total.pardo

…the synergy of all things civilized

yeah, a fundamental flaw


fta@

http://tiny.cc/4AiV1

The fundamental flaw of pretty much every password recovery feature I’ve found online is that what they consider “secret” information actually isn’t thanks to social networking, blogs and even Wikipedia. Yahoo! Mail password recovery relies on asking you your date of birth, zip code and country of residence as a proof of identity. Considering that this is the kind of information that is on the average Facebook profile or MySpace page, it seems ludicrous that this is all that stops someone from stealing your identity online.

the author posits:

Web developers need to start considering whether it isn’t time to put password recovery features based on asking personal questions to pasture.

while i agree with this level of genius in principle, wouldn’t it be simpler if people were more socially aware while online?  any self respecting system/network admin knows the crumbs of information left online are completely and fully available to everyone, and anyone with enough understanding and time to spend finding and fitting them together will have some measure of success cracking human friendly recovery systems to retrieve passwords.

i love the credit card companies with their “mother’s maiden name” for an account password.  that’s rich.  as if i would ever give the real name as the code word.  i have a word assigned that no one can guess via social engineering.  “favorite pet” is another nugget of ridiculousness that is easy to avoid.  yes, people blog about pets, yes it is “easy” to figure out.  but you don’t have to use the exact word/name for the answer.  you could make up a name for use in that field – the name foils any attempt to guess it.

non obvious relationship awareness (NORA) is the key to the hacker’s success – be it through algorithms that sift through electronic data or information developed through social engineering.

the key to thwarting NORA and social engineering is to go off the grid with your password choices.  randomness.  complete nonsense. nothing that can be derived from my past, present – nothing that can be guessed – including my past use of a random repeating pattern of nonsense.
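the “random nonsense” answer strategy above, worked through as a small script.  this is an added example, not code from the post: it draws answers for each recovery question from a CSPRNG, and puts a number on why a made-up answer beats the real one by comparing the guessing entropy of a real answer (a surname or pet name drawn from a small, socially discoverable set) against a random multi-word answer.  the question list, word list and the size of the “real answer” pools are constructed assumptions; a real deployment would use a large published word list (the EFF long list has 7776 words) and keep the generated answers in a password manager.

```python
"""Added example (not part of pardo's post): random, unguessable answers for
security-question fields, plus an entropy comparison against real answers."""
import math
import secrets

# Constructed 32-word list (5 bits per word). A real list should be far
# larger, e.g. the 7776-word EFF long word list (about 12.9 bits per word).
WORDS = [
    "anvil", "badger", "cactus", "dune", "ember", "fjord", "gravel", "hatch",
    "igloo", "jetty", "kettle", "lumen", "mango", "nectar", "oriole", "pylon",
    "quartz", "ripple", "saddle", "tundra", "umber", "vortex", "walnut", "xenon",
    "yarrow", "zephyr", "bramble", "cinder", "dapple", "fennel", "garnet", "hollow",
]

# Constructed estimates of how many guesses a real answer costs an attacker who
# has read your profile: a "pool" of plausible values, treated as uniform.
REAL_ANSWER_POOLS = {
    "mother's maiden name": 1000,   # assumption: common-surname list
    "favorite pet's name": 200,     # assumption: common pet-name list
    "city of birth": 500,           # assumption: plausible cities
}


def random_answer(n_words: int = 4, wordlist=WORDS) -> str:
    """Pick n_words uniformly with a CSPRNG (secrets, not random) and join them."""
    return "-".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(choices: int, n_picks: int = 1) -> float:
    """Entropy in bits of n_picks independent uniform picks from `choices` values."""
    return n_picks * math.log2(choices)


def generate_vault(questions, n_words: int = 4) -> dict:
    """Map each recovery question to a fresh random answer for a password manager."""
    return {q: random_answer(n_words) for q in questions}


def compare_guess_space(n_words: int = 4, wordlist=WORDS) -> dict:
    """Per question: bits an attacker must guess for the real answer vs. a random one."""
    random_bits = entropy_bits(len(wordlist), n_words)
    return {
        q: {"real_answer_bits": entropy_bits(pool), "random_answer_bits": random_bits}
        for q, pool in REAL_ANSWER_POOLS.items()
    }


if __name__ == "__main__":
    vault = generate_vault(REAL_ANSWER_POOLS.keys())
    for q, a in vault.items():
        print(f"{q}: {a}")
    for q, bits in compare_guess_space().items():
        print(f"{q}: real ~{bits['real_answer_bits']:.1f} bits, "
              f"random {bits['random_answer_bits']:.1f} bits")
```

with the 32-word list a four-word answer is 20 bits; with a 7776-word list it would be about 51.7 bits, against roughly 8 to 10 bits for the real answer an attacker can narrow down from a profile.  the answers only stay random if they are stored somewhere rather than remembered, which is why they belong in a password manager alongside the password itself.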

if you are able to guess my passwords, the shame is not on the developers.  the shame is on me.

Written by pardo

September 20th, 2008 at 4:46 pm

Posted in ideas, life.stream
