Easily Reset Passwords and OpenID

September 20th 2008

It’s no surprise that someone managed to reset Sarah Palin’s password on a freebie e-mail account. She’s a public figure, and the answers to her so-called “security questions” are a matter of public record. Doing personal and political e-mail on a Yahoo account is one thing, but it’s DUMB to use such an account for government business when you have your very own support staff to keep that e-mail secure.

Large-scale vendors like Yahoo and Google can’t help but do a bad job at authentication: they must serve millions of users who forget their passwords, so account recovery ends up resting on questions that anyone who can read a biography can answer. This is why OpenID holds such promise: it lets us choose our own authentication provider. Yes, some people will choose bad vendors. Careful people, however, get to choose safe ones.

Posted under Information Security

“Design Patterns” for Identity Systems

September 18th 2008

These are design patterns in the Christopher Alexander sense rather than the object-oriented design sense: they address the physical and network environment in which authentication takes place rather than software abstractions. The patterns were introduced in my book Authentication.

There are four patterns: local (the verifier runs on the same machine the user sits at), direct (the user authenticates across the network to the server that holds the credentials), indirect (the server defers the decision to a separate authentication server, as with RADIUS or Kerberos), and off-line (the verifier checks a credential such as a public-key certificate without contacting the party that issued it).

Posted under Information Security

Senator McCain and “Internet Cryptography”

September 7th 2008

In honor of the electoral season, I’m sharing an old photograph. The occasion was a visit by Senator John McCain (R-AZ) to Secure Computing in June 1999. We discussed possible revisions to cryptographic export controls, and he posed for photos holding a copy of Internet Cryptography, which was ‘recently published’ back then.

I don’t want to turn this into a political blog - this posting simply reports on the visit.

Posted under Information Security

Password Resetting Considered Harmful - duh!

September 1st 2008

It used to be that the default password was your mother’s maiden name, your SSN, your birthdate, or something like that. Now you have to pick a password, but your ‘password recovery’ questions are based on those same old stand-by questions, so you can still break into a person’s accounts by answering them. A recovery question is, in effect, a second password, and one whose answer is often a matter of public record or drawn from a space small enough to enumerate.

There have been some interesting reports lately on the use of personal questions for password resetting, and Bob Sullivan has summarized them in a recent posting.

This problem will only go away slowly, as people learn how NOT to lose control of their security credentials.
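To make the “recovery question is a second password” point concrete, here is an added, constructed example (not code from the original post or from any of the reports it cites). It puts the classic question-based reset flow beside a reset flow driven by a random, single-use, expiring token, and shows two attacks on the former: one lookup of a public-record fact, and brute-force enumeration of a birthdate with no rate limit. The account name, the answers, the “public record” and the clock are all made up for the illustration.

```python
# Added example: knowledge-based password reset beside a token-based one.
# Everything below (account, answers, "public record", clock) is constructed.
import hashlib
import hmac
import secrets
import time
from datetime import date, timedelta


def _answer_hash(answer: str) -> str:
    # Recovery answers are usually matched case- and whitespace-insensitively,
    # which shrinks an already tiny answer space even further.
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()


class KnowledgeBasedReset:
    """Classic flow: whoever answers the question gets to set a new password.
    No rate limit, because sites of the era mostly had none."""

    def __init__(self):
        self.accounts = {}  # user -> {"password": str, "answers": {question: hash}}

    def register(self, user, password, answers):
        self.accounts[user] = {"password": password,
                               "answers": {q: _answer_hash(a) for q, a in answers.items()}}

    def reset(self, user, question, answer, new_password) -> bool:
        acct = self.accounts[user]
        if hmac.compare_digest(acct["answers"][question], _answer_hash(answer)):
            acct["password"] = new_password
            return True
        return False


class TokenReset:
    """Reset via a random, single-use, expiring token delivered out of band."""
    TTL = 15 * 60  # seconds a token stays valid

    def __init__(self, now=time.time):
        self.accounts = {}
        self.pending = {}  # sha256(token) -> (user, expiry); a DB leak exposes no usable token
        self.now = now

    def register(self, user, password):
        self.accounts[user] = {"password": password}

    def request(self, user) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits: neither guessable nor enumerable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (user, self.now() + self.TTL)
        return token  # a real system sends this only to the address on file

    def complete(self, token, new_password) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop: a token works at most once
        if entry is None:
            return False
        user, expiry = entry
        if self.now() > expiry:
            return False
        self.accounts[user]["password"] = new_password
        return True


def _target() -> KnowledgeBasedReset:
    svc = KnowledgeBasedReset()
    svc.register("governor", "hunter2", {"mother's maiden name": "Sheeran",  # constructed
                                         "birthdate": "1964-02-11"})         # constructed
    return svc


def public_record_attack() -> bool:
    """One lookup in a (constructed) biography suffices; letter case does not matter."""
    return _target().reset("governor", "mother's maiden name", "sheeran", "pwned")


def birthdate_attack(first_year=1930, last_year=1989) -> int:
    """Try every date in a 60-year window; returns attempts used, 0 if it failed."""
    svc = _target()
    day, attempts = date(first_year, 1, 1), 0
    while day <= date(last_year, 12, 31):
        attempts += 1
        if svc.reset("governor", "birthdate", day.isoformat(), "pwned"):
            return attempts
        day += timedelta(days=1)
    return 0


def token_flow_properties() -> dict:
    """Legitimate use succeeds once; replay, a random guess and a stale token all fail."""
    clock = [1_000_000.0]  # constructed clock so expiry is testable
    svc = TokenReset(now=lambda: clock[0])
    svc.register("governor", "hunter2")
    token = svc.request("governor")
    results = {"first_use": svc.complete(token, "new-secret"),
               "replay": svc.complete(token, "again"),
               "guess": svc.complete(secrets.token_urlsafe(32), "pwned")}
    late = svc.request("governor")
    clock[0] += TokenReset.TTL + 1
    results["expired"] = svc.complete(late, "late")
    results["password"] = svc.accounts["governor"]["password"]
    return results
```

The birthdate enumeration finishes in well under 22,000 attempts because the answer space is a few decades of days; a real reset form that accepts unlimited tries is only as strong as that. The token flow sidesteps the problem entirely: the secret is 256 random bits, it is stored only as a hash, it is consumed on first use, and it dies after fifteen minutes, so the only way to reset the password is to control the out-of-band channel the token is sent to.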

Posted under Information Security
