Re: [Assurance] Password reset process: Flogging the dead horse
  • From: "Joe St Sauver" <>
  • To:
  • Subject: Re: [Assurance] Password reset process: Flogging the dead horse
  • Date: Wed, 7 Aug 2013 16:34:04 -0700 (PDT)

Eric commented:

#Thanks, and yes for purposes of this question, I'd think email, SMS and
#snail mail are roughly equivalent.

They certainly pose different attack models. For example:

-- Email-based password resets were immortalized as attack vector in
Mat Honan's Wired piece, "Kill the Password: Why a String of Characters
Can't Protect Us Anymore,"
http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/

Go to page three of that article -- Mat wrote:

But we'd be left with the weakest link of all: human memory. Passwords
need to be hard in order not to be routinely cracked or guessed. So if
your password is any good at all, there's a very good chance you'll
forget it -- especially if you follow the prevailing wisdom and don't
write it down. Because of that, every password-based system needs a
mechanism to reset your account. And the inevitable trade-offs (security
versus privacy versus convenience) mean that recovering a forgotten
password can't be too onerous. That's precisely what opens your account
to being easily overtaken via social engineering. Although "socialing"
was responsible for just 7 percent of the hacking cases that government
agencies tracked last year, it raked in 37 percent of the total data
stolen.

Socialing is how my Apple ID was stolen this past summer. [continues]

-- A flawed SMS reset implementation, just so you don't think I'm only
picking on email-based password resets:

http://threatpost.com/sms-account-hijack-exploit-fixed-by-facebook

-- So what about password resets via snail mail?

While this could be very secure, if, for example, registered mail was
used, I suspect that that would be viewed as too expensive (and too
inconvenient). The credential would presumably just be tossed into a
regular first class letter, hopefully in one of those "security"
envelopes so you couldn't hold the letter up to the light and read
the message right through the envelope...

Anyhow, that will normally be fine, EXCEPT for cases such as:

-- all snail mail is opened by an administrative assistant (common among
executive level people), or by one's spouse/room mate; password
confidentiality just got breached...

-- cases such as users living abroad (where snail mail may literally
take weeks (or longer) to be delivered, if delivery occurs at
all); password reset just failed, if so...

There are some other approaches that I find more intriguing, including
biometrics (e.g., voice analysis, in particular), but those are also
not without their own unique set of problems.

Doing remote password resets securely is just a HUGE problem from my
POV.

Regards,

Joe
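As an added illustration (not from Joe's message or the Assurance list), here is a hypothetical reset-token store that applies the channel differences discussed above: validity windows sized to each channel's delivery delay, the token hashed at rest, and strictly single-use so an intercepted or re-sent copy cannot be replayed. The channel names, TTL values and class are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Assumed per-channel validity windows, matching the delivery delays discussed
# in the thread: e-mail/SMS arrive in minutes, a letter abroad may take weeks.
CHANNEL_TTL = {
    "email": timedelta(minutes=30),
    "sms": timedelta(minutes=10),
    "postal": timedelta(weeks=4),
}


class ResetTokenStore:
    """Issues single-use reset tokens and keeps only their hash at rest."""

    def __init__(self, now=None):
        # Injectable clock so expiry can be exercised without waiting.
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._pending = {}  # user_id -> (token_hash, expires_at, channel)

    def issue(self, user_id, channel):
        if channel not in CHANNEL_TTL:
            raise ValueError(f"unknown delivery channel: {channel}")
        token = secrets.token_urlsafe(32)  # plaintext goes out over the channel only
        digest = hashlib.sha256(token.encode()).hexdigest()
        expires = self._now() + CHANNEL_TTL[channel]
        # Re-issuing replaces any earlier token, so an old letter or
        # e-mail that surfaces later cannot be used.
        self._pending[user_id] = (digest, expires, channel)
        return token

    def redeem(self, user_id, token):
        """True exactly once for a valid, unexpired token; False otherwise."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires, _channel = entry
        if self._now() > expires:
            del self._pending[user_id]  # stale token is discarded, not left usable
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return False  # wrong token: entry stays, no timing leak on the comparison
        del self._pending[user_id]  # single use: consumed on first success
        return True
```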
