[thelist] hashing stored passwords (revisited)

Gary McPherson genyus at ingenyus.net
Thu Jun 26 07:07:30 CDT 2003


> It really depends on what you're trying to protect. If I have 
> access to the user's mailbox, but not the password in 
> question, then I could initiate a password reset, and get 
> access to the new, random, password. I wouldn't be able to do 
> that with a "challenge question: secret answer" type system.
> 
> I'm pretty sure I've written this before: Authentication 
> depends on something the user has (eg smartcard) or something 
> user knows (eg password) or a combination of both (eg ATM 
> card + PIN). If you rely on "something the user knows" and 
> they forget it, then setting things up again is a problem.
> 
> You need some alternate way of authenticating the user. You 
> might rely on the fact that only the user should have access 
> to their mailbox. Or you might force them to come up to the 
> IT Helpdesk and have a support person reset their password.
> 
> Secrets and Lies: Digital Security in a Networked World, by 
> Bruce Schneier is worth reading (4 1/2 stars at amazon.com)

Good point, Ken. So, how about presenting the challenge question when
the user returns and is forced to enter a new password for themselves?
Obviously, the secret answer would be encrypted also and one assumes
that if they forget that too, then that account will become inaccessible
without further communication with the site administration. Is it
acceptable to provide a fixed security question (e.g. "mother's maiden
name") or is it more sensible to allow from a range of options as some
sites do nowadays? This is a community-type site, so there is no
sensitive information available beyond contact details and access to the
member's personal page, so I don't want to make the security process too
overbearing.

Gary
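As an added illustration of the reset flow Gary sketches (this is example code written for this page, not something posted in the thread), the following stores both the password and the challenge answer as salted, iterated hashes, shows the user their own question, and lets a returning user who answers correctly set a new password themselves. The question text is stored in the clear because it has to be displayed; only the answer is hashed. Two details are assumptions, not anything from the post: answers are normalised (case-folded, whitespace collapsed) before hashing so "Rover" and " rover " match, and because answers like a maiden name are far lower entropy than a password, the number of wrong answers is capped before the account is locked and needs the site administration, which is the fallback Gary describes. The `Account`, `hash_secret`, `verify_secret` and `reset_password` names are invented for the example.

```python
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Assumed policy: security answers are guessable, so cap attempts before lockout.
MAX_ANSWER_ATTEMPTS = 3
PBKDF2_ITERATIONS = 100_000


def normalize_answer(answer: str) -> str:
    """Canonicalise a free-text answer so harmless variations still match.
    Unicode-normalise, case-fold, and collapse internal/edge whitespace."""
    answer = unicodedata.normalize("NFKC", answer)
    return " ".join(answer.casefold().split())


def hash_secret(secret: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing salted PBKDF2-HMAC-SHA256 record:
    pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>.  Used for both the
    password and the challenge answer; a fresh random salt each time."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in
    constant time.  Unknown record formats verify as False."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


@dataclass
class Account:
    username: str
    password_hash: str
    question: str        # shown to the user at reset time, so stored in the clear
    answer_hash: str     # never stored in the clear, same treatment as the password
    failed_answers: int = 0


def create_account(username: str, password: str, question: str, answer: str) -> Account:
    """Register a user with a password and a user-chosen challenge question."""
    return Account(username, hash_secret(password), question,
                   hash_secret(normalize_answer(answer)))


def reset_password(acct: Account, answer: str, new_password: str) -> bool:
    """Challenge-question reset: the returning user answers their own question
    and, on a match, picks a new password.  Returns True on success.  After
    MAX_ANSWER_ATTEMPTS wrong answers the account is locked until an
    administrator intervenes, so even a later correct answer is refused."""
    if acct.failed_answers >= MAX_ANSWER_ATTEMPTS:
        return False
    if not verify_secret(normalize_answer(answer), acct.answer_hash):
        acct.failed_answers += 1
        return False
    acct.failed_answers = 0
    acct.password_hash = hash_secret(new_password)
    return True


if __name__ == "__main__":
    # Constructed sample data, not real account records.
    acct = create_account("gary", "correct horse", "What was your first pet's name?", "Rover")
    print(acct.question)
    print("wrong answer accepted:", reset_password(acct, "Fido", "new-pw"))
    print("right answer accepted:", reset_password(acct, "  ROVER ", "new-pw"))
    print("new password works:", verify_secret("new-pw", acct.password_hash))
```

Note that an attacker who can read the database gets the question text and the answer hash, so the attempt cap only helps against online guessing; the iterated hash is what slows an offline attack on a short answer, and allowing users to choose their own question (rather than a fixed "mother's maiden name") mainly removes the answers an attacker could look up rather than guess.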



