Because I'm all about the "good enough."

Wednesday, August 15, 2012

The OTHER problem with passwords.

There are some sites that I use very rarely, and I can never remember what I used for a password there.  But it doesn't matter, because honestly, the reset procedure is less onerous than trying a few passwords and risking getting locked out.  So I just don't bother: I put in a crazy strong password, forget about it, and when I come back to the site I just ask for a reset.  In many cases there aren't even security questions to answer; I just get a new password mailed to my address of record.  In the case of one site where they wanted me to change the password every 90 days, I did this dance every 90 days.

Yes, yes, I know, password manager.  But most of the public doesn't use one. And site designers know it.  Any site feature that makes it harder for a non-technical user to do a password reset causes that user to email or call the support desk, and every use of the support desk (as in actual humans) costs money.  So organizations are motivated to prioritize ease of use over security, if they feel their target audience won't be able to use more advanced features without support.  The end result is that the password reset process to an address of record is the easiest way to get into an account.

And of course attackers know this too: this is why many publicized breaches today started with the password reset.  If it's a simple enough process, getting into an account is no longer "something you know;" it's "something you have," as in control of the email address.  If you've broken into the address of record, you can collect password resets from as many sites as you can find without having to do any more homework. 

The next level up in attacking an account is to add a new email address of record that you control, which often requires social engineering of the support desk.  But support people are incentivized to help the helpless, which tends to make the process easier.  And as Mat Honan found out, the types of security verification data that support desks use can often be found out with a little Google action (and in his case, the clever use of an Apple process loophole).  This is why I've never liked the use of the last four SSN digits as an identifier; they're even more widely used than the whole SSN these days, and they're used for everything, including utility and phone service accounts. It's arguably less secure than a site-specific PIN.

Make no mistake: designing identity and access management while balancing cost and security is hard.  You can't control the biggest factor, which is the level of expertise for your users (particularly if they're all external to your organization).  With each of these breaches, we're learning more about what works and what doesn't in these designs.  But there's still a lot of risk out there.