Post #185,581
11/30/04 2:57:04 PM
|

NO
You have then effectively reduced the security of the system to answering the stupid, weak secret question. DO NOT PERPETUATE THIS METHOD OF INSECURITY.
|
Post #185,582
11/30/04 2:58:41 PM
|

Er, buh?
The security isn't compromised. The question would ONLY be used to allow someone to reset the password to a random string and email it, not get into the system.
Regards,
-scott anderson
"Welcome to Rivendell, Mr. Anderson..."
|
Post #185,593
11/30/04 4:13:16 PM
|

That's enough of a detriment not to warrant the risk IMO
|
Post #185,594
11/30/04 4:16:38 PM
|

?
Regards,
-scott anderson
"Welcome to Rivendell, Mr. Anderson..."
|
Post #185,625
11/30/04 5:46:20 PM
|

??
===
Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats]. [link|http://DocHope.com|http://DocHope.com]
|
Post #185,583
11/30/04 3:01:36 PM
|

Yeah
When setting up a user, leave the "Question" and "Answer" fields both blank. Allow the user to enter their own question. And, of course, the answer to it.
"What is your Fraternity initiate number?" "1234" "What is your favorite sports team?" "Chicago Cubs" "What is the value of 6 x 9 on alternate Tuesdays?" "54"
etc.
When the user wants to reset their password, they are then prompted with their own question, must provide the correct answer, and then their password is successfully reset, and their new password is emailed to the email address on file, and nowhere else.
How is that insecure?
-YendorMike
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, 1759 Historical Review of Pennsylvania
|
Post #185,595
11/30/04 4:17:29 PM
|

How is that insecure?
You've reduced the work needed to perform a successful attack because people do not know how to choose secure questions or answers. Although there are potentially trillions of answers to "What is your favorite sports team?" (including answers such as "Zaphod Beeblebrox" and "suo48gn4lo"), the majority of users will select from a limited list of answers, and a substantial portion are going to choose "Chicago Cubs".
|
Post #185,596
11/30/04 4:18:26 PM
|

You're unclear on this.
They cannot either get into the system or get the password by knowing the answer to the question. They can only cause the user to get their password to be reset. I really don't understand your objection to this. Why don't you explain how you think this compromises the system?
Regards,
-scott anderson
"Welcome to Rivendell, Mr. Anderson..."
|
Post #185,598
11/30/04 4:22:21 PM
|

See below.
|
Post #185,713
12/1/04 1:55:04 PM
8/21/07 6:13:52 AM
|

You only need one field labeled "Hint"
You can put a cryptic memory jogger that nobody else would figure out. I like that one. i.e. - "Your uncle's horse".
Precious few people are going to know my uncle's name, much less the name of his primary steed (he has half a dozen but one fave).
"The significant problems we face cannot be solved at the same level of thinking we were at when we created them." --Albert Einstein
"This is still a dangerous world. It's a world of madmen and uncertainty and potential mental losses." --George W. Bush
|
Post #185,718
12/1/04 2:06:55 PM
|

Sure...
...That's the smart-man's way of handling a user-enterable "hint" and "hint response" type of field. You could just as easily enter "Glarble fark?" for the hint, and "Farkin-a!" for the response. Who the hell would think of that response to such gibberish?
The main point is that a user-enterable password hint and response are more secure than choosing from a list of questions, with a corresponding pre-chosen list of answers.
PS- Sorry if I've now ruined your response to some website. Farkin-a! :)
-YendorMike
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, 1759 Historical Review of Pennsylvania
|
Post #185,720
12/1/04 2:10:59 PM
|

Bah.
Now I need a new one...
Regards,
-scott anderson
"Welcome to Rivendell, Mr. Anderson..."
|
Post #185,741
12/1/04 4:35:59 PM
|

Not quite
1. Never get involved in a land war in Asia.
2. Never confuse "secure" with "securable"--that is, "potentially secure".
"The main point is that a user-enterable password hint and response are more secure than choosing from a list of questions, with a corresponding pre-chosen list of answers."
That should be:
"The main point is that a user-enterable password hint and response are more securable than choosing from a list of questions, with a corresponding pre-chosen list of answers."
The difference is that most users will still choose easily-guessable questions and answers. You and I may not, but we're exceptional people. ;)
|
Post #185,773
12/1/04 8:03:26 PM
|

And my point is...
"The difference is that most users will still choose easily-guessable questions and answers. You and I may not, but we're exceptional people. ;)"
I really don't give a rat's ass if anyone else chooses "What color is the sky?" with a response of "blue" to that question. If you let them choose the question and provide the answer, and they do something as downright stupid as that, why should I give a flying fuck? Why should Scott give a flying fuck, either? I know plenty of people, both friends and cow-orkers, who choose things like their child's name for their password. I'd be willing to bet that at least some people here are guilty of same. Hell, even I have been known to reuse passwords from one website to the next. Every person is responsible for their own account's security under this method. That's the point.
-YendorMike
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, 1759 Historical Review of Pennsylvania
|
Post #185,791
12/1/04 10:20:06 PM
|

I have a standard formula I use for passwords.
- Expendable accounts that are nice to have but nothing too important that I can't replace if compromised.
- Expendable accounts that are very important to me, but not irreplaceable.
- Important stuff that would be troublesome to replicate or recover.
- Critical stuff that I will not be able to recover or replace, or is so important to me that losing it would be very very bad.
Of course there are combinations of those levels. I still like my idea. I very much prefer it. Even compared to /. and the mechanism used.
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
Here is an example: [link|http://www.greymagic.com/security/advisories/gm001-ie/|Executing arbitrary commands without Active Scripting or ActiveX when using Windows]
|
Post #185,794
12/1/04 10:40:44 PM
|

I also have a standard formula
I assume that the web is open for all to review so have reused the same password combo for years as I don't give too much of a rat's if one gets compromised. I don't use ebay or other ecommerce sites. I do bank on the web so have a completely separate line for that. Knowing my generic work/web login would give no clues to my financials.
regards,
daemon
that way too many Iraqis conceived of free society as little more than a mosh pit with grenades. ANDISHEH NOURAEE
clearwater highschool marching band [link|http://www.chstornadoband.org/|http://www.chstornadoband.org/]
|
Post #185,797
12/1/04 11:06:54 PM
|

Ding, Ding, Ding.
If you fingered out my expendable passwords... you are completely in the wrong sector of the galaxy to try to relate to my "secure" passwords.
So it sounds like you are the same kind.
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
Here is an example: [link|http://www.greymagic.com/security/advisories/gm001-ie/|Executing arbitrary commands without Active Scripting or ActiveX when using Windows]
|
Post #185,584
11/30/04 3:13:54 PM
|

It's only insecure if the user is allowed to proceed
as if they had given the correct password.
Imric's Tips for Living
- Paranoia Is a Survival Trait
- Pessimists are never disappointed - but sometimes, if they are very lucky, they can be pleasantly surprised...
- Even though everyone is out to get you, it doesn't matter unless you let them win.
|
Nothing is as simple as it seems in the beginning, As hopeless as it seems in the middle, Or as finished as it seems in the end.
|
|
Post #185,597
11/30/04 4:22:03 PM
|

Bah. Risk is the issue.
...and there are more risks than simply "proceeding as normal". One is that they would (in parallel) gain access to the new-password mailbox through sniffing, cracking or other means. Another is that they mount a DOS on my mailbox through the "new password" feature. For some mail systems, these would go hand-in-hand. Secure systems require examining all the risks, not just the original risk for which your technology was designed.
|
Post #185,600
11/30/04 4:23:51 PM
|

So what's YOUR suggestion?
Regards,
-scott anderson
"Welcome to Rivendell, Mr. Anderson..."
|
Post #185,606
11/30/04 4:39:05 PM
|

Unfortunately for you #1 ;)
But looking at #2, it should be possible to secure the plaintext pword DB on a limited-services box. If the server also does FTP, SSH, what-have-you, it becomes less desirable.
|
Post #185,607
11/30/04 4:41:00 PM
|

WTF?
How is #2 any more secure than #3?
Regards,
-scott anderson
"Welcome to Rivendell, Mr. Anderson..."
|
Post #185,608
11/30/04 4:44:04 PM
|

Sorry. You're right. I didn't read carefully.
I glossed over the email part.
|
Post #185,609
11/30/04 4:47:21 PM
11/30/04 4:48:36 PM
|

So how does that change your answer?
And I'm mainly interested to see if you have any suggestions for automated functionality.
But if we were to do #1, there's still the issue of me authenticating requests for password changes (if I'm doing the changing) or email snooping if I'm resetting and sending a new one.
There's also option #4 at the end of the thread.
Regards,
-scott anderson
"Welcome to Rivendell, Mr. Anderson..."

Edited by admin
Nov. 30, 2004, 04:48:36 PM EST
|
Post #185,603
11/30/04 4:30:48 PM
|

Same risk as we have now during login.
And with CRC's suggestion that there be a limit on tries/hour, a DOS on your mailbox is NOT an issue.
Imric's Tips for Living
- Paranoia Is a Survival Trait
- Pessimists are never disappointed - but sometimes, if they are very lucky, they can be pleasantly surprised...
- Even though everyone is out to get you, it doesn't matter unless you let them win.
|
Nothing is as simple as it seems in the beginning, As hopeless as it seems in the middle, Or as finished as it seems in the end.
|
|
Post #185,605
11/30/04 4:37:17 PM
|

Same outcome, different risk--the attack surface has doubled
|
Post #185,678
12/1/04 2:33:03 AM
|

Not mine.
"The other" Scott's: [link|/forums/render/content/show?contentid=185579|Post #185579].
[link|mailto:MyUserId@MyISP.CountryCode|Christian R. Conrad] (I live in Finland, and my e-mail in-box is at the Saunalahti company.)
Your lies are of Microsoftian Scale and boring to boot. Your 'depression' may be the closest you ever come to recognizing truth: you have no 'inferiority complex', you are inferior - and something inside you recognizes this. - [link|http://z.iwethey.org/forums/render/content/show?contentid=71575|Ashton Brown]
|
Post #185,716
12/1/04 2:04:43 PM
|

Can we please weight the risks
against benefits and against the importance of the information being protected? I have a hard time imagining someone using mailbox spoofing just to get access to my IWETHEY identity. DOSes can be easily prevented by limiting the number of resets per day.
--
This guy's ahead of his time! He's using quantum programming methods: in universes where invalid data is passed to this function, it does not return. Thus you are ensured that you will only have valid data after calling it. Optimally you'd destroy the universe on failure, but computers haven't quite advanced to that level yet.
-- [link|http://thedailywtf.com/archive/2004/10/26/2920.aspx|The] Daily WTF
|