Bad Security 201 – Password Reminder Questions

There are a great many websites that have a “click here to reset your password” button (they’re all evil and wrong).  When you click on that button, you are presented with a question or list of questions, and you need to answer one or more of them to have your password reset.

Common questions include:

  • The Street where you grew up
  • Where you were born
  • Your mother’s maiden name
  • The name of your first pet
  • etc.

The theory, of course, is that only the legitimate user would know the answers to these questions.  It’s a stupid theory.  Here’s the problem: for anyone who’s moderately online, one or more of these questions is pretty easily answered.  Try PeopleFinders.  I get my age, all my siblings’ names, my wife’s name (which includes her maiden name as her middle name, a pretty common occurrence nowadays), and the names of my parents.  For $11-$50, I can find out a ton of information regarding any of those people, including past addresses.  So, for $50, you can pretty easily find the list of addresses for my parents, one of which is the “Street where I grew up”.  Anyone trying to game the accounts of my kids, of course, gets their mother’s maiden name pretty easily here.  Googling around, or searching on Facebook or MySpace or one of the other social networking sites, can give you hobbies, pets’ names, you name it.
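To make the design flaw concrete, here is an added example (mine, not the post’s or any vendor’s code) that puts the scheme the post criticises next to a recovery flow that treats the answer as a weak extra hurdle rather than as the sole proof of identity. The account data, street name and e-mail address are constructed sample values; the `RecoveryService` class and its method names are my own assumptions. The hardened flow sends a single-use, expiring token out of band, gives the same response whether or not the account exists, stores the answer only as a salted PBKDF2 hash, compares it in constant time, and caps the number of guesses.

```python
import hashlib
import hmac
import secrets
import unicodedata

# --- The design the post criticises: the answer alone resets the password ---

# Constructed sample account; the answer is exactly the kind of fact a
# people-search site or a social-network profile hands out.
WEAK_ACCOUNT = {
    "user": "alice",
    "question": "The street where you grew up",
    "answer": "Elm Street",   # stored in the clear, compared directly
}


def weak_reset_allowed(account, supplied_answer):
    """Knowledge-based reset: whoever can look the answer up gets the account."""
    return supplied_answer == account["answer"]


# --- A hardened recovery flow (hypothetical service, assumptions of this example) ---

def normalize(answer):
    """Fold case, accents and whitespace so 'elm street ' matches 'Elm Street'.

    This only removes accidental variation; it does not widen what is accepted.
    """
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode()
    return " ".join(folded.lower().split())


def hash_answer(answer, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256 over the normalized answer; never store the clear text."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)
    return salt, digest


class RecoveryService:
    MAX_ATTEMPTS = 5        # guesses allowed per user before recovery is locked
    TOKEN_TTL = 15 * 60     # seconds a reset token stays valid

    def __init__(self):
        self.accounts = {}   # user -> {"email", "salt", "digest"}
        self.attempts = {}   # user -> failed answer attempts
        self.tokens = {}     # token -> (user, expiry timestamp)
        self.outbox = []     # stands in for the e-mail gateway: (address, token)

    def enroll(self, user, email, answer):
        salt, digest = hash_answer(answer)
        self.accounts[user] = {"email": email, "salt": salt, "digest": digest}

    def request_reset(self, user, now):
        """Step 1: same reply for every name, token goes out of band to the mailbox."""
        if user in self.accounts:
            token = secrets.token_urlsafe(32)
            self.tokens[token] = (user, now + self.TOKEN_TTL)
            self.outbox.append((self.accounts[user]["email"], token))
        return "If that account exists, a reset link has been sent."

    def complete_reset(self, token, supplied_answer, now):
        """Step 2: the token proves control of the mailbox; the answer is only an
        additional, rate-limited check, so it cannot be guessed at leisure."""
        entry = self.tokens.get(token)
        if entry is None:
            return False
        user, expires = entry
        if now > expires:
            del self.tokens[token]           # expired tokens are discarded
            return False
        if self.attempts.get(user, 0) >= self.MAX_ATTEMPTS:
            return False                     # locked: too many wrong answers
        acct = self.accounts[user]
        _, digest = hash_answer(supplied_answer, acct["salt"])
        if not hmac.compare_digest(digest, acct["digest"]):
            self.attempts[user] = self.attempts.get(user, 0) + 1
            return False
        del self.tokens[token]               # single use
        self.attempts.pop(user, None)
        return True
```

The point of the contrast is where the trust sits: in `weak_reset_allowed` a looked-up street name is sufficient, whereas in `complete_reset` the street name never gets an attacker anywhere without the mailbox token, and five wrong guesses end the attempt regardless of how public the real answer is.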

Any IT department that implements one of these “remind me of my password” systems is doing it for one simple reason: verifying someone’s identity is a difficult task.  People forgetting their passwords and needing their credentials reset are a huge drain on IT departments – doing this sort of task in any meaningful way requires someone trained to avoid social engineering techniques and able to reasonably verify that someone is who they say they are.  Most IT departments are strapped for resources as it is; they’re not going to do this job properly unless there is a real mandate to do it right.

And this is yet another reason why I don’t bank online.


Posted October 30, 2007 by padraic2112 in security

3 responses to “Bad Security 201 – Password Reminder Questions”


  1. Aha! I have fictional answers to all those questions!

  2. Pingback: Password Reminder Questions In Politics « Pat’s Daily Grind

  3. Not to mention all the quizzes and such that go around facebook… such as: find your porn star name by putting together the name of your first pet and the street you grew up on.

    christopher anglin
