How not to manage lost passwords

Example of the wrong response from a help desk

Dear Bob,

I am writing to you formally in your capacity as CEO of Metaphoronic Corporation, makers of the bioport that I had installed in my lower spinal column last year for direct neural connectivity to my Windows 2010 operating environment. It's been great, by the way: I love the way I can simply think what I want to make the system perform properly. The only problem I've had is what happens when I daydream, but let's not go there.

Today I could not sign into the Web page for the SpinalTap application that adjusts the interface, and I could find no instructions for having the password e-mailed to my account, or for resetting it to a temporary password sent by e-mail, so I called your help desk to find out what to do.

The very nice agent cheerfully demonstrated that your help desk has no clue how to deal with lost passwords for SpinalTap. She:


1) Asked me for my user ID: unacceptable, because it started a password-reset process over the telephone, where the caller's identity cannot be established;

2) Asked me one of my verification questions (“What was the last name of the girl who arranged for me to step on her foot on a ski trip in 1963?”): UNACCEPTABLE, because to check my spoken answer the agent must have the stored answer in front of her, which means the answers are not stored as one-way hashes;

3) Read me my old password: UNACCEPTABLE, because it means the password file is not one-way hashed either, and nobody but its owner should ever be able to see a password!

Normally, passwords and other authentication data are stored only as one-way hashes (what is loosely called “one-way encryption”): the response to a question is hashed and the resulting digest is compared with the stored digest of the correct answer, and it is infeasible in practice (prohibitively expensive and slow) to recover the original cleartext from the stored digest. Each value should carry its own random salt and go through a deliberately slow hash function, so that a stolen table cannot simply be run through a dictionary of common answers; even so, answers to verification questions have little entropy and remain guessable, so hashing them protects against a curious employee reading them, not against a determined guesser. (See my lecture on cryptography fundamentals if you like.)

Access to the authentication questions, to their answers and to the passwords means that the help desk agent(s) can impersonate any customer at any time by logging into SpinalTap with the purloined credentials. The damage to your company's reputation if one of your employees were to sabotage a customer’s settings and cause serious harm – a psychotic breakdown, for example, due to the impression that two-headed lizards were chewing on his left hallux – could be disastrous.
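The letter describes what the help desk should have been unable to do (read an answer or a password) and what it should have done instead (send a temporary credential by e-mail). The following example is added here to illustrate that; it is not code from the original article or from any real SpinalTap product. It assumes a constructed in-memory account table, PBKDF2 as the slow salted hash, and a hypothetical reset flow in which a single-use token with a 15-minute lifetime is issued for delivery to the e-mail address on file. The agent-facing view exposes only opaque digests, so an agent can verify an answer but cannot read it or recite a password.

```python
# Added example (not from the original article): one-way hashed passwords and
# verification answers, plus a lost-password reset that never exposes either.
# The account store, users, questions and answers below are constructed for illustration.
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

PBKDF2_ITERATIONS = 100_000      # slow on purpose; tune toward ~100 ms per check in production
RESET_TOKEN_LIFETIME = 15 * 60   # seconds a reset token stays valid (assumed policy)


def normalize_answer(answer: str) -> str:
    """Humans type verification answers inconsistently: fold case and whitespace."""
    return " ".join(answer.split()).casefold()


def hash_secret(secret: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). Only these are stored; the secret itself never is."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_secret(secret: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_secret(secret, salt)
    return hmac.compare_digest(digest, stored_digest)


class AccountStore:
    """Constructed in-memory stand-in for the application's user database."""

    def __init__(self):
        self.accounts = {}
        self.pending_resets = {}   # sha256(token) -> (user_id, expiry time)

    def enroll(self, user_id: str, password: str, question: str, answer: str) -> None:
        self.accounts[user_id] = {
            "password": hash_secret(password),
            "question": question,                            # the question text is not secret
            "answer": hash_secret(normalize_answer(answer)),
        }

    def check_password(self, user_id: str, password: str) -> bool:
        acct = self.accounts.get(user_id)
        return acct is not None and verify_secret(password, *acct["password"])

    def check_answer(self, user_id: str, answer: str) -> bool:
        acct = self.accounts.get(user_id)
        return acct is not None and verify_secret(normalize_answer(answer), *acct["answer"])

    def begin_reset(self, user_id: str, now: Optional[float] = None) -> Optional[str]:
        """Issue a reset token for delivery to the e-mail address on file.

        The old password is never shown (it cannot be recovered from its digest anyway),
        and the token itself is stored only as a hash, so a copy of this table yields nothing usable.
        """
        if user_id not in self.accounts:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode("utf-8")).digest()
        self.pending_resets[key] = (user_id, now + RESET_TOKEN_LIFETIME)
        return token

    def complete_reset(self, token: str, new_password: str, now: Optional[float] = None) -> bool:
        """Consume a token exactly once; unknown or expired tokens are rejected."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode("utf-8")).digest()
        entry = self.pending_resets.pop(key, None)   # pop makes the token single-use
        if entry is None:
            return False
        user_id, expiry = entry
        if now > expiry:
            return False
        self.accounts[user_id]["password"] = hash_secret(new_password)
        return True

    def agent_view(self, user_id: str) -> dict:
        """Everything a help desk screen could show: the question and opaque digests only."""
        acct = self.accounts[user_id]
        return {
            "question": acct["question"],
            "answer_digest": acct["answer"][1].hex(),
            "password_digest": acct["password"][1].hex(),
        }


if __name__ == "__main__":
    store = AccountStore()
    store.enroll("bob", "correct horse battery", "Last name of the girl on the 1963 ski trip?", "Smith")
    print(store.check_answer("bob", "  SMITH "))     # the digest matches, yet the answer stays unreadable
    print(store.agent_view("bob"))                  # no cleartext answer or password anywhere
    token = store.begin_reset("bob")                # would be e-mailed, never read out over the phone
    print(store.complete_reset(token, "new password"), store.check_password("bob", "new password"))
```

The point the constant-time comparison and the hashed token make is the same as the letter's: the system can confirm what a caller knows without any employee ever possessing it. Whatever the help desk can read on its screen, an attacker who steals that screen's data, or an insider, can use; keeping digests rather than secrets limits both.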
