follow the same pattern.

> What I tend to do when 
> confronted with such things is to use a password that is
> very obvious (to me) 
> and easy to use, but has no relation at all to the question
> answered.
> 
> So... for instance, if the question was "What is your
> birthday?" I might 
> answer "puppydog32"... The answer is not related
> in any way to the question 
> (or any of the other questions) and never used as your
> primary password 
> anywhere (i.e. you only use this for password resets), but

Exactly.  And, you *rarely* do password resets.  I.e.,
in my scheme, I force the system to change this password
for you whenever you use it -- thus inconveniencing you
if you happen to be negligent enough to need it.

> is dead simple to 
> remember across multiple sites where you may need a
> "backdoor" to reset your 
> password. I can then use "puppydog32" as the
> answer to my "Mother's maiden 
> name?" on another site, and "What is your
> favorite song?" on a third.
But, if you do that, it's no better than picking and
reusing a single "password".  I.e., once someone knows
"puppydog32" is precious to you, they can use it on
all of your accounts' "security questions".

While I dislike having to write down passwords, I
think the "super secret" recovery passwords can bear
to be squirrelled away.  Especially if you are at
the mercy of the system to come up with new passwords
each time you "consume" one.
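The scheme discussed in this thread, as an added example that is not part of the original post or of any tfug member's code: passwords and recovery codes are stored only as salted one-way hashes, the recovery code is chosen by the server rather than the user (so nothing like "puppydog32" is shared across sites), and consuming it forces a new password and a new recovery code, so a code that has been used once is dead. The PBKDF2 work factor, the code length and the `AccountStore` API are assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256; an assumed value for this example, tuned per deployment.
PBKDF2_ROUNDS = 100_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted one-way hash: the stored value cannot be reversed into the secret."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def new_recovery_code() -> str:
    """Server-chosen recovery code; the user writes it down instead of picking it."""
    return secrets.token_urlsafe(12)


@dataclass
class Account:
    username: str
    pw_salt: bytes
    pw_hash: bytes
    rc_salt: bytes
    rc_hash: bytes


class AccountStore:
    """Hypothetical in-memory account store; only hashes are kept, never the secrets."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def create(self, username: str, password: str) -> str:
        """Create the account and return the recovery code, shown to the user only now."""
        pw_salt, rc_salt = os.urandom(16), os.urandom(16)
        code = new_recovery_code()
        self.accounts[username] = Account(
            username, pw_salt, hash_secret(password, pw_salt), rc_salt, hash_secret(code, rc_salt)
        )
        return code

    def verify_password(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(hash_secret(password, acct.pw_salt), acct.pw_hash)

    def recover(self, username: str, code: str) -> Optional[Tuple[str, str]]:
        """Consume a recovery code. On success the old password and the old code are both
        invalidated; returns (new_password, new_recovery_code), each shown once."""
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(hash_secret(code, acct.rc_salt), acct.rc_hash):
            return None
        new_password = secrets.token_urlsafe(12)
        new_code = new_recovery_code()
        acct.pw_salt, acct.rc_salt = os.urandom(16), os.urandom(16)
        acct.pw_hash = hash_secret(new_password, acct.pw_salt)
        acct.rc_hash = hash_secret(new_code, acct.rc_salt)
        return new_password, new_code


if __name__ == "__main__":
    store = AccountStore()
    code = store.create("alice", "example-pass-1")  # constructed sample credentials
    print("recovery code (write it down):", code)
    print("reuse of a consumed code succeeds:", store.recover("alice", code) is not None
          and store.recover("alice", code) is not None)
```

The point the thread makes is visible in the last line: the second `recover` call with the same code fails, because consuming the code replaced both the password and the code, which is the inconvenience that discourages relying on the reset path.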
