Passwords May No Longer Be the Problem – Password Reset IS the Problem

Bad guys are looking for the weakest link. I worked at one of the world’s largest ISPs for many years. We continually told our customers to use strong, OK, stronger passwords than the ones they were using before. Many customers listened.

Unfortunately, the bad guys moved to the weakest link: the “I forgot my password, please reset it” question. What is your pet’s name? What is your favorite color? Favorite food? Where were you born? What a bonanza for bad guys! The set of plausible answers is small. Few people would answer that their favorite food is Brussels sprouts. Dictionary attacks are trivial. Unlike a password, which may contain a special character or a change in capitalization, password reset answers are almost guaranteed to be in a dictionary, and likely a small one. Not only are the answers found in a dictionary; a slightly smarter attacker could often find the answer online via Facebook, LinkedIn or MySpace profiles, or by using a search engine.

Additionally, password reset processes are often not set up to limit the number of attempts, IP addresses are not logged, and the other security mechanisms normally applied to passwords are not applied to reset questions.
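As an added example (not code from the original post), here is the server-side treatment the paragraph above says reset questions usually lack: the answer is stored only as a salted hash, compared in constant time, attempts are limited per account within a time window, and every attempt is written to an audit log with the client IP. The account name, IP address, thresholds and iteration count are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
import unicodedata
from collections import defaultdict

MAX_ATTEMPTS = 5        # failed answers allowed per account per WINDOW (assumed policy)
WINDOW = 15 * 60        # seconds before failed attempts stop counting (assumed policy)
ITERATIONS = 100_000    # PBKDF2 work factor (assumed; tune for your hardware)

def normalize(answer: str) -> str:
    # Case-fold and collapse whitespace so "Brussels  Sprouts" and "brussels sprouts"
    # match. This shrinks the answer space slightly, which is exactly why the
    # attempt limit below, not the answer itself, has to be the real control.
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def hash_answer(answer: str, salt: bytes = None) -> tuple:
    # Reset answers get the same storage treatment as passwords: salted, slow hash.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)
    return salt, digest

class ResetGuard:
    def __init__(self):
        self.failures = defaultdict(list)   # account -> timestamps of failed attempts
        self.audit = []                     # (timestamp, account, ip, outcome)

    def verify(self, account: str, stored: tuple, submitted: str, ip: str, now=None) -> str:
        """Return 'ok', 'fail' or 'locked'; every call leaves an audit entry with the IP."""
        now = time.time() if now is None else now
        recent = [t for t in self.failures[account] if now - t < WINDOW]
        self.failures[account] = recent
        if len(recent) >= MAX_ATTEMPTS:
            # Lockout is checked before hashing so a locked account reveals nothing,
            # and the IP is logged so repeated lockouts can be correlated.
            self.audit.append((now, account, ip, "locked"))
            return "locked"
        salt, expected = stored
        _, actual = hash_answer(submitted, salt)
        if hmac.compare_digest(expected, actual):   # constant-time comparison
            self.failures[account].clear()
            self.audit.append((now, account, ip, "ok"))
            return "ok"
        self.failures[account].append(now)
        self.audit.append((now, account, ip, "fail"))
        return "fail"
```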

Suggestions:

a) If you are going to use the correct answer for your pet aardvark’s name, then modify the capitalization, add punctuation, extra letters, etc.

b) Use a random set of characters, like a password, and write them down in a safe place. You can also use the notes section of LastPass.

About infoguardianangel
The consumer and corporate information guardian angel. Cybersecurity and privacy advice for my clients (and anyone else who cares about protecting their data or their companies).
