Hugh McIntyre wrote:
> Personally I hate sites that do this. Is there any chance of a "reset
> password and email the new value to the email address on record" policy
> instead, as several other sites use?

I don't like it much myself, but mailing out passwords in cleartext is horrendously insecure. And in any case, we don't store the passwords in cleartext; they are hashed before they are stored. We can't mail them out even if we wanted to.

> In part, most of the questions below (and as used on other sites) are
> pretty clearly subject to dictionary attacks, which is not very secure.
> For example, for "make of first car", an attacker would presumably
> just need to try "Ford, Toyota, Honda, ...". Of the list below, only
> the "registration number of first car" really seems immune to
> dictionaries, and even it could be guessed in several cases by someone
> who knows the victim, especially if, as Shawn suggested, they still have
> the car.

That's why it's 'make and model', not just 'make'. These security questions are always a bit of a compromise between being reasonable for people to remember and strength. They aren't the *only* security measure on a password reset, and you are going to have to provide answers to at least two of them.

> If forced to choose, at least the "town/city name" questions allow
> someone to use a hard-to-guess local district name rather than "London".
> But equally, if your resume is posted somewhere online then it's easy
> for someone to guess where someone's first job is.

Again, I agree that each individual question isn't incredibly strong, but they aren't the only security measure that is used; there are several layers. To ask for a password reset you will have to answer a captcha, and your account will be set to a state where you can't log in any more. A time-limited reset token will be sent to your registered email address. When you click on the token you'll have to answer two security questions. If you get the questions wrong more than a given number of times the account will be permanently locked. If you answer the questions correctly you'll be allowed to set a new password.

> PS: I guess if you email the new password rather than displaying it on
> screen then you get better security. But in that case the question
> could reduce to "Do you want your password reset and then emailed?",
> answer = "Yes".

Actually, you get *worse* security if you email it. If you display stuff in a browser you can send it via HTTPS, and it has a limited lifespan. Nearly all mail is in plaintext, and tends to stay in an inbox for a significant amount of time. Yes, I know about PGP, but not that many people use it.

-- 
Alan Burlison
--

_______________________________________________
website-discuss mailing list
[email protected]
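The layered reset flow Alan describes (captcha, account frozen while a reset is pending, time-limited token sent by email, two hashed security questions, permanent lock after too many wrong answers, and passwords that are only ever stored hashed) written out as an added example. This is not the site's own code. It assumes an in-memory Account object in place of the user database, a CAPTCHA result supplied by the caller as a boolean, and "emailing the link" modelled as returning the token to the caller; the iteration count, token lifetime and lock threshold are illustrative constants.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # assumed; tune for your hardware
TOKEN_TTL_SECONDS = 30 * 60   # assumed lifetime of the emailed reset link
MAX_WRONG_ANSWERS = 3         # assumed threshold before the permanent lock
QUESTIONS_PER_RESET = 2       # the post says two questions must be answered


def _kdf(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2, used for passwords and security answers alike."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _normalise(answer: str) -> str:
    """Case- and whitespace-insensitive matching: 'Ford  Escort' == 'ford escort'."""
    return " ".join(answer.split()).lower()


def _token_digest(token: str) -> bytes:
    """Reset tokens are stored hashed so a database leak yields no usable links."""
    return hashlib.sha256(token.encode("utf-8")).digest()


class Account:
    def __init__(self, username: str, password: str, answers: dict):
        self.username = username
        self.pw_salt = os.urandom(16)
        self.pw_hash = _kdf(password, self.pw_salt)       # never the cleartext
        self.answers = {}                                  # question -> (salt, hash)
        for question, answer in answers.items():
            salt = os.urandom(16)
            self.answers[question] = (salt, _kdf(_normalise(answer), salt))
        self.state = "active"            # active | reset_pending | locked
        self.reset_token_digest = None
        self.reset_expires_at = 0.0
        self.reset_questions = ()
        self.reset_answered = False
        self.wrong_answers = 0


def login(acct: Account, password: str) -> bool:
    """Logins are refused while a reset is pending or the account is locked."""
    if acct.state != "active":
        return False
    return hmac.compare_digest(_kdf(password, acct.pw_salt), acct.pw_hash)


def request_reset(acct: Account, captcha_passed: bool, now: float = None) -> str:
    """Step 1: captcha, freeze the account, issue a time-limited token.
    Returns the raw token, i.e. what the site would put in the emailed link."""
    now = time.time() if now is None else now
    if acct.state == "locked":
        raise PermissionError("account is permanently locked")
    if not captcha_passed:
        raise PermissionError("captcha failed")
    token = secrets.token_urlsafe(32)
    acct.state = "reset_pending"
    acct.reset_token_digest = _token_digest(token)
    acct.reset_expires_at = now + TOKEN_TTL_SECONDS
    acct.reset_questions = tuple(
        secrets.SystemRandom().sample(sorted(acct.answers), QUESTIONS_PER_RESET))
    acct.reset_answered = False
    return token


def _token_valid(acct: Account, token: str, now: float) -> bool:
    if acct.state != "reset_pending" or acct.reset_token_digest is None:
        return False
    if now > acct.reset_expires_at:
        return False
    return hmac.compare_digest(_token_digest(token), acct.reset_token_digest)


def answer_questions(acct: Account, token: str, supplied: dict, now: float = None) -> bool:
    """Step 2: the link was clicked; both chosen questions must be right.
    Each wrong attempt counts, and reaching MAX_WRONG_ANSWERS locks the account for good."""
    now = time.time() if now is None else now
    if not _token_valid(acct, token, now):
        return False
    all_correct = True
    for question in acct.reset_questions:
        salt, expected = acct.answers[question]
        given = _kdf(_normalise(supplied.get(question, "")), salt)
        all_correct &= hmac.compare_digest(given, expected)  # check every answer
    if not all_correct:
        acct.wrong_answers += 1
        if acct.wrong_answers >= MAX_WRONG_ANSWERS:
            acct.state = "locked"
            acct.reset_token_digest = None
        return False
    acct.reset_answered = True
    return True


def set_new_password(acct: Account, token: str, new_password: str, now: float = None) -> bool:
    """Step 3: allowed only with a live token and correct answers; the token is then consumed."""
    now = time.time() if now is None else now
    if not (_token_valid(acct, token, now) and acct.reset_answered):
        return False
    acct.pw_salt = os.urandom(16)
    acct.pw_hash = _kdf(new_password, acct.pw_salt)
    acct.state = "active"
    acct.reset_token_digest = None
    acct.reset_answered = False
    acct.wrong_answers = 0
    return True
```

Two details worth noting: every answer is checked even after one has failed, so response time does not reveal which question was wrong, and the token is single-use because `set_new_password` clears its digest, so a reset link left sitting in an inbox cannot be replayed once it has been used or has expired.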
