Tuesday, February 12, 2008

I'll hack your pets instead of your passwords

Ok, I give up, people are starting to use stronger passwords. Maybe not all of the time, but it is getting tougher to guess a person's password in the first three tries. So perhaps the attackers should stop trying to break into people's accounts. Or maybe, they'll just stop trying to guess the user's passwords. Don't get excited yet, the attackers aren't done attacking, they're just refocusing the attack. What's the new target you ask? Password reset screens.

Say you forget your password and click on the friendly little 'forgot my password' link. You enter in your username and are presented with some questions to validate your identity. These questions include items like what city were you born in, what is your mother's maiden name or what is your pet's name. Hold on, my pet's name? How on earth is that secure?

How many people know the name of your pet? If you were talking about your pets with a coworker, would you stop and think 'oh I shouldn't mention their names, this guy might use that info to break into my account'? Of course not! Why then is this kind of information considered to be a valid form of identification?

Let's consider the best case: you live by yourself in the mountains with 20 cats and no one knows any of their names. The attacker realizes he can't get the cats' names from you, so he will just guess. He tries Tigger, Boots, Fluffy (top 20 pet names: http://www.bowwow.com.au/top20/index.asp). How many popular names are out there for cats, 20, 50, 100? Sure, 100 possibilities is more than a few, but that pales in comparison to a password. A 7 character password with numbers and letters has 78 billion possibilities (78,364,164,096 to be exact). I sure bet the attacker has a better chance at guessing your pet's name than guessing your password. True, there may be some other controls present, such as an email to the registered address for the account with a reset link, but realistically the solution is still misguided if it is using simple questions at all.
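To put numbers on the comparison above, here is an added example (not from the original post) that models an attacker with a fixed guess budget, say three tries before lockout, against a pet-name answer versus a 7 character alphanumeric password, and shows the defender-side check a reset form could apply. The name popularity shares are constructed, illustrative assumptions, not real statistics.

```python
# Constructed sample of popular pet names with an assumed share of all pets
# carrying that name. The shares are illustrative only, not measured data.
COMMON_PET_NAMES = [
    ("max", 0.05), ("bella", 0.045), ("buddy", 0.04), ("lucy", 0.035),
    ("charlie", 0.03), ("molly", 0.03), ("daisy", 0.025), ("tigger", 0.02),
    ("boots", 0.02), ("fluffy", 0.02),
]

# 7 characters drawn from 26 letters + 10 digits: the 78,364,164,096 from the post.
PASSWORD_SPACE = 36 ** 7


def password_guess_success(budget: int, space: int = PASSWORD_SPACE) -> float:
    """Chance that `budget` distinct guesses hit a uniformly chosen password."""
    return min(budget, space) / space


def pet_name_guess_success(budget: int, names=COMMON_PET_NAMES) -> float:
    """Chance that an attacker who tries the most popular names first succeeds
    within `budget` guesses: the summed population share of those names."""
    ranked = sorted(names, key=lambda entry: entry[1], reverse=True)
    return sum(share for _, share in ranked[:budget])


def answer_is_too_common(answer: str, names=COMMON_PET_NAMES,
                         threshold: float = 0.01) -> bool:
    """Defender-side check for a reset form: reject a security-question answer
    that is popular enough to fall inside a small guess budget."""
    normalized = answer.strip().lower()
    return any(name == normalized and share >= threshold for name, share in names)


def compare(budget: int = 3) -> dict:
    """Side-by-side success odds for the same lockout budget."""
    return {
        "pet_name": pet_name_guess_success(budget),
        "password": password_guess_success(budget),
    }


if __name__ == "__main__":
    odds = compare(3)
    # With these constructed shares, three name guesses succeed ~13.5% of the
    # time, while three password guesses succeed with probability ~3.8e-11.
    print(f"pet name: {odds['pet_name']:.4f}  password: {odds['password']:.3e}")
    print("reject 'Tigger'?", answer_is_too_common("Tigger"))
```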

I guess those hackers are on to something...

-Michael Coates