How safe is your password: Sarah?

People are very poorly educated regarding the use of computers and also of the internet, and their personal security. Ideally a password should be as random as possible, not a real word and use a mix of letters, case, numbers and special characters, and the longer the better. However that's often impossible to remember. Also people should be wary of photos and personal information they post on the web. Even on forums like this, you can build a profile pretty easily.
 
monkey, password, qwerty, abc123, password1...

The problem is that there are far too many things that now require a password. You can't use the same one, because an admin of one site now has your password for all your other stuff.

A problem indeed.
 
You need a system tbh. Something that gives you a different password for each system, but still easy to remember. The problem with that is if someone breaks your system they have the password to everything. The alternative is to use a password manager to generate passwords and remember them for you.
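The "system" idea in the post above, as an added example that is not part of the original thread: one master secret plus the site name is stretched through a slow key derivation function, so every site gets a different password while you only remember one thing. The function name and the sample site names are assumptions for illustration. The post's caveat still applies: whoever learns the master secret learns every derived password, which is why the master must itself be strong.

```python
import base64
import hashlib

# Iteration count for PBKDF2 (assumed value for this example). The stretching
# matters: if a single site leaks its derived password, guessing the master
# secret from it should be slow, not a fast hash per guess.
ITERATIONS = 100_000


def derive_site_password(master_secret: str, site: str, length: int = 20) -> str:
    """Derive a per-site password from one master secret and the site name.

    The site name (lower-cased so "Yahoo" and "yahoo" agree) is used as the
    salt, so each site yields a different, reproducible password.
    """
    salt = ("site:" + site.strip().lower()).encode("utf-8")
    raw = hashlib.pbkdf2_hmac("sha256", master_secret.encode("utf-8"), salt, ITERATIONS)
    # URL-safe base64 gives letters, digits, '-' and '_' without padding noise.
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    # Constructed demo values; not real credentials.
    master = "correct horse battery staple"
    for site in ("yahoo.com", "forum.example", "bank.example"):
        print(site, derive_site_password(master, site))
```

Each call is deterministic, so nothing needs to be stored; a password manager that generates random passwords and stores them encrypted avoids the single-master weakness at the cost of keeping a database.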
 
You're thinking too hard about it. It's only looking for a word. It doesn't know that "88Cl@rKent*^G88" wasn't actually your teacher's name. At the end of the day it's just a password. It doesn't matter what it is.
 
Perhaps I'm thinking about it too hard...

But the original article concerned the "forget your password feature" or "password recovery feature". So it doesn't matter how secure your password is if someone else can utilise the fyp feature and "recover" it.

Here is an excerpt from the hacker who used this to get into Sarah Palin's yahoo account.

The fundamental flaw of pretty much every password recovery feature I've found online is that what they consider "secret" information actually isn't thanks to social networking, blogs and even Wikipedia. Yahoo! Mail password recovery relies on asking you your date of birth, zip code and country of residence as a proof of identity. Considering that this is the kind of information that is on the average Facebook profile or MySpace page, it seems ludicrous that this is all that stops someone from stealing your identity online.
Even the sites that try to be secure by asking more personal questions such as "the name of your childhood pet" or "where you met your spouse" fail because people often write about their childhood pets and tell stories about how they met http://search.live.com/results.aspx?q=wedding+"how+we+met"&go=&form=QBRE on wedding sites all over the Web.
Web developers need to start considering whether it isn't time to put password recovery features based on asking personal questions to pasture. I wonder how many more high profile account hijackings it will take before this becomes as abhorred a practice as emailing users their forgotten passwords (you know why this is wrong right?)


btw does anyone know why the practice of emailing users their forgotten passwords is wrong/abhorred?


aj
 
Perhaps I'm thinking about it too hard...

But the original article concerned the "forget your password feature" or "password recovery feature". So it doesn't matter how secure your password is if someone else can utilise the fyp feature and "recover" it.

Here is an excerpt from the hacker who used this to get into Sarah Palin's yahoo account.

btw does anyone know why the practice of emailing users their forgotten passwords is wrong/abhorred?

aj
I think the point that aircorpa was making was that if Sarah Palin had said she'd gone to Bannana Sponge Hat 3456 High School and that she'd met her husband at 45$% Fght qwerty poiuyt Street it wouldn't matter what anyone read about her in Wikipedia or elsewhere, the passwords wouldn't be found there. When hotmail etc asks you your favourite colour and you answer Tuesday it isn't going to tell you that Tuesday isn't a colour - but you'll have to remember the answer you've given
 
Maybe I'm not explaining myself very well. If you make up the answers, with fake answers, no one can look them up because they aren't real.

date of birth, 29/02/2008 (that's not my dob)
zip code D.1 (not my zip code)
country of residence togo (I don't live in togo)
pet mickey mouse (I've never had a pet).

So just like the rules for a secure password, you can apply the same principle to these questions.

pet "88Cl@rKent*^G88"
teacher "88Cl@rKent*^G88"

To the computer it's just a piece of text or a number. It has no way of knowing if it's real or not.

I suppose the problem with emailing passwords is that email itself often isn't that secure. So if you crack someone's email you can often then use that to get the password for other things.

On the flip side, there are few alternatives that are as easy to administer. Usually security is a balance between what's secure and what's practical to use. If you have lots of users to support you can't be resetting passwords all day, or make a system so complex that no one can remember their password. They'll just write it down.
 
I think the point that aircorpa was making was that if Sarah Palin had said she'd gone to Bannana Sponge Hat 3456 High School and that she'd met her husband at 45$% Fght qwerty poiuyt Street it wouldn't matter what anyone read about her in Wikipedia or elsewhere, the passwords wouldn't be found there. When hotmail etc asks you your favourite colour and you answer Tuesday it isn't going to tell you that Tuesday isn't a colour - but you'll have to remember the answer you've given

I wish I'd said it that clearly. Thanks

It's like having a fake alter ego for web use.
 
Maybe I'm not explaining myself very well. If you make up the answers, with fake answers, no one can look them up because they aren't real.
Do you not have to remember the fake answers you gave? - if you can remember these, then surely you can remember your password. In other words, you are back to square one.
 
Do you not have to remember the fake answers you gave? - if you can remember these, then surely you can remember your password. In other words, you are back to square one.

Well yes. But you have to enter this information to register, so you can't avoid it. Usually you reset your password when you get to these screens. While your alter ego detail may be the same, you should have different passwords for different sites and these often expire and require changing on a regular basis.

Using fake info would have limited the damage caused in the Sarah Palin example.
 
But if you use fake information then should you want to use the recover password option it is unlikely that you would remember your fake answers.

Some sites allow you to set your own security question. This form of password recovery is a little more robust than the Palin example.
 
does anyone know why the practice of emailing users their forgotten passwords is wrong/abhorred?

Websites shouldn't store your actual password; instead they perform a mathematical function that is easy to do but almost impossible to reverse. For example, you create an AAM account with a password: password. The server converts it into a1f9ccd4....ff23 and stores that. Every time you log in, it converts the password you give it and compares it to the stored one. If someone hacks the server, they can't get any passwords because they're not stored.

Because they don't know your password, they can't mail it to you so they generate a new one and mail that to you.

Does that make sense?
 
But if you use fake information then should you want to use the recover password option it is unlikely that you would remember your fake answers.

Well, it's debatable. I might have one set of fake information I use but about 20+ or more passwords from different sites to remember. At work the password changes every month, so over 4 years I've had 48 passwords just to logon to my PC. Usually you can't use the same password twice.

One place I worked used to test the password over 24hrs and if it wasn't strong enough and it could crack it, the system made you pick another one. Password has to be longer than 8 characters, mix of letters, different case, numbers, special characters, and not a word in the dictionary.

Some sites allow you to set your own security question. This form of password recovery is a little more robust than the Palin example.

There's a lot of variation between sites. That's for sure.

But effectively if you don't use expected words, for example favorite colour = seven then you're effectively setting your own question anyway.

People need to take security seriously.
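The workplace rules quoted in the post above (longer than 8 characters, mixed case, numbers, special characters, not a dictionary word), as an added example that is not part of the original thread. The wordlist is constructed from the common passwords named earlier in the thread and stands in for a real dictionary; the function names are assumptions. This is a rule check, not the 24-hour cracking run the post describes: it catches the obvious cases cheaply, and the post's point about picking a rule set people can actually remember still stands.

```python
import re
import string

# Constructed wordlist: the common passwords listed earlier in the thread.
# A real deployment would load a dictionary and a breached-password list.
COMMON_PASSWORDS = {"monkey", "password", "qwerty", "abc123", "password1"}


def password_problems(password: str, wordlist: set[str] = COMMON_PASSWORDS) -> list[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    problems: list[str] = []
    if len(password) <= 8:
        problems.append("too short: must be longer than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Dictionary rule: compare the whole password and also its letter core, so
    # "Password1!" is still recognised as "password" dressed up with suffixes.
    lowered = password.lower()
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in wordlist or (core and core in wordlist):
        problems.append("based on a common word")
    return problems


def is_acceptable(password: str) -> bool:
    return not password_problems(password)


if __name__ == "__main__":
    # Constructed samples, including the one quoted earlier in the thread.
    for candidate in ("monkey", "Password1!", "88Cl@rKent*^G88"):
        print(repr(candidate), password_problems(candidate) or "ok")
```

The letter-core check is deliberately strict: it rejects "Password1!" even though it satisfies every character-class rule, which is the failure mode character-class rules alone cannot see.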
 