I previously ranted about strange password restrictions that disallow the use of special characters such as spaces or alphanumerics. This time I want to complain about another boneheaded security feature out there – minimum length restrictions on the answer to your “secret” password recovery question. I was recently creating a Microsoft Live Passport account to register a copy of Visual Studio Express 2008. Yeah, laugh all you want, but PerfMonG is written in C# and it won’t maintain itself no matter how hard I try to ignore it. At some point during registration I saw this:
Don’t get me wrong. I’m all for keeping things more secure, but restricting the secret answer to strings of more than 5 characters is a bit silly. For starters, let’s consider pet names. I don’t know about you, but I find that most of them are relatively short. For example, I did a quick Google search for the most popular dog names and stumbled upon this ranking:

It turns out that half of the top 10 most popular dog names are shorter than 5 characters. If you look down that list, this trend continues. So roughly half the people won’t be able to use their pet’s name as their secret answer, or will have to figure out a way to make it longer (for example by adding their last name), which simply adds confusion. Same goes for the childhood friend option. You may remember that your best buddy from the playground was named Bob, but will you always remember that his last name was Szczebrzeszyński? Will you remember how to spell it? Hell, if on top of all this your place of birth is Ido, Japan, then you are totally fucked.
Now you are forced to make up answers – ones that you won’t remember 3 years from now when you need to recover your password, making them absolutely useless. This minimum length limit is silly, because these hints are not really designed to be secure. Anyone can find out the name of my first pet, or the birthplace of my mother. It’s really not a secret, and it can easily come up in a casual conversation. The whole point of them is to provide another layer of protection for your account, so that the attacker has to have both the secret answer and access to the email account you used to open the service. Brute forcing the secret answer should not be the concern here, because answers like these would be incredibly vulnerable to dictionary attacks anyway.
So why not let us use answers that are as short or as long as we like, or stop using them altogether? Otherwise it is just counterproductive, as people won’t be able to remember what they typed in to pad their answers to meet your arbitrary minimum length limit.
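As an added example (not code from the original post), the Python below makes the argument concrete from the defender’s side: a minimum length does nothing to the size of a dictionary of pet names (padding every name with a surname leaves the guess space identical), while normalising answers, hashing them like passwords and capping attempts does address the dictionary attack. The dog name list, the threshold of 5 and the attempt limit are constructed assumptions, not values from the post.

```python
import hashlib, hmac, math, os, re, unicodedata

# Constructed sample standing in for the "most popular dog names" ranking.
POPULAR_DOG_NAMES = ["Max", "Buddy", "Jake", "Rocky", "Bailey",
                     "Sam", "Lucy", "Molly", "Maggie", "Daisy"]

def normalize_answer(answer):
    """Canonicalise a recovery answer: strip accents, casefold, collapse
    punctuation and whitespace, so "Bob " and "bob" count as the same answer."""
    decomposed = unicodedata.normalize("NFKD", answer)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]+", " ", plain.casefold()).strip()

def too_short(answers, min_len=5):
    """Answers a site-imposed minimum length (assumed threshold) would reject."""
    return [a for a in answers if len(a) < min_len]

def guess_space_bits(answers):
    """Work an attacker faces when the answer comes from a known list:
    log2(distinct entries). Padding every entry does not change this number."""
    return math.log2(len({normalize_answer(a) for a in answers}))

class RecoveryAnswer:
    """Store the answer like a password (salted, slow hash) and cap guesses;
    that, not a length rule, is what blunts dictionary attacks on short answers."""

    def __init__(self, answer, max_attempts=5, iterations=100_000):
        self.salt = os.urandom(16)
        self.iterations = iterations
        self.max_attempts = max_attempts
        self.attempts_left = max_attempts
        self.digest = self._hash(answer)

    def _hash(self, answer):
        return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                                   self.salt, self.iterations)

    def verify(self, candidate):
        if self.attempts_left <= 0:      # locked: requires out-of-band recovery
            return False
        if hmac.compare_digest(self.digest, self._hash(candidate)):
            self.attempts_left = self.max_attempts
            return True
        self.attempts_left -= 1
        return False
```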
[tags]minimum length limit, secret answer, secret question, password recovery[/tags]
I was forced to change my password at work a week or so ago and ran into a bit of “fun.” It took me a LONG time to come up with something acceptable, because I kept triggering various problems. qpRY!@12 failed because “@” is not allowed. fiancmpa!1 did not work, because it contains my first name (even though it stood for “f***, I am not changing my password again”). QW1!qw1! failed because of repetition. tisfrIHTC$$5 failed for not meeting all of the rules in the first eight characters (letter, number, special character). Eventually I got one that passed and of course instantly forgot it. It’s a lot like meeting 50 people and being expected to remember their names; I came up with dozens and dozens of passwords and eventually they stopped being significant.
When I had to log in again several hours later, I couldn’t quite remember my password. I tried many variations on what I thought was my most recent theme but could not figure it out (so, how does forcing a user to reset his/her password every few months make the site more secure if you allow infinite tries to guess the password?). I opted to go with the forgotten password process. The link sent me to the exact same form (well, an uglier version), so I had to click another forgotten password link and then my security questions came up.
“What was your first elementary school?” or something like that was one of the few that showed. Great, was it “blahblah,” “blahblah elementary,” “blahblah elementary school,” or…? So I ended up learning that you can lock your account by guessing at these questions, but not the actual password…
I was curious to see how they would handle a password reset over the phone (can’t exactly just tell anyone what the new password is for an account, shouldn’t really use email to send it since that isn’t secure, and those poor souls who actually use the campus email system instead of forwarding it would not even be able to access their email anyway, etc.). The lady asked for my username and then unlocked the account. Then she let me know about this other “secret” method of logging in where you type a keyword instead of your username. That takes you to a screen where you enter the username and your PIN, which is used for another system. It was mildly funny, because the PIN is a restricted field of just a few numbers… and I have only had to change my PIN one time in the three years I’ve been there…
Funny, but my school works in a very similar way. We have this thing called NetID – which is a single login that works for all school services. You use it for the email, for Blackboard, for the online storage, student downloads – hell, you even use it to register your laptop on the wifi network.
How do you change your password? You type in your student ID # (which is printed on your student ID card) and your 6-digit numeric PIN. The PIN is by default set to your date of birth (mmddyy). Yay for security.
Also, some of the school services do not use SSL which means your password is sent in plain text part of the time. :P
Same here, Luke.
Login name is the user id. It is not printed on the id card, but is used as cn on the ldap server, and as uid for most listings (class list, grades, and so on). And the password by default is the date of birth, ddmmyyyy. Can we consider it more secure for using a four-digit year? :-)
I remember a few years ago having to do maintenance work in a couple of servers for a major phone company. Root password for both servers was “changeme”.
[quote post=”2548″]I remember a few years ago having to do maintenance work in a couple of servers for a major phone company. Root password for both servers was “changeme”. [/quote]
LOL! Well, at least it was not “password” I guess.