
How I Stole Someone's Identity Using the Internet - makimaki
http://www.sciam.com/article.cfm?id=anatomy-of-a-social-hack&sc=rss
======
tptacek
This is why you absolutely need to safeguard user passwords. 60-70% of your
users will use a variant of their email password for your app as well. Normal
people don't memorize or write down 10 passwords, or even 2. Lose a user's
password, you've cost them their bank accounts.

~~~
aneesh
You sorta missed the point. Kim never gave a single password out. The
"security questions" on one of her accounts allowed access to her account by
anyone who could answer them. The weakness was largely her college's fault for
having such weak validation, and also her fault for using that email as the
secondary for her GMail.

~~~
stcredzero
I don't think he missed the point. The point is that user management of
multiple passwords just doesn't work. This includes the reusing of passwords
for multiple accounts and there being too many disparate password recovery
schemes. There is too much asked of both implementers of web apps and users of
web apps.

------
sysop073
It's been talked about before, but the "password reset" concept really needs
to be looked at. Compromising somebody's e-mail means you have access to
everything they've ever signed up for, because every site has a password reset
and lots of them just send an e-mail without any further questions.

~~~
tptacek
What's the solution to this? Phone support? You can add "secret questions",
but users will lose those too.

~~~
alex_c
I've never found myself in a situation where I REALLY need to reset a password
to a free web service.

I've had to reset school and bank related passwords, which I've done in person
or over the phone.

I have reset passwords for free web services, but I could've lived with just
making a new account. If I forgot my password, it's because I'm not using it -
if it's free and I'm not using it, chances are I don't really care about it.

I've never had to reset my password for free web services I CARE about,
because I use them regularly.

What I'm getting at is - do free services really need unverified password
resets? If it's a paid service, it's easier to justify the cost of phone
support.

~~~
tptacek
If you keep your company's business in a Basecamp account, and you lose the
password, what are you going to do? Give up and spend the money for a new
Basecamp account?

People forget passwords _all the time_. Spend some time in an F2k IT
department; they have whole teams of people and actual application development
projects dedicated to trying to solve this one problem.

~~~
alex_c
Basecamp isn't free, so they can likely devote a few more resources to a
slightly more stringent password reset system than, say,
icanhascheezburger.com.

What I was trying to put forward for discussion is the idea that if a site
can't do password resets "properly" (by phone? or something more secure than
the example given in the article) then maybe it shouldn't do it at all, and
that this might not be as catastrophic for the user as it seems, since the
site is less likely to be essential.

Looking at what I use online:

- all my server stuff: Extremely important, but it's my own problem.

- online banking, bills, etc: Important stuff, not free. I'd be really upset
if I got permanently locked out, but all can be reset by phone.

- Digg, Reddit, News.YC, even Facebook: Not important stuff, free. I wouldn't
really care if I have to make another account.

- Gmail: This is the only one which doesn't fit. However, I use it daily, so
I'm not going to forget my password. On the flip side, if I used it only once
a year, it obviously wouldn't be that important to me.

Yeah, I know it's not very realistic, and it's probably not something I'm
willing to practice myself. Consider it a thought experiment.

------
lpgauth
This is why the answer to my secret question is always my password.

------
sh1mmer
Do people think that a decent OpenID provider would sort this out?

I quite like the idea of using an OpenID provider for everything which had
very strong authentication (e.g. RSA fob). You'd only need to log in a couple
of times a day with a login timeout of a few hours.

~~~
t0pj
<http://news.ycombinator.com/item?id=199784>

------
vaksel
I got caught like this once. Someone hacked a forum I visit, and they got the
same password I used for my email. Luckily they didn't do anything, and I
changed my password before any damage was done.

Now I have about a dozen different passwords. And to tell the truth it's really
not that confusing. I have one main one for BS stuff, but all the vital
information usually has its own password.

------
zby
That domino effect was rather obvious. Slightly less obvious dangers:
<http://vanelsas.wordpress.com/2008/08/18/the-unexpected-dangers-of-social-media/>

