There’s another problem with passwords which deserves its own post: what do you do when you forget one? It’s bound to happen, right? With so many passwords floating around in our heads, we inevitably forget one entirely or forget which password goes with which account.
Sites can’t just tell you to get lost when you can’t remember, so they need a Plan B to authenticate that it’s really you, and not some attacker. Now, if you have an existing relationship with the entity you’re trying to reset your password, it makes it much easier. If I forget my login password at work, I walk down to IT and either talk to someone in there that knows me, or show somebody my ID card. They reset my password, and I’m off to the races.
But most sites on the internet don’t know me and haven’t issued me any kind of physical token I can use to prove that I’m me. So, they punt. They fall back on one of two methods: security questions, which are the slow-pitch softballs of the security world, or they simply pass the buck to somebody else to authenticate you, namely, your email provider.
Security questions are basically another form of password; information which is nominally secret, but much easier for you to remember. The age-old bank security question of your mother’s maiden name, or the name of your first pet, or your elementary school. Because these are usually questions about your past, they’re easy to remember, but also very easy for an attacker to guess or find out the answers. The well publicised break-in on VP candidate Sarah Palin’s Yahoo Email account provides a good example of why security questions aren’t really secure at all, if the alleged first person account of the break-in is to be believed:
The intrusion, according to this account, was carried out via Yahoo’s password reset feature. Though the original post has been deleted, it was copied and reposted to several other blogs.
In the post’s telling, the exploit took no more than 45 minutes and simply required searching the Internet for basic personal information, such as Palin’s zip code, birth date, and where she had met her husband.
Of course, being a VP candidate is sure to have made it easier to find the biographical information required for this attack, but the point is that the answers to security questions aren’t usually well kept secrets, and enough digging by a determined attacker can punch right through them.
Many sites forgo questions and use the strength of your email authentication. They send you an email with a temporary password, or a code to enter to be able to create a new password. This means that your email account should be the most sacred of all your passwords—strong, unique, and changed often—because if it is compromised an attacker will have “the keys to the kingdom” of many of your other accounts. Of course, this style of authentication doesn’t help email providers like Yahoo!, Gmail, or MSN/Hotmail.
And, in this respect, Information Cards are no better. They can be lost in a computer crash, accidentally deleted, or not transferred to a new computer. This means that sites that use them still need to punt on security in exactly the same way. There are such things a “managed information cards,” which are issued and secured by a trusted third party. If the user has an existing relationship with the third party (their employer, for example), they can be reissued access in a more secure way. But this is really no different than resetting a site password via your work email account (on which you can gain access securely). In both cases you and the site agree that if you lose your credentials, then you both should trust your employer to securely deliver you new ones.