The Problem with Every Implementation of a "Forgot Your Password?" Feature (25hoursaday.com)
39 points by Anon84 on Sept 19, 2008 | 14 comments


Bruce Schneier came up with a solution for the weak link of security questions. Read it and update your answers for your web accounts.

http://www.schneier.com/blog/archives/2005/02/the_curse_of_t...


But his "solution" is to stop using security questions and passwords. That doesn't sound like much of a solution to me.


Bruce mentions: "Passwords have reached the end of their useful life. Today, they only work for low-security applications. The secret question is just one manifestation of that fact."

I guess he means we all ought to be using encrypted key pairs and the like instead, or some other system not involving anything as guessable as a text word.


This has always been pretty evident to me ever since I opened a Hotmail account 10 years ago. I always pick either questions only I really know the answer to or choose answers that are slightly misleading.

The only downfall is that sometimes I forget the answers, but I eventually get them right. :)


I pick an arbitrary question, and treat the answer like a second password.

eg: what is your pet's name? qw9er8rty


I read a tip, I don't remember where anymore sadly, about taking a key word from the question, adding some password-like string to it and calling that your answer.

So: "What is your pet's name?" n0tm4hp4s5w3rd-pets-name and: "What street did you grow up on?" n0tm4hp4s5w3rd-street

You still have to remember an arbitrary string, it is SLIGHTLY more accessible than mashing randomly, and certainly more secure than putting the real answer.
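As an added illustration of the tip above (this is not code from the original thread), the following generalises the "keyword from the question plus a secret string" scheme. Pasting the same secret string into every answer means that one answer read by a site operator or leaked in a breach reveals the secret for every other site; here the answer is the question keyword followed by an HMAC of that keyword under the secret, so the secret is still the only thing to remember, each question gets its own unguessable answer, and no answer reveals the secret or the others. The stop-word list and the demo secret are assumptions made for the example.

```python
import hashlib
import hmac
import re

# Assumption: these function words carry no information about which question
# is being asked, so they are dropped when building the keyword.
STOPWORDS = {"what", "is", "was", "your", "the", "did", "you", "on", "in",
             "of", "a", "which", "first"}


def question_keyword(question: str) -> str:
    """Reduce a question to its distinguishing words, lower-cased and hyphenated.

    'What is your pet's name?' -> 'pets-name'
    """
    words = re.findall(r"[a-z']+", question.lower())
    words = [w.replace("'", "") for w in words]
    keep = [w for w in words if w and w not in STOPWORDS]
    return "-".join(keep or words)


def derive_answer(secret: str, question: str, tag_len: int = 12) -> str:
    """Answer = keyword + '-' + truncated HMAC-SHA256(secret, keyword).

    The keyword keeps the answer recognisable when a site shows you which
    question it will ask; the HMAC tag is what makes it unguessable, and
    the secret itself never appears in any answer.
    """
    kw = question_keyword(question)
    tag = hmac.new(secret.encode("utf-8"), kw.encode("utf-8"),
                   hashlib.sha256).hexdigest()
    return f"{kw}-{tag[:tag_len]}"


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed demo secret
    for q in ("What is your pet's name?", "What street did you grow up on?"):
        print(f"{q!r}: {derive_answer(master, q)}")
```

Truncating the tag to 12 hex characters (48 bits) keeps the answer typeable while remaining far beyond anything a reset form would let an attacker guess online; lengthen it if the answer is ever used offline against a leaked hash.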


There's an easy solution: "Your password reset information has been sent to the e-mail account used to register the account. Follow the instructions in the e-mail to restore access."
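The "reset link sent to your registered e-mail" flow is only as safe as the token in that link. As an added example (not code from the original thread), here is the server-side bookkeeping a practitioner would want behind it: the emailed token is random and single-use, has a short lifetime, issuing a new one voids any earlier one for the same user, and only a hash of the token is stored, so reading the database or a log line does not yield a usable link. The 15-minute lifetime and the in-memory table are assumptions for the example.

```python
import hashlib
import secrets
import time

# Assumption: 15 minutes is a reasonable reset-link lifetime; tune per system.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """In-memory pending-reset table keyed by SHA-256(token)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._pending = {}         # token_hash -> (user_id, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a reset token for user_id, voiding any earlier one.

        The returned clear-text token goes into the e-mail link only; it is
        never written to the database or to logs.
        """
        self._pending = {h: v for h, v in self._pending.items()
                         if v[0] != user_id}
        token = secrets.token_urlsafe(32)    # 256 bits of entropy
        expires_at = self._now() + TOKEN_TTL_SECONDS
        self._pending[self._digest(token)] = (user_id, expires_at)
        return token

    def redeem(self, token: str):
        """Consume token; return the user id it belongs to, or None.

        Lookup is by digest, so a guessed token has to match a 256-bit hash;
        the entry is removed on first presentation whether or not it is
        still valid, which makes the token single-use.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id

    def purge_expired(self) -> int:
        """Drop stale entries that were never redeemed; returns the count."""
        now = self._now()
        stale = [h for h, (_, exp) in self._pending.items() if now > exp]
        for h in stale:
            del self._pending[h]
        return len(stale)


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("alice")       # would be emailed as a URL parameter
    print("redeem once:", store.redeem(link_token))
    print("redeem again:", store.redeem(link_token))
```

Two points this does not cover but a real deployment must: the reset endpoint should respond identically whether or not the e-mail address exists, and completing a reset should invalidate existing sessions for the account.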


What if that site is hosting your first and only email account?


At some point users are responsible for their password info. If it's their only e-mail account, hopefully they use it regularly enough that they don't forget.


And when you can't get to that account any longer ....


Password Reset is one of the best reasons to embrace OpenID. While there are many lesser reasons and even some against using it, the weakness of password resets (as demonstrated in the Palin email crack) screams for the adoption of some sort of decentralized, user-in-control authentication mechanism. When you only have one password and you use it everywhere, you have no reason whatsoever to lose it, and therefore no reason to need a silly password reset feature.


By the same token, if your password were to ever get in the wrong hands, you'd be pretty much fucked, no?

Keyloggers, seeing the password written down somewhere visible, or even having someone convince you to tell them the password (social hacking) are all very simple ways to get access to someone's account. These are all pretty stock-standard ways to get a standard web user's password.

It's kind of like moving all your money from different dodgy international banks to one bank, and then having that bank robbed.


This isn't exactly 'The problem' but it certainly is 'A major problem'. I was expecting 'The problem' to be password resets being sent to email accounts.

We're always going to have to compromise between security and convenience. Someone in the public eye should probably have been well over towards security already. It will be interesting over the next few years to see how big an effect this has on the average member of the public.


This is actually a really, really big problem if you talk to most internet users. Account recovery ranks as one of the bigger pain points, because most people aren't used to quickly switching between tabs, copying and pasting, etc.

I have a feeling that we've yet to see the best practices for account recovery emerge.

