Friday, 14 March 2008

Problems with resets

When a user forgets their password on most e-commerce sites, there generally exists a reset function allowing them to reset or create a new passphrase. The question here is, if you require users to have eight characters or more in their password, why would you allow such a common reset function?

The answer is simplicity. We don't want to make things difficult for the customer. This is a valid concern; however, how many customers do we expect to retain if their credentials are compromised?

Some of the more common secret questions include:

  • What type of vehicle was your first car?
  • What is your favourite colour?
  • What is the name of your pet?
  • What is your mother's maiden name?

The issue with these is quite simple: they provide very small key spaces. If we look at them one by one we can see just how small they actually are. First, the type of vehicle that was your first car can be guessed from a key space of approximately 30 major manufacturers. If we know something more about the user this can be narrowed down further, but at worst most of our accounts will yield to the equivalent of a one-character password.

Next, how many colours are there? This is a confusing question in a way, as we are not looking at how many colours actually exist but at how many common names of colours exist. The fact that your computer displays 16 million or more colours is irrelevant. Ask yourself how many of those you can actually name. In fact, there are seven main colours that people are likely to choose, out of a possible choice (depending on their vocabulary) of between 20 and 100. By selecting a "key space" of 20 we would account for at least 95% of the population. After all, we do not need all the accounts on a system, just the majority of them.

The name of your pet is another common question that has a simple answer. The majority of people use the same names for their pets, and on top of this the names are generally easy to discover, as they may be blogged, posted on social networking sites or otherwise easily available. Our key space would be expected to be in the order of between 20 and 30 names to cover about 90% of the population.

The last secret is a little more difficult, except of course if your mother had Smith, Jones or Wright as a last name. In this case the secret name space is larger; however, it is still simple to compromise. It is generally not that difficult to find out someone's mother's maiden name. The increasing use of genealogy networks, blogging and other means makes targeted attacks extremely simple.
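To put the key-space argument above in numbers, here is an added worked example (not code from the original post). It takes the rough key-space estimates the post gives for the first three questions (about 30 car makes, 20 colour names, 20 to 30 pet names), uses an assumed placeholder of 5000 for the maiden-name question, which the post does not quantify, and compares the resulting entropy with a random eight-character password over an assumed 62-symbol alphabet. The uniform-distribution assumption is deliberately generous to the defender: real answers are skewed, so the true guessability is worse than the fractions computed here.

```python
import math
from itertools import combinations

# Key-space estimates from the post's analysis; the maiden-name figure is an
# assumed placeholder because the post gives no number for it.
QUESTION_KEYSPACE = {
    "first car make": 30,
    "favourite colour": 20,
    "pet name": 25,
    "mother's maiden name": 5000,   # assumption, not from the post
}


def bits(keyspace: int) -> float:
    """Entropy in bits of a secret chosen uniformly from `keyspace` values."""
    return math.log2(keyspace)


def password_keyspace(length: int, alphabet: int = 62) -> int:
    """Key space of a random password of `length` symbols over an alphabet
    of `alphabet` characters (62 = A-Z, a-z, 0-9; an assumed alphabet)."""
    return alphabet ** length


def combined_keyspace(keyspaces) -> int:
    """Key space when every listed question must be answered correctly:
    the product of the individual key spaces."""
    return math.prod(keyspaces)


def fraction_guessable(keyspace: int, guesses: int) -> float:
    """Share of accounts opened by an online guesser allowed `guesses`
    attempts per account, assuming answers are uniform over the key space.
    Because real answers cluster on a few values, this is a lower bound."""
    return min(1.0, guesses / keyspace)


def pair_keyspaces(keyspaces):
    """Key space of every two-question challenge that can be drawn from the
    registered questions, smallest first (the weakest pair is what matters)."""
    return sorted(a * b for a, b in combinations(keyspaces, 2))


def report(guesses_allowed: int = 5) -> dict:
    """Summarise the comparison; returned as a dict so it can be checked."""
    spaces = list(QUESTION_KEYSPACE.values())
    weakest_pair = pair_keyspaces(spaces)[0]
    return {
        "single_question_bits": {q: round(bits(k), 2) for q, k in QUESTION_KEYSPACE.items()},
        "weakest_pair_keyspace": weakest_pair,
        "weakest_pair_bits": round(bits(weakest_pair), 2),
        "weakest_pair_fraction_guessable": fraction_guessable(weakest_pair, guesses_allowed),
        "colour_fraction_guessable": fraction_guessable(QUESTION_KEYSPACE["favourite colour"], guesses_allowed),
        "eight_char_password_bits": round(bits(password_keyspace(8)), 2),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

The figures make the post's point concrete: a single colour question is about 4.3 bits, and even the weakest pair of two questions is under 9 bits, against roughly 47.6 bits for a random eight-character alphanumeric password. A lockout after five attempts still leaves a quarter of accounts open to a uniform guesser on the colour question alone.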

When setting secret questions, it is essential that multiple questions are selected. Have the client create three or four secret question and answer combinations and randomly assign two of these at the time of reset. Rather than a simple recovery from a single short question, this at least adds an element of randomness and makes the reset more difficult to compromise.

Even taking into account a random selection from 4 questions, our key space is still only in the order of 200k characters (most of which are dictionary words). We're still only looking at something simple, but at least it is a marked improvement on the single question and 1-in-20 guessing exercise.
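The reset flow the two paragraphs above describe, as an added example that is not part of the original post: the client registers at least three question/answer pairs, the answers are normalised and stored as salted PBKDF2 hashes rather than plaintext, two questions are drawn at random for each reset, and a small attempt budget locks the reset. The selected pair is pinned to the account until it is answered or the account locks, so that repeatedly restarting the reset cannot be used to re-roll the draw until the weakest pair comes up. The class and method names, the lockout threshold of three attempts and the PBKDF2 round count are all assumptions of this example.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

MIN_QUESTIONS = 3        # the post suggests three or four registered pairs
QUESTIONS_PER_RESET = 2  # the post suggests randomly assigning two at reset
MAX_ATTEMPTS = 3         # assumed lockout threshold
PBKDF2_ROUNDS = 100_000  # assumed work factor


def normalize(answer: str) -> str:
    """Canonicalise an answer so that 'Fido ' and 'fido' compare equal."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(text.split())


def hash_answer(answer: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 of the normalised answer; answers are
    stored exactly as passwords would be, never in plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class ResetStore:
    """In-memory model of the reset flow: register pairs, issue a pinned
    two-question challenge, verify answers under an attempt budget."""

    def __init__(self):
        # user -> {"qa": {question: (salt, digest)}, "challenge": [...] | None, "attempts": int}
        self.accounts = {}

    def register(self, user: str, qa_pairs: dict) -> None:
        if len(qa_pairs) < MIN_QUESTIONS:
            raise ValueError(f"need at least {MIN_QUESTIONS} question/answer pairs")
        stored = {question: hash_answer(answer) for question, answer in qa_pairs.items()}
        self.accounts[user] = {"qa": stored, "challenge": None, "attempts": 0}

    def start_reset(self, user: str) -> list:
        acct = self.accounts[user]
        if acct["challenge"] is None:
            # Draw with the OS CSPRNG and pin the pair until it is answered or
            # the account locks, so a restart cannot re-roll for an easier pair.
            acct["challenge"] = secrets.SystemRandom().sample(
                sorted(acct["qa"]), QUESTIONS_PER_RESET)
        return list(acct["challenge"])

    def verify(self, user: str, answers: dict) -> str:
        """Return 'ok', 'retry' or 'locked'."""
        acct = self.accounts[user]
        if acct["attempts"] >= MAX_ATTEMPTS:
            return "locked"
        if acct["challenge"] is None:
            raise RuntimeError("call start_reset before verify")
        ok = True
        for question in acct["challenge"]:
            salt, digest = acct["qa"][question]
            _, candidate = hash_answer(answers.get(question, ""), salt)
            # Check every question (no early exit) with a constant-time compare,
            # so timing does not reveal which of the two answers was wrong.
            ok &= hmac.compare_digest(candidate, digest)
        if ok:
            acct["challenge"] = None
            acct["attempts"] = 0
            return "ok"
        acct["attempts"] += 1
        return "locked" if acct["attempts"] >= MAX_ATTEMPTS else "retry"


if __name__ == "__main__":
    store = ResetStore()
    # Constructed sample registration, not real user data.
    store.register("alice", {"first car": "Ford", "colour": "blue", "pet": "Fido"})
    asked = store.start_reset("alice")
    print("challenge:", asked)
    print(store.verify("alice", {q: "guess" for q in asked}))
```

Note that the attempt budget limits online guessing against one account, but as the post's key-space figures show, it does not turn a 20-name answer into a strong secret; the hashing and pinning here reduce exposure of stored answers and prevent re-rolling, nothing more.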
