Password Reset Mechanisms: The Online Security Threat Nobody’s Talking About

By Daniel Miessler on August 25th, 2009: Tagged as Information Security | OpenID | Technology

securitylock

Humans are notoriously poor at weighing risk. We use emotion, rather than reason, to judge what’s truly dangerous, which is why most Americans being afraid of handguns in the home more than swimming pools when it comes to child safety.

And it’s the same with online security. People worry about scary hackers penetrating through firewalls and stealing passwords for websites they use, but the reality–just like with swimming pools–is usually much more mundane (and dangerous).

The Real Threat

Most people–and I dare say even most security professionals–don’t realize that the greatest vulnerability to online account security doesn’t come from having multiple passwords spread out over many sites, or even from proposed identity consolidation systems like OpenID. It actually comes from the mother of all single points of failure–the email-based password reset mechanism.

Systems like OpenID are potential points of failure, for some subset of online users, at some point in the future. Email, on the other hand, is a single point of failure for almost everyone–right now.

Think about it: when you forget your password, how do you reset it for the majority of the sites you use? Right, email. That means that the way into virtually all those different websites is through your email account. In other words, the single most important password you have is the password to your email account.

The Mother of All Backdoors

Unfortunately, gaping holes exist in our current online password security systems–including those on email accounts. The hole comes in the form of question-answer reset systems, whereby you are asked some questions like, “What’s the name of your favorite pet?”, or “What was the name of your first High School?” in order to reset your password. These systems constitute a major weakness in online security for the simple reason that guessing these answers is often much easier than guessing your actual password.

So the bottom line is that if someone can backdoor your email account through a weak reset mechanism, they will then own your single point of failure for all your other online accounts. This is the swimming pool of online attacks because it yields way more passwords per year than super-hackers, but it gets far less attention.

So What Can We Do?

keylock

Here are the things you can do immediately to improve your online security posture:

  1. Go, right now, and change your email password. Make it as complex as possible and don’t use a scheme or pattern that you’ve used in the past. Make it around 8 characters (you get diminishing returns beyond that) and make sure to use upper-case, lower-case, numbers, and at least one special character.

  2. Modify your password reset questions and answers for your email account (if you have them). If you have the option, create your own questions, and use answers that only you would know. Don’t be like Sarah Palin (solid advice on a number of levels) and use something that can be looked up (she got her email hacked by using her High School name). If you’re forced to use canned questions, be tricky: consider answering “Friday” for favorite food, or “7129″ for your favorite pet’s name.

  3. Sign up for an OpenID account. I suggest PIP from VerisignLabs because they offer a number of two-factor options (I use their soft token). Make this password a good one, and don’t base it off of any patterns you’ve used in the past. Pay special attention to your reset mechanisms (see numbers 1 and 2), and enable the two-factor option if at all possible. Enable the requirement on your OpenID account (PIP) to require that you be signed in before the incoming authentication request be granted.

  4. For your sensitive accounts (I’d say this includes social networking sites in most cases) use your OpenID account wherever you can. And where you do, be sure to change your local, website-based password (which you’ll be mapping your OpenID to) to something complex. Consider using a password-generator tool for generating and managing those passwords–something like 1Password or Password Safe. You hopefully won’t have to use them much, as you’ll be using your OpenID in most cases.

These four things should enhance your online security significantly, and doing just the first two will get you a solid measure of the benefits. In an upcoming article I’ll be looking at some of the password reset mechanisms used by major services, and evaluating the strength of each. ::

Links

[ OpenID | openid.net ]

  • Digg
  • Reddit
  • HackerNews
  • StumbleUpon
  • DZone
  • Google Bookmarks
  • Twitter
  • Facebook
  • del.icio.us
  • FriendFeed
  • Posterous
  • RSS
  • email
  

Comments

  • Maxo
    I've been using password safe at work and MyPasswordSafe at home (for Linux.) I even got my coworkers to store our group passwords (like database stuff) in a PasswordSafe file, where they where looking to store them in a text file.
  • Yeah, it's a pretty strong offering. Beats the hell out of the "secret" text file shared by dozens of people.
blog comments powered by Disqus

Twitter Microblog

twitter_icon      facebook_icon

Sample Original Content


Information Security

Tutorials and Primers

Culture & Society

Technology & Science

Politics

Philosophy & Religion

Miscellaneous

Tools & Projects


Blog Archives