[colug-432] Memorizing Unique Passwords

Chris Spackman chris at osugisakae.com
Sun Oct 4 10:02:30 EDT 2015


On 2015/09/21 at 01:06pm, Rick Hornsby wrote:
 
> Wired takes the argument to a different level, even if the general
> idea isn't new.  Basically, passwords need to go the way of Flash
> and die.  Instead of diving into the math of brute force attacks
> directly on the password itself, he spends most of the article
> exploring avenues around your password.

> http://www.wired.com/2012/11/ff-mat-honan-password-hacker/

The problem is that it often isn't the fault of the password - the
article actually makes that clear: the author had fairly strong
passwords and his accounts were taken over in other ways. It is a long
article, and I may have missed / forgotten something, but it doesn't
seem that his passwords were the problem.

Quote from article:

   My Apple, Twitter, and Gmail passwords were all robust—seven, 10,
   and 19 characters, respectively, all alphanumeric, some with
   symbols thrown in as well—but the three accounts were linked, so
   once the hackers had conned their way into one, they had them all.

1) The attacker conned his way into one account.

2) The accounts were linked, so access to one gave access to all three.

I don't see how an alternative login system (such as the Android
screen lock or selecting a number of pictures) would have prevented
the bad guy from getting access to the accounts when the bad guy is
getting access courtesy of customer service.

The real lesson of that article (to my mind) is:

1) don't link accounts

2) customer service needs to default to not allowing access. One
   correct guess after 20 tries across 4 different questions is not
   proof that the caller is the real owner of the account.

3) use 2-factor authentication

4) unrelated to article but still important: use a password manager

As Rick says, "[the author] spends most of the article exploring
avenues around your passwords." Any avenue around a password will
likely also be an avenue around most other log-in systems.

-- 
Chris Spackman

GNU Terry Pratchett
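As an added illustration (not part of the original thread or the article), the Python below models point 2 above: a recovery desk that accepts any single correct answer, beside one that fails closed after a few wrong answers and requires every question to be answered. The question names, thresholds and the call transcript are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Attempt:
    question: str   # which security question was asked
    correct: bool   # whether the caller's answer matched


# Constructed question set and call transcripts (not from the article).
QUESTIONS = ("mother_maiden_name", "first_pet", "street_grew_up", "favorite_teacher")

# A conned call: 20 tries across 4 questions, only the last one correct.
CONNED_CALL = [Attempt(q, False) for q in QUESTIONS for _ in range(5)]
CONNED_CALL[-1] = Attempt("favorite_teacher", True)

# The real owner: answers each question once, correctly.
OWNER_CALL = [Attempt(q, True) for q in QUESTIONS]


def lenient_policy(attempts):
    """Any single correct answer unlocks the account, however many tries it took."""
    return Decision.ALLOW if any(a.correct for a in attempts) else Decision.DENY


def strict_policy(attempts, required_questions=QUESTIONS, max_wrong=2):
    """Fail closed: too many wrong answers end the call as DENY, and every
    required question must be answered correctly before ALLOW is possible."""
    wrong = 0
    answered = set()
    for a in attempts:
        if a.correct:
            answered.add(a.question)
        else:
            wrong += 1
            if wrong > max_wrong:
                return Decision.DENY  # stop the guessing game early
    return Decision.ALLOW if answered >= set(required_questions) else Decision.DENY


if __name__ == "__main__":
    print("lenient, conned call:", lenient_policy(CONNED_CALL).value)   # allow
    print("strict, conned call: ", strict_policy(CONNED_CALL).value)    # deny
    print("strict, real owner:  ", strict_policy(OWNER_CALL).value)     # allow
```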