silikonyoutube.blogg.se

Battlenet forgot password

Reasonable people can disagree about whether they feel that revealing their father’s middle name is too much information. Although I may not consider a particular bit of personal information to be sensitive or confidential, you may very legitimately feel otherwise. Yet security questions may ask you to provide exactly the sort of information you would rather not share. You, for whatever reason, may not wish to let the world know what your father’s middle name is. I’ll get back to that later, but first I’d like to point out a couple of other points (beyond guessability and reuse) about why being careful even with security questions is also so important. Naturally, the whole problem is solved if you don’t have to remember your security questions and answers yourself: you can just let 1Password do the remembering for you. If my father’s middle name is Walter, then that is what I would normally answer every place that I am asked. The point of security questions is that they are something that the user can remember because they are true things that the user knows; it is exactly that which makes them easy to guess. In the case of people who’ve written autobiographies, the information can be all in one place. Parents’ names, for example, are available on birth certificates (which are a matter of public record in many places), and other information can often be gleaned with a bit of research. Quite simply, the information in these questions and answers is not really very secret. It was neither the first nor the last time that so-called security questions have been used to compromise accounts.

In March 2010 someone going by the handle “Hacker Croll” gained control of President Obama’s and other celebrities’ Twitter accounts by “simply working out the answers to password reminder questions on targets’ e-mail accounts”, according to the BBC. These questions are typically things like your mother’s maiden name or the street where you lived when you were 10 years old. We’ve all seen – and probably made use of – schemes on websites that will let you reset your password if you can answer a few security questions (I’ll drop the scare quotes from here on out, no matter how poorly I think the name fits what they do). This is a bigger problem because even people who are careful to not reuse the same password at multiple sites may provide the same answers to “security questions” everywhere. The Blizzard data theft also includes “the answer to the personal security question”.

It’s the security questions that worry me

Unless I have misunderstood something, I believe that their use of SRP, while cool and good for some purposes, is not relevant to this particular case. So Blizzard has certainly done a far better job in protecting users than, say, LinkedIn, which did not salt at all, but we don’t know exactly how much better. That tells us that the passwords were hashed and salted (see “A salt-free diet is bad for your security” for an explanation of what that all means). “We use Secure Remote Password protocol (SRP) to protect these passwords, which is designed to make it extremely difficult to extract the actual password, and also means that each password would have to be deciphered individually.” From Blizzard’s announcement, we do know that the passwords were salted and hashed, but we don’t know whether it was simple salting (and how big the salt is) or whether they used something like PBKDF2. One thing we don’t know yet is exactly how well hashed the passwords are.







