Password Resetting Considered Harmful - duh!

September 1st 2008 02:38 pm

It used to be that the default password was your mother’s maiden name, your SSN, your birthdate, or something like that. Now you have to pick a password, and your ‘password recovery’ questions are based on those old stand-by questions. So you can still break into a person’s accounts by answering those classic questions.

There have been some interesting recent reports about the use of personal questions for password resetting, and Bob Sullivan has summarized them in a recent posting.

One fellow, a Herbert Thompson, asked friends for permission to hack into their accounts, and then proceeded to do so by using info allegedly gleaned from the friends’ MySpace sites and such.

More interesting, IMHO, is the link to a recently published research paper (PDF) by Ariel Rabkin, a researcher at the University of California at Berkeley, that actually reviews security questions.

This problem will only disappear over time, as people learn how NOT to lose security credentials. Back in the good old days, it didn’t matter if you lost your car key. You could usually find someone who knew how to hot wire it to get it started. Then you’d drive home and get your spare (unless that’s the one you lost). Today, a car is useless without its key. Someday we’ll probably all carry a digital credential similar to a car key, and it’ll be awful if we misplace it. So we won’t.

Strong authentication has to rely on something more than memorized secrets. This “something more” will contain more bits than normal humans can memorize. Maybe this information will reside in my cell phone, or maybe it resides in a USB stick or RF-oriented data carrier. I don’t know - there are problems with just about any solution.
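As an added illustration of this point (my own example, not code from the post), the Python below contrasts the small guess-space of typical recovery answers with a reset flow that relies on a random 128-bit, single-use, time-limited token instead; the entropy figures are constructed rough estimates, not measured data.

```python
import hashlib
import hmac
import secrets
import time

# Constructed rough estimates (bits) of how much an attacker must guess for
# common recovery questions. Someone who has read the victim's social profile
# can usually narrow these further, as the post describes.
QUESTION_ENTROPY_BITS = {
    "mother's maiden name": 10,   # roughly 1,000 surnames cover most people
    "birthdate": 15,              # about 36,500 days in a century
    "city of birth": 12,
}
TOKEN_BYTES = 16                  # 128 bits: far more than a person memorizes


def guesses_to_break(bits):
    """Expected number of guesses against a uniform secret of `bits` bits."""
    return 2 ** (bits - 1)


class ResetTokenStore:
    """Issue and verify single-use, time-limited password-reset tokens.

    Only a hash of each token is kept, so a leaked store does not expose
    usable tokens. `now` is injectable so expiry can be tested offline.
    """

    def __init__(self, ttl_seconds=900, now=time.time):
        self.ttl = ttl_seconds
        self.now = now
        self._pending = {}        # user -> (sha256(token), expires_at)

    def issue(self, user):
        token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG, not a question
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[user] = (digest, self.now() + self.ttl)
        return token              # deliver out of band (e-mail, SMS); never log

    def redeem(self, user, presented):
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires_at = entry
        if self.now() > expires_at:
            del self._pending[user]               # expired: discard
            return False
        ok = hmac.compare_digest(digest, hashlib.sha256(presented.encode()).digest())
        if ok:
            del self._pending[user]               # single use
        return ok
```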

Posted under Information Security
