Friday, October 31, 2014

Having Fun with Password Self-Reset Mechanisms

You know what makes me crazy? Security people who don't understand how crappy attempts to push security policy actually drive security (in the real world) lower. Sometimes, and this makes it a little bit less bad, it's not security people that are responsible but well-meaning developers, project managers, or others who simply don't understand.

The quintessential example of this phenomenon is the password self-service reset functionality built into many websites. It's almost 2015, and the other day I was forced to register for a website that had no obvious reason to need a username and password from me, but I couldn't do what I needed to without going through that unfortunate string of events that all but guaranteed I would be upset.

First is that nagging feeling that this site is going to get hacked, or already has been. You know the one. As a security professional (or often just someone with some sense) you pull up a website which just screams "We took zero security precautions because we know nothing about web development (while using the tag)" - and suddenly you realize you almost have to give this site some of your personal information. Lovely.

Then there's that feeling that when this site gets hacked there's very little you can do, because they're going to need at least some of your info. You get through registration and you can't continue without setting up those "password self-reset questions" so many sites are infamous for. Genius questions whose answers no one could ever find out about you, like ... "Where did you go to high school?" or "What is your favorite color?" or "What is your favorite food?". Brilliant stuff like that. Sometimes they give you a choice of 5 different ones (all of which stink) and you have to pick 3. In this case I had to do exactly that, but the questions were infuriating. One of them asked for my mother's maiden name, another for my high school best friend, and another for the last 4 digits of my favorite credit card (seriously?!).

So I picked the ones that I knew were the least destructive (when spilled all over the Internets) and right before I clicked Next I thought of something. Why in the world am I giving them the real answers? I have a password manager which will remember these for me, and my password incidentally, so why not get creative?

So here's my advice to you - get creative!

Your favorite color? peanuts
Your first car? Orange
Your best friend in High School? Polar Bear

See, this way, when someone pillages the website's database of all that clear-text "security stuff", at least the data they steal won't be usable against you at some other website. Also, use per-website passwords. I have to be honest, at this point if you're not using a password manager with a built-in password generator for even the most basic websites, you deserve what's comin' to you.
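Here is the "get creative" advice above turned into a small script, added as an example for this post (it is not code from the original post and not from any particular password manager). It treats each security question as just another per-site secret: answers are random words drawn from a short constructed word list (a real tool would use a much larger list), passwords come from `secrets`, and a small check reports any answer or password that shows up under more than one site, which is exactly what a leaked clear-text answer table lets an attacker exploit. The site names and questions are made up for the example.

```python
import secrets
import string

# Constructed word list for the example. A real tool should use a large
# published list (for instance a diceware list) so answers are hard to guess.
WORDLIST = [
    "polar", "bear", "peanuts", "orange", "lantern", "river", "copper",
    "velvet", "comet", "saddle", "harbor", "maple", "thistle", "granite",
    "pepper", "anchor", "meadow", "falcon", "cobalt", "walnut", "ember",
    "glacier", "monsoon", "quartz", "tundra", "violet", "willow", "zephyr",
    "bison", "cactus", "dune", "fjord",
]


def random_answer(words=2, wordlist=WORDLIST):
    """Return an answer like 'Polar Bear' that has no relation to the question.

    Each word is chosen with secrets.choice so the answer is unpredictable,
    and the capitalised, space-separated form is easy to read back from a
    password manager when a site asks for it over the phone.
    """
    return " ".join(secrets.choice(wordlist).capitalize() for _ in range(words))


def random_password(length=20):
    """Return a random password containing all four character classes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def make_vault_entry(site, questions):
    """Build one password-manager record: a fresh password plus a fresh,
    unrelated answer for every security question the site insists on."""
    return {
        "site": site,
        "password": random_password(),
        "answers": {question: random_answer() for question in questions},
    }


def reuse_across_sites(vault):
    """Return {secret: {sites}} for every password or answer used on more
    than one site. An empty dict means a breach of one site leaks nothing
    that can be replayed against another."""
    seen = {}
    for entry in vault:
        for secret in [entry["password"], *entry["answers"].values()]:
            seen.setdefault(secret, set()).add(entry["site"])
    return {s: sites for s, sites in seen.items() if len(sites) > 1}


# Constructed "honest answers" vault: the same real facts entered everywhere.
HONEST_VAULT = [
    {"site": "shop.example", "password": "Hunter2!",
     "answers": {"Mother's maiden name?": "Smith", "First car?": "Civic"}},
    {"site": "bank.example", "password": "Hunter2!",
     "answers": {"Mother's maiden name?": "Smith", "Favorite color?": "Blue"}},
]


if __name__ == "__main__":
    questions = ["Mother's maiden name?", "First car?", "Favorite color?"]
    vault = [make_vault_entry("shop.example", questions),
             make_vault_entry("bank.example", questions)]
    for entry in vault:
        print(entry["site"], entry["password"], entry["answers"])
    print("reused secrets (random vault):", reuse_across_sites(vault))
    print("reused secrets (honest vault):", reuse_across_sites(HONEST_VAULT))
```

Run it and the honest vault reports both the shared password and the shared maiden name as reusable across sites, while the generated vault reports nothing. The only thing that matters about the answers is that they are unique and unguessable; their relation to the question is irrelevant, which is why "peanuts" is a perfectly good favorite color.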

Good luck!

1 comment:

Friends of the Polar Bear said...

HEY! Polar Bear was MY best friend in HS too!
GREAT post! You've probably mentioned this in a previous post, but I'm curious about which password managers you recommend...