Macworld Forums: When password security questions aren't secure - Macworld Forums


When password security questions aren't secure

#1 Macworld

  • Story Poster
  • Group: MW Bot
  • Posts: 34,402
  • Joined: 30-November 07

Posted 29 November 2012 - 03:30 AM

Post your comments for When password security questions aren't secure here
0

#2 lkrndu

  • Member
  • PipPip
  • Group: Members
  • Posts: 70
  • Joined: 24-June 08

  Posted 29 November 2012 - 04:01 AM

These recent articles about account security and passwords have all been informative and thought-provoking.

So there is one thought that seems missing, although a version of this did appear in one or more of the same articles. That is, to store long, strong passwords in an encrypted file on an (encrypted) USB drive you carry with you . . . like one more house or vehicle key.

The password for THAT encrypted file might be written down and carried with the same care as house keys and credit cards, or might not.

The thought comes to mind, suppose that encryption key were something odd, brief, and readily memorable for you. Not un-hackable but enough to at least slow down a malefactor who found your lost USB key; you'd have time to change the passwords on your affected accounts. Might even keep a spare set of keys -- USB drives -- somewhere safe, too.

So there's an idea I haven't seen brought up as much as it might merit.

And one question, what's the take on keeping a copy of the password file, strongly encrypted, in cloud storage where you could retrieve it in case of need?
2

#3 spanky

  • Member
  • PipPip
  • Group: Members
  • Posts: 72
  • Joined: 04-December 09

  Posted 29 November 2012 - 06:10 AM

A program like 1password really makes answering these questions secure. You can have it generate passwords like n$F^O>=g|07-62q^#X as the answer to your mother's maiden name. When people put the real answers in, it detracts from the ability to keep information secure.
1

#4 TeaEarleGreyHot

  • Veteran
  • Group: Macworld Insiders
  • Posts: 1,425
  • Joined: 29-September 05

  Posted 29 November 2012 - 08:15 AM

Something I'd like to see addressed more thoroughly is the frequency with which some institutions require you to change your password. My bank used to require it quarterly, and I guess I wasn't the only customer who threatened to close their account because of that nonsense. My employer requires me to change the password every eight weeks--even more foolish--and won't let me use a password that has been used in the last 18 changes.
0

#5 bastion

  • Power User
  • PipPipPipPip
  • Group: Members
  • Posts: 9,272
  • Joined: 14-October 04

Posted 29 November 2012 - 08:54 AM

TeaEarleGreyHot, on 29 November 2012 - 08:15 AM, said:

Something I'd like to see addressed more thoroughly is the frequency with which some institutions require you to change your password. My bank used to require it quarterly, and I guess I wasn't the only customer who threatened to close their account because of that nonsense. My employer requires me to change the password every eight weeks--even more foolish--and won't let me use a password that has been used in the last 18 changes.


Security and convenience are almost necessarily at odds.
1

#6 macsrwe

  • Member
  • PipPip
  • Group: Members
  • Posts: 25
  • Joined: 01-May 08

  Posted 29 November 2012 - 09:56 AM

Quote

Security and convenience are almost necessarily at odds.


Any security that rejects the true owner more often than the potential burglar is over-engineered. The "lost password dance" is an inherently insecure interlude, and forcing a true owner to perform it several times a year not only reduces his account security, but helps mask attempts by potential burglars by allowing them to hide in the noise. I don't know anybody who changes their physical door locks even annually.
3

#7 PwdRsch

  • Newbie
  • Pip
  • Group: New Members
  • Posts: 3
  • Joined: 29-November 12

  Posted 29 November 2012 - 10:14 AM

Quote

My employer requires me to change the password every eight weeks--even more foolish--and won't let me use a password that has been used in the last 18 changes.


How often to change passwords is certainly debatable, but why are you complaining that you can't use one of your previous 18 passwords? Maybe you weren't happy about the forced password change, but surely you can see the danger in using a password over again?
0

#8 PwdRsch

  • Newbie
  • Pip
  • Group: New Members
  • Posts: 3
  • Joined: 29-November 12

  Posted 29 November 2012 - 10:30 AM

Quote

Security and convenience are almost necessarily at odds. Any security that rejects the true owner more often than the potential burglar is over-engineered.


As a general rule that sounds nice, but in practice it isn't true at all. A legitimate user might experience authentication problems (password typos) several times a week. We don't throw in the towel and say we're getting rid of passwords because an attacker can make educated guesses and impersonate that user with fewer failures.

Quote

The "lost password dance" is an inherently insecure interlude, and forcing a true owner to perform it several times a year not only reduces his account security, but helps mask attempts by potential burglars by allowing them to hide in the noise. I don't know anybody who changes their physical door locks even annually.


This analogy would make sense if everyone around the globe had access to your door and could attempt to pick the lock while drawing little attention to themselves.

How do you see user-triggered password recovery as an 'inherently insecure interlude'? If the password recovery function is insecure then that is true whether the user makes use of it or not. Most of the time an attacker will attack it directly rather than waiting for a user to forget their password.
1

#9 alanskyone

  • Member
  • PipPip
  • Group: Members
  • Posts: 51
  • Joined: 24-July 12

  Posted 29 November 2012 - 10:46 AM

Personally, I think that I am more likely to be hit by a falling asteroid than to have my personal accounts hacked. Why would anyone with the necessary skills bother to hack a single user account when they can hack databases containing login info for millions of accounts? It seems to me that the latter scenario is much more likely. If BofA's database is hacked and I have a BofA online account, my BofA login is compromised no matter what else I might have done to make it secure. If I have used the same password for other online accounts, then all of those accounts are also compromised.
2

#10 Deandre012

  • Newbie
  • Pip
  • Group: New Members
  • Posts: 2
  • Joined: 29-November 12

  Posted 29 November 2012 - 02:41 PM

I personally use SplashData's SplashID Safe to generate strong passwords. In this case, I don't need to devise any scheme to remember my passwords. The application's unlock password or pattern is the only thing to remember. Try it. Highly recommended.
0

#11 TeaEarleGreyHot

  • Veteran
  • Group: Macworld Insiders
  • Posts: 1,425
  • Joined: 29-September 05

Posted 29 November 2012 - 03:29 PM

Deandre012, on 29 November 2012 - 02:41 PM, said:

I personally use SplashData's SplashID Safe to generate strong passwords. In this case, I don't need to devise any scheme to remember my passwords. The application's unlock password or pattern is the only thing to remember. Try it. Highly recommended.

That's great if you're always using your own laptop for passwords. But I have to use multiple computers, multiple devices. I can't even update the OS X on my work Mac without having an AppleID, password, and my personal credit card registered! It seems to me that power is being taken out of the user's hands and being put back into the "IT Support" hands, very clearly. My employer might give a credit card number to the IT guy, but certainly not to the thousands of employees. Apple has made everything much more difficult in the past 2 years... for me at least.

But some of us travel, use public computers or friends' computers, or have multiple work locations. We can't keep all our passwords on one machine. It just doesn't work.

This post has been edited by TeaEarleGreyHot: 29 November 2012 - 03:30 PM

0

#12 GeorgeBridges

  • Member
  • PipPip
  • Group: Members
  • Posts: 358
  • Joined: 17-August 01

  Posted 29 November 2012 - 05:20 PM

The only problem with all this advice is that those of us who are getting older are having significant memory problems and we don't always have helpful friends or family members who can help. Sometimes simplicity is our only option.
0

#13 compudude

  • Newbie
  • Pip
  • Group: New Members
  • Posts: 3
  • Joined: 19-August 11

  Posted 29 November 2012 - 07:33 PM

Quote

Deandre012 said
I personally use SplashData's SplashID Safe to generate strong passwords. In this case, I don't need to devise any scheme to remember my passwords. The application's unlock password or pattern is the only thing to remember. Try it. Highly recommended. That's great if you're always using your own laptop for passwords. But I have to use multiple computers, multiple devices. I can't even update the OS X on my work Mac without having an AppleID, password, and my personal credit card registered! It seems to me that power is being taken out of the user's hands and being put back into the "IT Support" hands, very clearly. My employer might give a credit card number to the IT guy, but certainly not to the thousands of employees. Apple has made everything much more difficult in the past 2 years... for me at least. But some of us travel, use public computers or friend's computers or have multiple work locations. We can't keep all our passwords on one machine. It just doesn't work.

You don't need to, with a product like 1password. It has versions that run on Mac, Windows, iPhones, iPads, and Android... and it stores its super-encrypted password database on DropBox, so all of those devices are kept in sync. It's not the cheapest solution out there, but it's the most flexible and most powerful I've seen by far.
1

#14 jimcintosh

  • Newbie
  • Pip
  • Group: Members
  • Posts: 6
  • Joined: 12-February 08

  Posted 30 November 2012 - 06:08 AM

Rather than go through the bother of inventing a fake past history or saying that your mother's maiden name was E27jrdU!8, just use the real answer and append a digit or number to the end of it. If you append a "5" or "X" to every answer, you'll remember it and no hacker will guess it. Smithz is just as secure as the unmemorizable E27jrdU!8.
0
